53bd49d14bb027c71fc76f75bc9a644c29e5d858fad284389f4460d0a85f8891

Analysis

max time kernel
1s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
Size

3.2MB
MD5

f54f365249b60dcd028fbd5fa266efde
SHA1

cd0b53ee24ca4e208e2ec662ba737a24bfe1d768
SHA256

53bd49d14bb027c71fc76f75bc9a644c29e5d858fad284389f4460d0a85f8891
SHA512

46592072ce3e3c02096fb5740e4d7d0f2ae32437a3586115cbed417d74d4cf71f3403dd618d0d91889a8c898f3dfece00f50a45cc8a1cb1304b18544e2710d5c
SSDEEP

49152:M5k1YCdptya507NUUWn043oHS3fT8YwVq1/xT3DDbw0TUqyE/snji6attJM:CNhS4Yw8yMEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
480	Process not Found
2548	alg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2060	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2180	2060	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	28
PID 2060 wrote to memory of 2180	2060	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	28
PID 2060 wrote to memory of 2180	2060	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	28
PID 2060 wrote to memory of 2596	2060	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	30
PID 2060 wrote to memory of 2596	2060	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	30
PID 2060 wrote to memory of 2596	2060	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	30
PID 2596 wrote to memory of 2704	2596	chrome.exe	31
PID 2596 wrote to memory of 2704	2596	chrome.exe	31
PID 2596 wrote to memory of 2704	2596	chrome.exe	31
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 1808	2596	chrome.exe	33
PID 2596 wrote to memory of 2916	2596	chrome.exe	34
PID 2596 wrote to memory of 2916	2596	chrome.exe	34
PID 2596 wrote to memory of 2916	2596	chrome.exe	34
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35
PID 2596 wrote to memory of 2508	2596	chrome.exe	35

C:\Users\Admin\AppData\Local\Temp\2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x17c,0x184,0x18c,0x180,0x190,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in Windows directory
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65e9758,0x7fef65e9768,0x7fef65e9778
    3⤵
    PID:2704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:2
    3⤵
    PID:1808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:2916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:2508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:1
    3⤵
    PID:2192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:1
    3⤵
    PID:2208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1280 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:2
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:1
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3348 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:2320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3264 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:1756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1360 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:1656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3648 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:1664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4188 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:3016
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2592
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f977688,0x13f977698,0x13f9776a8
      4⤵
      PID:2284
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:1972
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f977688,0x13f977698,0x13f9776a8
        5⤵
        
        PID:1700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:2380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:3060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:1616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2740 --field-trial-handle=1268,i,16898948987041319219,8561036255707829254,131072 /prefetch:8
    3⤵
    PID:2664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2188

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
PID:580

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 24c -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 11c -NGENProcess 1fc -Pipe 190 -Comment "NGen Worker Process"
  2⤵
  PID:3576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
PID:3004

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:3988

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
PID:1784

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:1724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2320

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:3204

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:3316

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:3452

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:3740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3564

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:3828

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2788

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
dde2958ffb9c958f402b3d218d5f4017

SHA1
f9bca053208db400a9af20b6f1b78d98abe217dd

SHA256
d3ed8ba00440cc8d78b81c1d69cc10fd87e0125c4ab8d5365695fdcc7bcc5e31

SHA512
4c11f79d9facc2f759ad176b612620f1d092247a8615d6fee7d55bf4aeb46b392254995f548c4408d488cb6f50b1238d67b30f0402b5a6beece0e0b606a66a4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
05e82932082532b7f6eded3a62706f1d

SHA1
eaf86981a1efe98a0d87a22a6485d8f163f0998f

SHA256
504806c85fc3e37932bcdcca261794398618b2ef736884abbfc5dbbda15a259d

SHA512
18bf084c27c97ae15f4397d58b4c2fb4cd3eb83e6be8fd68c0bd1509e689ccac55387786d0875d7c9ea62e05a252d960ba03778ad0dfa10fe2828c84273a4ece

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8faba549adccf1c152f674ff6ecb8289

