ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

Analysis

max time kernel
120s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-09-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gameguard_setup.msi
Size

7.7MB
MD5

68bd8f9af44479db013a77c806f1c674
SHA1

0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256

ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512

991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
SSDEEP

196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

gguard.exe

description ioc process

File created C:\Windows\system32\drivers\acdrv.sys gguard.exe
Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

2 2120 msiexec.exe
3 2120 msiexec.exe
4 2120 msiexec.exe
7 960 msiexec.exe
8 960 msiexec.exe

description	ioc	process
File created	C:\Windows\system32\drivers\acdrv.sys	gguard.exe

flow	pid	process
2	2120	msiexec.exe
3	2120	msiexec.exe
4	2120	msiexec.exe
7	960	msiexec.exe
8	960	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

gameguard.exegameguard.exegguard.exeggvolehn.exe

pid process

2044 gameguard.exe
2044 gameguard.exe
4636 gameguard.exe
4636 gameguard.exe
1072 gguard.exe
1072 gguard.exe
1776 ggvolehn.exe
1776 ggvolehn.exe

pid	process
2044	gameguard.exe
2044	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
1072	gguard.exe
1072	gguard.exe
1776	ggvolehn.exe
1776	ggvolehn.exe

Drops file in Program Files directory 16 IoCs

Processes:

gameguard.exegameguard.exeacsvc.exemsiexec.exegguard.exe

description	ioc	process
File created	C:\Program Files (x86)\GameGuard\steam_api.dll	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\acsvc.exe	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\cache\qfprmqhf.cache	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\gameguard.exe	acsvc.exe
File opened for modification	C:\Program Files (x86)\GameGuard\gameguard.exe	acsvc.exe
File created	C:\Program Files (x86)\GameGuard\cache\tckkrthh.cache	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\gguard.exe	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\gameguard.exe	msiexec.exe
File created	C:\Program Files (x86)\GameGuard\cache\rpgkfav.cache	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\steam_appid.txt	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\launcher_x64	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\acsvc.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\GameGuard\acsvc.exe	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\ggvolehn.exe	gguard.exe
File created	C:\Program Files (x86)\GameGuard\cache\lvioolry.cache	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\cache\ndcfdc.cache	gameguard.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\SystemTemp\~DFB80C05DAE92EE5FB.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF905C4EAE3DC46C14.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF758F6BDAA6B477D7.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E05.tmp	msiexec.exe
File created	C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBC95AA2D6DD77113.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DB58A440-02BB-433B-AE99-D0B8AF31A839}	msiexec.exe
File opened for modification	C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e587339.msi	msiexec.exe
File created	C:\Windows\Installer\e587337.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e587337.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 7 IoCs

Processes:

acsvc.exegameguard.exeacsvc.exeacsvc.exegameguard.exegguard.exeggvolehn.exe

pid process

2076 acsvc.exe
2044 gameguard.exe
4712 acsvc.exe
3428 acsvc.exe
4636 gameguard.exe
1072 gguard.exe
1776 ggvolehn.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exegguard.exe

pid process

2020 MsiExec.exe
1072 gguard.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2120 msiexec.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4948 1776 WerFault.exe ggvolehn.exe
1160 1776 WerFault.exe ggvolehn.exe

pid	process
2076	acsvc.exe
2044	gameguard.exe
4712	acsvc.exe
3428	acsvc.exe
4636	gameguard.exe
1072	gguard.exe
1776	ggvolehn.exe

pid	process
2020	MsiExec.exe
1072	gguard.exe

pid	process
2120	msiexec.exe

pid	pid_target	process	target process
4948	1776	WerFault.exe	ggvolehn.exe
1160	1776	WerFault.exe	ggvolehn.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

