f31270a17ae384bba66c918479ae56d62c9a7589ae1ed84f20c5e601eb11d309

Analysis

max time kernel
1s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 08:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe
Size

3.2MB
MD5

339dfa02b42ed9a2871069b74f09846d
SHA1

7ff9cf1a20f811ec6fa9748f34544308f019a35e
SHA256

f31270a17ae384bba66c918479ae56d62c9a7589ae1ed84f20c5e601eb11d309
SHA512

dc77b57f2934c2f01225c415404e4df6af538036fdfd1482ffbd8cd085c1d2c0e340efd076e083af443aeb114771879468874e80a1e218de347876d3a1619090
SSDEEP

49152:G5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbwwTU+e7ctXdujQzfkrh6do:ANhSMYw8OvjoW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
480	Process not Found
2596	alg.exe
2192	aspnet_state.exe
1844	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fba33d24bfe435d8.bin	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	chrome.exe
2700	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1888	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3048	1888	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe	28
PID 1888 wrote to memory of 3048	1888	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe	28
PID 1888 wrote to memory of 3048	1888	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe	28
PID 1888 wrote to memory of 2700	1888	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe	30
PID 1888 wrote to memory of 2700	1888	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe	30
PID 1888 wrote to memory of 2700	1888	2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe	30
PID 2700 wrote to memory of 1980	2700	chrome.exe	31
PID 2700 wrote to memory of 1980	2700	chrome.exe	31
PID 2700 wrote to memory of 1980	2700	chrome.exe	31
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 760	2700	chrome.exe	34
PID 2700 wrote to memory of 1892	2700	chrome.exe	36
PID 2700 wrote to memory of 1892	2700	chrome.exe	36
PID 2700 wrote to memory of 1892	2700	chrome.exe	36
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37
PID 2700 wrote to memory of 888	2700	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-09_339dfa02b42ed9a2871069b74f09846d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.159 --initial-client-data=0x180,0x188,0x190,0x184,0x194,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in Windows directory
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6479758,0x7fef6479768,0x7fef6479778
    3⤵
    PID:1980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:2
    3⤵
    PID:760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:1892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2128 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:1
    3⤵
    PID:2100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:1
    3⤵
    PID:2984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1440 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:2
    3⤵
    PID:2040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1384 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:1
    3⤵
    PID:2536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3440 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:2904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:1044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:2604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4024 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:2012
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2156
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fe27688,0x13fe27698,0x13fe276a8
      4⤵
      PID:2732
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:1004
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fe27688,0x13fe27698,0x13fe276a8
        5⤵
        
        PID:2476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:2932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4216 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:1428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3856 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:1660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2756 --field-trial-handle=1272,i,7531584444535448685,11843611631679987692,131072 /prefetch:8
    3⤵
    PID:3572

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1696

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
PID:2804

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
PID:1748

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:1852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2280

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:2864

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:2092

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:1600

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1300

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:1016

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:3044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3636

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:3820

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:3912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:4008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2288

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:3200

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3872

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1652

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
1cf22f90c1ad3d77bbad452fb2654890

SHA1
389a3ce6dc8dc8e59cf0cdbaf457638ce32911bb

SHA256
96ac3089de0964c6cd3f82165db2c3d06637c3ee5bb96c72d9f2b08d2bcd7ca5

SHA512
b928d6b5c8da57829a5604125e2d10517e274784344b624efc658271d3cfaffc207f33f75abc002eb36fdc3d948ba0dc26f08b3d668bb8938e043693745bf532

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
27306cd149aa9aadffe670d96162e397

SHA1
3c08a6ce23238daa3dc821a391ec1e64ced30936

SHA256
6a10ea5723006657e41a4f563345e4081f9ae4b36b124a9b3272c6aba26ed39b

SHA512
01753afc7356943602d5cc453083233b0a3a5e893845fabbc0cbb011e0cfe7d5801a44b752a556657842d8627563ed871b2a8169aa4791ff272c1579d6052bac

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6f117f39707675ecf9b9a5dea1f877ed

SHA1
a49dbfc91c20f0584c9b4df80937b8684f0c6bd0

SHA256
218c082d79e4b649dcd73f32c59dbd5232028278d5e66686af8d2e8a956d3deb

SHA512
dd46a4ef3df271ee5eeac6c4dd20df3b3589d9942797c94f369affad0fe41a6966c67669c1e7f59d40485d0c53b73f8428d55bdbea24965bdba9c02b260580fa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9ac794628b4007516977f09a7a4526db