SHA1
0d9a8bb670ffb666d3a09dfeda0604d64654b30a

SHA256
eb6b7e9f176799fe681398f3099aaa21f95f526429c3ff5b471558047f3f4a99

SHA512
2e99eccb8d0357e75d5fd1e0e96e4a0b2983e6c895a94a6dd7ac7034d144af67b0db6fff67c6853fc1be3e06e9c2d4e38424f48d50e5fef53aa9ee0b740b75a8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
896970878dd3d7e3b16c6aee06940735

SHA1
75b2e2e9356a6ecbea4f19c6a42b8f232c038c93

SHA256
b35136b8beeb9a4c3382424a2802fdf9e298df254c8551c6c4a293640a57acf0

SHA512
06dd31659bf4459f450cc05dbb8970dc192800e185937c8a5cdd635e206804d8e6514e29335bcfaa446ef1fc109d72932cc1c68bb6a8ea8c048e42eb4c5aca41

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
739392e3bb6d7f971529d2846c829759

SHA1
f829884573c51c37a8801838114d8a485fd1a5d1

SHA256
5aca616c71d790a257d48039c4b39aee0e9cfee98b42cd5015c922a685ec412d

SHA512
522f58f6218122d2d474349a2b0f3539173b57bc04c75d1ba94eb19e926c6360a3c40b31f42cbc6263bcf47a36b6181dac5ffdeb0bd778c8ef83309755df16e6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e11b2d77-cbde-433e-bf21-cd1b36e50f8e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
39e40b362bdc1e121c6c6a234cf5a7d0

SHA1
e7d46c8386bad51ab8b775c828ece711ef320302

SHA256
e593936454d92cdc9ca94e2ab9a6ad6fcce1b336d57adeb62c2ab0a23a938192

SHA512
b4250429c50a73e4d72e6f54008bb29cdd7bdd016096d9de8e4a6ee79a9cc2b9b39125b004e5d588633510615724ca4a11a96d32b540433927acdbb58e26b8d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
7f3b3c9a10c6c55bae56e67ac76e2a2e

SHA1
2552ca31ba6c65dab1ae7121d5846c8c09f06f55

SHA256
8b1757e38c091c648cfce6c53b42a198429413252f6d56151ccc97ce9b7314e8

SHA512
dab3ec1cf83d339fe57a485e8f33b04532cf1ad2349e0474808f2141187f146da275e19e828cd41b20a55b2ab7fa29d91cd5d8ac767b3914c3748a0602173bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
036992db81e3fafee0bfa8cc0765e68a

SHA1
0b1c1e26a96d86f9bbb33cb11bc0aeb6f71c183d

SHA256
341f31f4ad36445926a416e582982f1c55f56787df0b882aa2eec9e35a567e21

SHA512
bf045e8f77f2021e7b3132a45db76b86887e14341800d1dce97b0580822e742ca71b4df56c7761399906a6cd9467b4a005b2e5afaba52ea03a2f5d627c027049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
740b9e314da2f302951e78671a754465

SHA1
386726c1c8a644f71a0f331f0997e702d498f934

SHA256
e6bb7377e3d3c698095fb0d9e6b302a025f56eb061c2f1461a0ba22ba42cf99b

SHA512
3bb508ea2f643b186c429cbce9135e406189bf830ee792250869d627a9c6be6f081c6347bd9f3909e929532b4e1dded3b60179601dac8c2cc4d130663af74e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
12072a3d30de589a6900a9765a79f6d2

SHA1
e3bcd70371614ba4b9ecd57a65bf484a83663529

SHA256
b768910f1bb5951d577d40756d0bb0375492b828c112787a6453999d5e756314

SHA512
1aae6ff95aa9b7019f234592d230340468dba2130f34d06abc6a1c37fe2b1dd737dee795ab2cabd6a1ab60227eb8c26917e3d8609c8de14c2ab2c2549eaef641

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
3cfe24d69edabdfb145901364f1cf5f4