acsvc.exeacsvc.exegameguard.exegguard.exeggvolehn.exeMsiExec.exegameguard.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gameguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggvolehn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gameguard.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b63f186ec435d5ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b63f186e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b63f186e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db63f186e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b63f186e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 46 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductIcon = "C:\\Windows\\Installer\\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\\icon.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\PackageName = "gameguard_setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\DesktopShortcutFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\ = "URL:GameGuard Protocol"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\PackageCode = "FCF74D9E87639FE42A3F49F0B413967A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\ = "URL:GameGuard Protocol"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductName = "GameGuard"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exegameguard.exegameguard.exegguard.exeggvolehn.exe

pid	process
960	msiexec.exe
960	msiexec.exe
2044	gameguard.exe
2044	gameguard.exe
2044	gameguard.exe
2044	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
1072	gguard.exe
1072	gguard.exe
1072	gguard.exe
1072	gguard.exe
1776	ggvolehn.exe
1776	ggvolehn.exe
1072	gguard.exe
1072	gguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe
4636	gameguard.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

684

pid	process
684

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2120	msiexec.exe
Token: SeSecurityPrivilege	960	msiexec.exe
Token: SeCreateTokenPrivilege	2120	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2120	msiexec.exe
Token: SeLockMemoryPrivilege	2120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2120	msiexec.exe
Token: SeMachineAccountPrivilege	2120	msiexec.exe
Token: SeTcbPrivilege	2120	msiexec.exe
Token: SeSecurityPrivilege	2120	msiexec.exe
Token: SeTakeOwnershipPrivilege	2120	msiexec.exe
Token: SeLoadDriverPrivilege	2120	msiexec.exe
Token: SeSystemProfilePrivilege	2120	msiexec.exe
Token: SeSystemtimePrivilege	2120	msiexec.exe
Token: SeProfSingleProcessPrivilege	2120	msiexec.exe
Token: SeIncBasePriorityPrivilege	2120	msiexec.exe
Token: SeCreatePagefilePrivilege	2120	msiexec.exe
Token: SeCreatePermanentPrivilege	2120	msiexec.exe
Token: SeBackupPrivilege	2120	msiexec.exe
Token: SeRestorePrivilege	2120	msiexec.exe
Token: SeShutdownPrivilege	2120	msiexec.exe
Token: SeDebugPrivilege	2120	msiexec.exe
Token: SeAuditPrivilege	2120	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2120	msiexec.exe
Token: SeChangeNotifyPrivilege	2120	msiexec.exe
Token: SeRemoteShutdownPrivilege	2120	msiexec.exe
Token: SeUndockPrivilege	2120	msiexec.exe
Token: SeSyncAgentPrivilege	2120	msiexec.exe
Token: SeEnableDelegationPrivilege	2120	msiexec.exe
Token: SeManageVolumePrivilege	2120	msiexec.exe
Token: SeImpersonatePrivilege	2120	msiexec.exe
Token: SeCreateGlobalPrivilege	2120	msiexec.exe
Token: SeBackupPrivilege	244	vssvc.exe
Token: SeRestorePrivilege	244	vssvc.exe
Token: SeAuditPrivilege	244	vssvc.exe
Token: SeBackupPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exegameguard.exeggvolehn.exe

pid process

2120 msiexec.exe
2120 msiexec.exe
2044 gameguard.exe
2044 gameguard.exe
1776 ggvolehn.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

gameguard.exeggvolehn.exe

pid process

2044 gameguard.exe
2044 gameguard.exe
1776 ggvolehn.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ggvolehn.exe

pid process

1776 ggvolehn.exe

pid	process
2120	msiexec.exe
2120	msiexec.exe
2044	gameguard.exe
2044	gameguard.exe
1776	ggvolehn.exe