SHA1
6dc08c000502eeb5a00850e30a8d57883a50e6a5

SHA256
7805c848e4cdc4a47b21d61323c10423375cc137c95c9e674030c578f5093998

SHA512
9a54f5863fd34da69b1984adcd8a3e36435a7d877b7246be6f9e44a9d947e742c62964bf515f24248969d9b401e6e2ed39dfd3a55fe8b13f546d035a34026646

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
83dd774f567007dcbd09d496a7864b59

SHA1
c2977efbf79e16c01e04c27cdb2e5546b465a5cf

SHA256
9e650066057b33b86d1c5a58d28e9eaafa7710743bb78b4e638490a5daa0c517

SHA512
6a1c3910890c4bc400f9dbb49411bc7cc3815efb575fe7bd37744779a6a43d141928e493c2e575f99f0c355a0dbb5ffad605a0ce6a6d4548cbecd7aa131a0c98

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\80f0d5cf-92a9-42de-8649-41598dc104ea.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
98839058218839f994b8e103bad863ad

SHA1
231dc87642c3cdf4a41f4c21233c120f87e7b076

SHA256
236861e6339353e02901dcf56d40d9b09ea1070f1363b4a76f2c9fde294028dd

SHA512
399ecd3a4654a815e9f5275a9c59282bbc3b096809d2d322a6aa04f932924a10a15d0f1fb3b3944193c4d6a88f0724e11faab8ec21bc57d09ebfe9cdbfb34775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a2fda23b31a1d9962bca68521bd94d12

SHA1
2540f3bf2aa622edbdfc377dcc66b85aa9f20402

SHA256
8b328fe36e7d912558e802de41469a0342602cc7a75b45066d2610fe7099860a

SHA512
3953e5100f6eb0b468828707707e80380ff91da73091999889bc9485d3e1c815e1877de9fd63205987f985f8ccabaafba7ccc37e798d9074e2ad17b69bd8f079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2cbed978c5385d9132dc11b391294638

SHA1
4e476930043a8ced924a65488d5f32c3584cf9e1

SHA256
6be8dba52591116612635f6be93767588918d4f97e565089aadfe80cc0de0601

SHA512
b4dcb41d1ea870c1eeac4a9585a6c10344c6bea2018a3fe4f3e86ce777afdf32dc143679b1b6cf890d8638c79ceddf190cf826097c84dc37b2a548dbce9ab404

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e195c8f1dce66e0be41098d1e57b1b90

SHA1
19a41e8f546dac895cec10cd12cf692d78d23529

SHA256
9beab28a66a4366135d9e0a9307d55c7c48a5ad702bedf6d00556fecacc58026

SHA512
16d8cd6b43d20e553e99d2f8585a692392789ebdca738b9e0d74f945cbad6790a49a323166224c1bab461c2f7d05624cc9cda430813829f7a7588158f17fed9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
42da8e6b4be5fb875ba1fea8584f394d

SHA1
fac587c7ee7d107300a0a572dd5a840afe9b06e7

SHA256
18926d0becffac634f1f9efe0c8a5fe61aef75527a85f8749b8c4e45e5562044

SHA512
3acff2c0ea7748c2c51c49f1110a425c735ad4601d774cbc131c76b76429ead8b49f495b5399da1a8c279a46de26efcdba873f52f19a9f80de32b3cbbdb8a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
c6577fb70a136ceeb0d99fade3f2b86d

SHA1
d3feaab35d9da0381e4a9224bae1e9faf08f4cf4

SHA256
567ec3042e83ac23dfecb6078922286e21c974e3d1b05311e8e027ed10a5dad3

SHA512
d4b92ab0e89a2b27343f738ae1448d8dfb1966532cc2560c6f4780c5d1dcff9cd90a4109c68867476cc948aa398796858c007d4de5a67218098b4d17c7a23793

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2700_2095134296\1c41e7a7-dfa6-47b3-ba47-16940d1d0c4e.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\fba33d24bfe435d8.bin