SHA1
3f023588077110a5e43fc5a2c8a105feed87af6f

SHA256
6271b5d365196dc5b2004283feeb8700bb04f87b15b43bc9701e9c9316c147d3

SHA512
264322bbcea7205e2acc72dcc30cf5af11603590303579a64e75a2c94f325b7076df8851124c6cd661969c7875cc9c1041c22fb0b55ac117dc71b7d943c9a6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2596_2083657605\3946e673-45e6-4b7f-8d1d-8368ffd04b62.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2596_2083657605\CRX_INSTALL\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2596_2083657605\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\2ed9ff3d3d2ec148.bin

Filesize
12KB

MD5
dd5bd73cf2f91f016b42535ee64a2e7b

SHA1
af5fe9503336c858e2ba833bbcd0361d693bffd2

SHA256
a32a910c69ae84a2260d76d75d4c830effcfb63a4f456a67b508e43095a1eb37

SHA512
8c16b017e503d25af42bcb9637a6255806d9245fcfe0f6650164dd7e3ca698f325a9a11877446d532a637b3ba4b367cd24c4d493a2ee4dbe056bd3e92b4a7648

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
de784ce16784c0777852298347b97af9

SHA1
b2c87312da1d81130f82d9b4e46b77ec37552596

SHA256
d02a57129a0391dc991d1b20b208d4f175998b95eef89a4079d82345e05f01e8

SHA512
e79452b12df861a327432af3218b2df7c37bb5609a73fff06fbbab89fe6ef428e9ef2cf7a2f13f9cc837fa969adfa3b05a295148dc862817dca8ea834e753050

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
6144b48a56a6ce024631b0177e3837d7

SHA1
2ecaf12f5be155f90e4c3a839e70266831edb759

SHA256
1ded79c3c4101e8727c6b25e7dbd498050a1063d4be17878e1937be488872ac8

SHA512
67cff8929339b0d06d5b585ff30e249545e39482b07e24dabf715afbfe267d675f4072d9150e8e644fc0a0eaf558b0e06b77dae4fe4c4ab065295c0fa5681336

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
8712fff8a3df670676324033c1cc1d1e

SHA1
252fb6624a8a87f32d1a95566815e25215048add

SHA256
b50965b821e298aeb0205a0101eb6c8c39e269a6241bd46ce31c654693d52b29

SHA512
52491b1e79466a639d9e10e664cc1f5d010968f9430225ba0751471d8e9ef1300c1cb9eff2ea96a2c0962cad2d726b63c843b012fd2862e5c878e3004efee49c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
41d0dcefb8631987d622e82c76d74e3e

SHA1
f7219ed640ef48cb488f5e1a178bfe3c2eb4e68e

SHA256
f146e8e51d39498475c62391dec61c4e982e239c67a8324f35184a62dbdd695d

SHA512
2b7b62a23f65e990716a9d520e8b195de9743f98255f5b8f4eb5960a50586df0277c70f09751c3d58f0b37a4806f1ba9f5192e798d107dbbe023c6b5dc8ea41c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a8cbf99ecee34e0f9063172776822cdc

SHA1
5f12baeb0e5470b8c209351222ad346bece75b2f

SHA256
3b431f168a96714e723bb915b1af1256b241caa9b6d642336790ea158546bdcf

SHA512
b2fbdbbe04ecf7d0baf396ba0fed9c5c5b02de798b253b2a80f1d8c7c23d198b46097122a8164597b08edb9db95e25c6377be78eb78a20149a22ef358713e9cb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
5041cdf570a47cb0b48b3406cfb56e5c

SHA1
3a23cb04496322ba95ad1877d1060286236e15dd

SHA256
bf53df41971efb7e77623f73c46855141410aff3bdc34314e00102edb96edf77

SHA512
e4c1dd07bafd2ba5baaf01ad919728ea79fbc40b977dcc3cde494652c30864a597b709b7a3fb1688ee9536ef83004324b65f002a1973067fe00fb8a0eb17ba74