pid	process
2044	gameguard.exe
2044	gameguard.exe
1776	ggvolehn.exe

pid	process
1776	ggvolehn.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

msiexec.exeMsiExec.exeacsvc.exeacsvc.exegameguard.exegguard.exe

description	pid	process	target process
PID 960 wrote to memory of 4876	960	msiexec.exe	srtasks.exe
PID 960 wrote to memory of 4876	960	msiexec.exe	srtasks.exe
PID 960 wrote to memory of 2020	960	msiexec.exe	MsiExec.exe
PID 960 wrote to memory of 2020	960	msiexec.exe	MsiExec.exe
PID 960 wrote to memory of 2020	960	msiexec.exe	MsiExec.exe
PID 2020 wrote to memory of 2044	2020	MsiExec.exe	gameguard.exe
PID 2020 wrote to memory of 2044	2020	MsiExec.exe	gameguard.exe
PID 2020 wrote to memory of 2044	2020	MsiExec.exe	gameguard.exe
PID 4712 wrote to memory of 3428	4712	acsvc.exe	acsvc.exe
PID 4712 wrote to memory of 3428	4712	acsvc.exe	acsvc.exe
PID 4712 wrote to memory of 3428	4712	acsvc.exe	acsvc.exe
PID 3428 wrote to memory of 4636	3428	acsvc.exe	gameguard.exe
PID 3428 wrote to memory of 4636	3428	acsvc.exe	gameguard.exe
PID 3428 wrote to memory of 4636	3428	acsvc.exe	gameguard.exe
PID 4636 wrote to memory of 1072	4636	gameguard.exe	gguard.exe
PID 4636 wrote to memory of 1072	4636	gameguard.exe	gguard.exe
PID 4636 wrote to memory of 1072	4636	gameguard.exe	gguard.exe
PID 1072 wrote to memory of 1776	1072	gguard.exe	ggvolehn.exe
PID 1072 wrote to memory of 1776	1072	gguard.exe	ggvolehn.exe
PID 1072 wrote to memory of 1776	1072	gguard.exe	ggvolehn.exe
PID 1072 wrote to memory of 5024	1072	gguard.exe	verifier.exe
PID 1072 wrote to memory of 5024	1072	gguard.exe	verifier.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4876

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 840CFDCF7C425ED9AF4A12BB119C8966 C
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\GameGuard\gameguard.exe
"C:\Program Files (x86)\GameGuard\gameguard.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe"
1⤵
- Executes dropped EXE
PID:2076

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe" --run="C:\Program Files (x86)\GameGuard\gameguard.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428

C:\Program Files (x86)\GameGuard\gameguard.exe
"C:\Program Files (x86)\GameGuard\gameguard.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4636

C:\Program Files (x86)\GameGuard\gguard.exe
".\gguard.exe"
4⤵
- Drops file in Drivers directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072

C:\Program Files (x86)\GameGuard\ggvolehn.exe
"C:\Program Files (x86)\GameGuard\ggvolehn.exe"
5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 964
6⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 964
6⤵
- Program crash
PID:1160

C:\Windows\system32\verifier.exe
C:\Windows\system32\verifier.exe /volatile /removedriver acdrv.sys
5⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1776 -ip 1776
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1776 -ip 1776
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587338.rbs

Filesize
11KB

MD5
e1facb9eecf6fb992ce0517b4d9def1f

SHA1
8a5aa41a852526b427c19ad577f09ff0eab843b0

SHA256
eb4bc32f416299ce593d849bd023e266d26f0821c448834a16d95485e6d2cf09

SHA512
81132a29e9d0eb8c259a91f1f59572b4a7a76018d63738e03e9ffc829e0e61673ea9bda737a9705595c66d032a55634d6f3aa8fea3818d0fcf2d5714b3b0af62