Filesize
12KB

MD5
99d5bec2b54feade7b899905728269c2

SHA1
5634f37b6a9dca4b15f7df992b23bd9d0b248839

SHA256
7f744ccff90cef5ee98b752d865deb4c9a3db154308797ae1982356a97dba04e

SHA512
b17494f1f0fc6b8f8192f94a9807fd3c45fdb187b26ea6a2b16fe77a10de3557ce2a1191fecd7891daef9ff2fe18f41fe623259dea3e7afb9b2e4dad4780ec97

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8c39f8dfb30e9c6a26dd4da398f95124

SHA1
bbf4959f8d03715b1af6419bee549fca255434e1

SHA256
78ef9fd96331663a1308e47af920531f26a43ae43abef5417920fcdc4258e500

SHA512
17a3422cfc08dbae29b57a20ea0aca6889038758ac9249a3c739c149e31b84a800b4b8eade25b7a027d66abaea4058f6990edb693631f836f287291d9c06074c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
b9a5c26d19f41f64b7cf938b1bef1516

SHA1
89b0c8458b04051389a40ec61c868a015c1d547e

SHA256
497245d223e24a398e736de9d7b90b02462551bcb9bda017bb7ebe46df89f401

SHA512
5f3fd3ea7bfbbc9eeb6ebf26757aa975f5d74c8f273f3d563b6d7d1614751c9fa88c4bdc0caf71099b0c7aae32517bbaa41afdf225b1951d9dbb83387ca6406c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
deb446e7faef2a734c50f24e1c31c32f

SHA1
88e4a41e7230a5f3a27f61b21dca098808e5b123

SHA256
c5c173ede83bde98c5a134583925be533fdc4ccff919a052cdc50a2dbda1915f

SHA512
945e4876aae57e800a09583a41295463b89fd5c3c363f2731f104a475eda64746cef8742e3b8f5d2bfcfc1a522ae6a3ed2afd13ace2fe849c73b208b34c3bc9e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c75e0129985d0c999fbf3ad1e04ce1a7

SHA1
589865d60f25b02c5162187161048c7d0e2a1910

SHA256
2f32b5736f0bec0825ef1ffc4dc941743fad2adf523bd01c2d6e6d15d30bbd8d

SHA512
e233a1cc38c81ffe6fd9f9ab09e0e6c069717d60fd3a52b8560e967ff9fae4a12cc30870ed0aeebd1b7ea0093cf255599e0c56f0a93d8c2af10774b2bd1eac58

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
339dcbd3fa5d7cb85b32a9325385a62e

SHA1
a280cfad5199dabc8fa23bf964dfcc2cd94611d1

SHA256
846b8ef023f2bc4e0fa0a0ec3c0d006603558d04cc737027d757015a3e032dfd

SHA512
82507886d00b9fd09ef60839faf0ea6f35443c4f2962b4a2875b165b391773c21fcf0dcbe658b85120468c41ec7e90ae1229f5dcd68e2524ea911d0d846f4c15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d8ee8d0354ec299a5454663cc9df7470

SHA1
25df3ce8be093818507a88aa90e93d8c857c3c40

SHA256
c97579cd222e9f357771b1aa7140f341ac585321509406bfcad73a3418c60b88

SHA512
71440541e8e9e666916a160939d58944219dff32234f76953be687c1e942321fd67affdabd7e4b59af2e68128417dc6adc4439eaa8627120bd8a876e24f75d3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0833a2d5f0c82bda87809a1776ad3f4d

SHA1
506076312709a4dfb817e1e3a91099ab8e766e04

SHA256
937e861bf822b30f1af99dbdace95efe48c5ad521492fef051d2c401365548d2

SHA512
3e6daf94f64570fe6827267b2d107ab5735976493e3db63d89b149878e3cd456eed06ea34bfb08fc1742f2b5234b10bffd084075f30aa6617ba4373d93623720

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
7d55ffe913e4a80c1cdb3cdf920e4036

SHA1
2578f2cb4a827923b35f853799dcdc04814a822a

SHA256
ba9dbe4c21ac6c45c3112c2eecafbcd298b1255c160234e91cd250424e342ed5

SHA512
0f3d82efda78ae88482632426ac61a3075e38f0fe0668af1625bddfdda1f9269f7c0dd940df20550e5665e8d84d46767664653efb4e0a22ffe66a80c07e9765d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c78ee53490cd19ab5014621f6b795fe8