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\2ed9ff3d3d2ec148.bin

Filesize
12KB

MD5
a3231e284d58941fad544656c3bc5252

SHA1
0e241a8bf6624b7d6fce591790848eeb74623f72

SHA256
d4d703432a1c2d29a1841c8f2ec3b67ec11cb6da5bf7935c6b2c577ae813930c

SHA512
3f0723c2581f20a8486107b0aaa4f98b1090841b11e7010f0a4ffae81dacde42091521ac7ac3ea611dcb22eab665e1d815be1a286274f96d9f35a9b96e942ded

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c056b0b54b5de1e54d0d4ecfa1821fe7

SHA1
80ad798c7fcd1419de9fc136064d1f929cd76b32

SHA256
8f672ceb801cb32884d190031bd18216c8fddd9140088a3ecdd58f2780d95e2c

SHA512
4f4fd7dfe01c96752678819c380ade52fac2c7411245060e2fca598edf85b3d070d756a4424f4b33146d272fe962224c5339c0c8924d126fc65ba9feee09b44b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
d3e5b32994083f5f61d2fced62af8492

SHA1
eb1998c1a9df8c0690ea7da00a9c13739084af65

SHA256
ef9942a85c3aec3cf515dead0e294280a8119cdefb975634a5999e4e03935df3

SHA512
868c0cade0fa9cef8938b5a39a141d5a72c9587a91b702db4965b9108a56289955ec4d319cb2c6f05e53343dbd3b7fdf9a69717d03e613a3665fd50225310233

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
029a59984e5a474049c0d3ce51f5da14

SHA1
0d1a1a5d65da8495d76736b97c652e232432cdc9

SHA256
d8eb7cc52f64adfc05c4de39b32bf40372fe7826cb358259394a2cc47e4402ac

SHA512
26708b139a1670f91410abf4889092c54bb993b615fa5010501d89e625ce42dac6e0b72d1854218e5c0ec08f3b11f36fb24046798cd580c405d0c774addea28d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8fa34bc0d70f64535b7cf3ef236bca1d

SHA1
5eca8192e8c6e1dc1c1417871705f7ef1dd7578b

SHA256
20bdf30ff2a0a984caae341136c19ee09c01c0856831dce157d327e65ab7d915

SHA512
1c45d019b5e15a4261c029609f5b0b2cce2bf24409d08a4454c2801d591f65f15d0620202e01de050086d51169b4ce6857473928437ea7076045f1d1f1070d92

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
71aa521bf656f81c356896613bd2078a

SHA1
129aeec4a91f5f73702d057e71c2501d372bf49c

SHA256
58da191e3d31947874761a600f4fc0664300284ac8b14d6b873a79e7c7ff8087

SHA512
1bf2b51d440b63a2334f389b5398d3f496dba3d9deabcfca5d46f519462938174c488c8253810a0405a81322c97f6783a9fad687daab4b3522804b01c1a07ce6

Download Submit
\Windows\System32\Locator.exe

Filesize
25KB

MD5
ae0ecf0aa89f93f116f10e8dfe72908a

SHA1
f32947e5366f835c55b7917d6119eed43b651eab

SHA256
0f8b9a821d39a1c2d123f8ef906a7acdaea7c096f825d8da0177f319de2c9403

SHA512
1223b070b8eae25cb3d27774ebb70e9caca899375cedd8803f3464f0b482f85c25ec3227ee58bbd0cf8b11eb9d64fb9526bca11fd699c57ed52b0712dce72687

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
286c6a996134fd5ae061601afada708a

SHA1
48c7a6a3c7a4e7b44b72ea039f8f957462dfb23c

SHA256
3c59c7d49c873f987652c8d5c542f9ea38f53dacefd0daf042119139fe83739c

SHA512
a90bce7b5dd68a3d867ae988adbc703dea779f9739b03ad57e459c0f70cc004b785f386fc9013ccd7994d953161cb42dfd8f29dd7d6015d538654c1a7be61894

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
811d6a873fd3d2f0e5cac2086ed85f82

SHA1
950e92fe9f29edad90c39133bd22c4f9c1f6f231

SHA256
f4c958c43110a04ce3b6b5a33aa0706f2a2b7f75571ce8bd3f75780fccaee2bc

SHA512
72825cf85d7d3ab6d38c74956780c7848516994831c5c270ec3ca56c7224de2aea775080cf574c1c3cec8702b255e1cb1fa20e26f63ded82db8de45f990bd3fa

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
ed2a31f647bd4b78ae1f0f971bfd2a48

SHA1
15ba98bf8c8ce3c5d0df56203805de5c6119976b

SHA256
3d3e60fc5c95402c9053a582b5d018ef1a63188441d92b9c4834f995c54386b6

SHA512
f0fc26f1b254c561c89181ee87abab4b997fe15c13f755c820fc0c3c18571c5af4c8ff4d69aad0fa42a955cded965b493e8bb52bec508d213831888ab2e41c3e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
7445f4911e92990a7287c819b782cd94

SHA1
d917e9fff112f5a497574bf4319becdcc9131a19

SHA256
8a6622f3fec00ced0f516ae0c2ffef17cbbdb2759df499d172ec04b387d229be

SHA512
3031df22f7d078e9b9f4239e285b945e3f6d7fa7e1b480cfdd9917308fa78702fabc78a7bd4694063718cee3b39c81be9912e09b2c1ac8fd665a116a43e59d04

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
cacd3b1cac11dc25cfeb5831ac16c098

SHA1
d77b94cc3e414ca2b67b08fcef7356164582d1cc

SHA256
495bcf80496db7950cca7881815be0756f2deb10e08990e4452b1908a4f5d902

SHA512
bd64d4bf7919696d6755a4028c1618fb8d85cf0732da1a299f87c9d5b8e4ee9fa2323da8a38ad563a327cc02f4b8099914dacfeaf5e44522ab778585cc3e72ec

Download Submit
memory/580-406-0x0000000010000000-0x0000000010179000-memory.dmp

Filesize
1.5MB

Download
memory/580-434-0x0000000010000000-0x0000000010179000-memory.dmp

Filesize
1.5MB

Download
memory/580-412-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/580-407-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/916-890-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/916-447-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/916-439-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/916-440-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/1028-1048-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1028-898-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1028-892-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1028-947-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1028-1044-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1028-1000-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1028-891-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1592-863-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1592-401-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1724-886-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1724-887-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1784-871-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1784-917-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1784-879-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1784-929-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1784-872-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2060-0-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2060-13-0x0000000002700000-0x0000000002A3D000-memory.dmp

Filesize
3.2MB

Download
memory/2060-33-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2060-29-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2060-8-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2060-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2084-429-0x0000000010000000-0x0000000010181000-memory.dmp

Filesize
1.5MB

Download
memory/2180-12-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2180-15-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2180-21-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2180-20-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2180-413-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2320-922-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2320-1029-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2320-930-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2500-1051-0x0000000001000000-0x000000000116F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-1059-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/2548-27-0x0000000100000000-0x000000010017D000-memory.dmp

Filesize
1.5MB

Download
memory/2548-25-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2788-1042-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2788-1038-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/2788-1032-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3004-495-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3004-489-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/3004-488-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3004-902-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/3004-496-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3204-936-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3204-943-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/3204-1040-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3316-1060-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/3316-1057-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3316-951-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3316-954-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/3452-981-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/3452-982-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/3564-1002-0x00000000004E0000-0x000000000066C000-memory.dmp

Filesize
1.5MB

Download
memory/3564-1015-0x0000000100000000-0x000000010018C000-memory.dmp

Filesize
1.5MB

Download
memory/3564-1011-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3576-1023-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/3576-1013-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/3740-1009-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3740-1005-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/3828-1017-0x000000002E000000-0x000000002E18F000-memory.dmp

Filesize
1.6MB

Download
memory/3828-1020-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/3988-857-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/3988-856-0x0000000100000000-0x000000010016E000-memory.dmp

Filesize
1.4MB

Download
memory/3988-864-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/3988-916-0x0000000100000000-0x000000010016E000-memory.dmp

Filesize
1.4MB

Download
memory/3988-865-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download