SHA1
9eb5cdf7fdb5743d5c0c5a388db3512add096da0

SHA256
5a65d173e7e78026f780d31d9d41f0594a2f1051837ffc4e80c4a6935bc304de

SHA512
c66c18b2ac125b1a2abc4e6b0ce7c37cad7572b2e7de9cede551b8b366f1f2c2773eb4e4eeb2156e94da66b4c28fa9b4b09d80fb0a8dca5be28bc8d3372143b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
c9bf0a29020aaacb0469a0b1348b79ca

SHA1
855a98c4f6d81e0356c0cb7bfaefd7b209aa830b

SHA256
06207e4b89bc6b1b2b0f9d119b084a3c85740d0f635fb619486a205d4f13e9f1

SHA512
1788e64fc565cf2c2f039dcad12096aa1cee0330b85b41b06ed598c75ed2f30f41aae7f91b23963fff142592a27e3a0ad429a7b59229b6ce82044e046bb74734

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
cf701fb3757aa3f475bd45d1eaa1037b

SHA1
9975d3021825b0b5e1e2142e52ab1d187b4f39d5

SHA256
f8e81ae7ffce90677ba90924b79b812fffae15d5e1bb7a22cd698de0d57c2b6c

SHA512
2340ebddc114c817de22b085fe33bd1cda02da8f52118d5694cf5371e2a5c6e113e11d5f2b52d3378070269e3f1c510ef0935b4d55cb568b54edeb18fcc6af34

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b47cb38e8da8001b22ee9646bc96b0cf

SHA1
5c92b7d5018c31e6940da962263a9ba7cb17a009

SHA256
7cf18a6f1b61e63468fa0fafa5d05aebe3d09866a899cf3a4945c6899c399a26

SHA512
7840ea5355d382f492b69e03ef32c48dff52dfdfa2feb783267aebf9a9da27318206e7748a71bc68c2291747645ed1b9f7113450bdec33f0643abd6f8426226a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c160fd2d97f15ab7857a51d81a49dcfe

SHA1
b0ce7b02151245adae8173aded1bcccaf2a35cb5

SHA256
ec7b3dc70046994f4ed5cbc159276a84f14233f280ad5646e72b45c4e35f2860

SHA512
b72c5271be80c4bdd5e7c8140bfce22c4444f7129fe466db6263a09893013a00422a8eb9cd19583f8698db0cf657e94747b57fa24d848735027c14bfb615e317

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
188ba339589a69de80952984da4f682c

SHA1
57c5d5ec029656c64576c15757c3b142d93eb529

SHA256
1cead47b547cf70da9525936c850788615e6184174b53bb20b55fa63a179562d

SHA512
ded32d18740392b352c21480d1374ce3f059a096e2d7539097ceb73ac62ba2f4b2d993d861708a79952732eefba54f0e145c0ec8dcd09234a7bc709a7bbcc42c

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ba351fd3d255a20f0cf5cd1a0955df9d

SHA1
eb64b47c67dbbdc5fb9c559e0fb56b6bac8bcdf9

SHA256
d30e9fb2fe4721d723f3058989b1a06739f217efde10312614131faaead6020c

SHA512
4cbe8d5c191e9f4ed70ab52ae6909eec84ca6f52744237927d38714d2f73bd681e0c2b95e26e34b1c72a1a1d58d63ff5b9947a4f5f6bc0907a3f1fb36b7f609a

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0571ef011fb79be867ed93a5e1091f5e

SHA1
409068b182c469c53895e4bc503ead0ed79e5d51

SHA256
afc113bbf7430d1d948829a95b832786b4544f5f67986eaa3c8d272505470c12

SHA512
78a970a9b3e8d8de245acbf6ac0220bc1678bf48a4a74055a73083d2f6039e569523a3e914f9e5df010031c3c67a4ecc50be8144b2a4ce2a59eb74576d10f397

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
60d1ed6401886128101806c381c79e50

SHA1
d099fbcf2e4379aebfb6f171f10cd4898e701973

SHA256
e9ce6cb15411f96030ae19fa1bcb4ee84c2789a2b6641fbc2e19b087e951602b

SHA512
65c6a12c90c29d56b3c18ef97dd98580eb902acefbd7afa36e9349c446eb8cf9e843e568b435c0270399620248f8f31bf8a847adb967a1538907d59019f5e668

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a96f7d640866166ec29cc69fde3397ff

SHA1
e6faa8ce2f8c40e9b5f37daa2cb3c0f890254a0f

SHA256
507ddf3b75da86d0c1dcdff8744a77ab4047d019af22d9232af223a890eba921

SHA512
6bfbf3b16fbefd8a3fa4f1b533ff589a52ee290ff704bc18bc8d05ffd643c4dfd6292aca60a27008b865b05e5e10a652ea9618868d31eb92ad2596221eb2a97a

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
453f546b6f5218bcb1a4660d602fb14d

SHA1
53281008c70b9b229ece93ff7bbb30f756cae1ff

SHA256
955b103a6dbc5fc06e78235f8c4ff49a36f87454955d35d8aab29a23c70c1562

SHA512
6826cff14d22362cd44e0b46f528301ab97cc213f466484ad7aad34a31ede935d65bee0b9b58adca2f5c07291512b0347c7fa228cd03aabd1ffd53fde903fbe6

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d9ab3a32e1d281258ba730c8e651e127

SHA1
e3012fc0210242aabf741dea3e2b4ddec14dec54

SHA256
5c1f2626c68f7583697135ca6e74b3b782264aec6a7f4d104851039372aef795

SHA512
c31c3ef9179e49a0aeca907c709b1b2045146a5b572478bb84903b282f98083b52ba8d0e78c0cadb15095cf26c9e7459598544cd21a840f78613e045d0da6230

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b7c8edbf66cf99b413ab39a0a9194a33

SHA1
a2e8f8e6039a3f325fc6711081b4f47679ba56c8

SHA256
d6c0ee90d73f272e1c47afc19bb09cf4bdfea947534a6bfe2d3aaccf5243861b

SHA512
43e00c7762a5eaf53ea3a599f3fddb0a8e0e8fda360da28a4215281c0a5b78460eefd365bbca19d8cace49e539eba29fc3a98b575f709c4cf1a9238997ec7f64

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2f8b9401443a7624510aa4bed2558760

SHA1
f5cf60b3742f1ef6df0ca690b5e4dd9809d49f3b

SHA256
9fb412d457fbaba155a096c63085a4b5b13e5a4ef50253f262c0da06ad39776b

SHA512
b5da71b44472b16f6fe273b47d83a66547eb98191c765ef0a6788f276faf42d555c54fcda5e9db016a4bc7e3be37ddd08a815cc459febfaf742c3d4cc6d92cdf

Download Submit
memory/1016-336-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1016-437-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1300-448-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1300-323-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1300-449-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1300-331-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1560-308-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/1560-304-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1560-505-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1560-533-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1600-309-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1600-527-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1600-296-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1748-229-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1748-188-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1748-302-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1748-194-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1844-159-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1844-63-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1844-110-0x00000000004A0000-0x0000000000506000-memory.dmp

Filesize
408KB

Download
memory/1844-82-0x00000000004A0000-0x0000000000506000-memory.dmp

Filesize
408KB

Download
memory/1852-213-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1852-329-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1852-320-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1852-221-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1888-8-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/1888-7-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/1888-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1888-31-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/1888-37-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1888-0-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/2092-273-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2092-509-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2092-284-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/2192-55-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2192-49-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2192-184-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2192-48-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2244-228-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2244-130-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2244-120-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2244-137-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2280-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2280-436-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2280-260-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2288-535-0x00000000000E0000-0x0000000000140000-memory.dmp

Filesize
384KB

Download
memory/2288-529-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2596-162-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2596-24-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/2596-27-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2596-34-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/2804-161-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2804-173-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2804-165-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2804-282-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2976-247-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2976-145-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2976-149-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2976-152-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/3044-492-0x000007FEEF840000-0x000007FEF01DD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-491-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download
memory/3044-490-0x000007FEEF840000-0x000007FEF01DD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-146-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3048-20-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/3048-12-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/3048-13-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3200-543-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/3636-510-0x0000000000550000-0x0000000000759000-memory.dmp

Filesize
2.0MB

Download
memory/3636-497-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/3636-495-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/3820-502-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/3820-500-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/3912-520-0x0000000072418000-0x000000007242D000-memory.dmp

Filesize
84KB

Download
memory/3912-507-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/3912-506-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/4008-519-0x0000000000220000-0x0000000000286000-memory.dmp

Filesize
408KB

Download
memory/4008-518-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download