Download Submit
C:\Program Files (x86)\GameGuard\acsvc.exe

Filesize
316KB

MD5
7ec55f85dd4740e6f146d3ee54e01201

SHA1
44fcf3bb83a006ab6ca90d728bec43c031e0cada

SHA256
7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229

SHA512
7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b

Download Submit
C:\Program Files (x86)\GameGuard\acsvc.exe

Filesize
330KB

MD5
b966184ae28d7bc96756bc3ed001c701

SHA1
8c620632624e9bc9b3e7d7a672072bdb6952df87

SHA256
f2b6185392b98f27da4a7a8c74b585ae00d6e69bd7f97727dca0953aa3ab0324

SHA512
8b9ad0bec94ed9a44a0c8aa8b8ca1b80fc6aecc46a2d74a2eb3830394ece82a77bed121c49ccbc6fb4fb7c05edbc90c17d591c2ee0f88bd3018893bc4cd0e003

Download Submit
C:\Program Files (x86)\GameGuard\cache\qfprmqhf.cache

Filesize
15.3MB

MD5
1ac7965867072e615fea1ee20dc2300e

SHA1
d175990d7fe808931ee915470b130a2c37283ee8

SHA256
0cb8174d1aeb9bb9efa6cca18f09df5941e5f48d23240d207e15a25f20ac70fc

SHA512
4bdf16ff4c50d1e04dd4b9fa9cb3949c8a061bc7a2a5d86bc5cff07ad55ccafd5314a36189eb12e9164fc73b46830db5f54f553bb3d5112c0aee5dd22bb0dcf1

Download Submit
C:\Program Files (x86)\GameGuard\gameguard.exe

Filesize
7.2MB

MD5
81ed38976254bb646c0ecee753324027

SHA1
c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6

SHA256
cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7

SHA512
476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018

Download Submit
C:\Program Files (x86)\GameGuard\gguard.exe

Filesize
41.9MB

MD5
6b6d7a19c765cfb9021d6fbc3a4ff6ff

SHA1
c23923025df7d0b7bc947659b78de99a94c62c71

SHA256
b5ea882518b27ab7499d285f0516c1bbf435190d7d55b3835e787b6d62ec3894

SHA512
addc8ef031b2725f07667703e2d69c7cd167f3e50b5070a356fdcf7846514ec4610d47b350eb29d4df7aa75808bf03ff5186f3112f2063ab56988c4f199cb8b3

Download Submit
C:\Program Files (x86)\GameGuard\ggvolehn.exe

Filesize
16.9MB

MD5
d274658c7293070e421e9c441ab0e9b4

SHA1
103ac0fda11316ca57d6df6647eeebd02506f281

SHA256
8af22f3de2117b3a7681e2136b2a931bdb97c20e883a86554a40c8ae46bc361f

SHA512
8b55958e22088ea8f9d318a832f40ef154efc0805a9c32584fc7e625d2804e4b2dc0ef325d9d815e84b98730e096b921613dea1f08e8cf54032d500a69c6261d

Download Submit
C:\Program Files (x86)\GameGuard\steam_api.dll

Filesize
258KB

MD5
5be6351ea71a94ca4334f3211f5eb609

SHA1
1a5a83bebedcb499128219805296f042e5b9d159

SHA256
8d36de57cc6436f4e82ee672023f17a7f83a7a55af558582c2c139f83fb33ed0

SHA512
f61cab57849d12e9e0a26e73d20fda28085aff2e1a619501d25f9736ff455444a5d05d722ca32bb2356d5b209e29982ab93fd4e6b84acf4cb4b3ab5474d01655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60B3F7207DEB992031C120EB71F562CD

Filesize
4KB

MD5
94bf0bf032ce32469dd74f4f1f5320e6

SHA1
86bff704a2f82816f346a6a374250f35743de3b0

SHA256
54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b

SHA512
ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
1KB

MD5
004eba2a24fda787318ce19fec383d25

SHA1
f9e5b03ce43664c60c7937c8998d4c12165af3ca

SHA256
ed5bd4c2310d2d1ce382a7b847ae6468a93b019a41004820e6ce2cf75f0f8a2e

SHA512
fb14058d341c5d5a426a73b43f9ccf1781197972969fbf3d82b4928c14d9181a090f11d073cdd8d0eb78ab1766fa815f62fc5c5cb30bab0dcf95ab1fc7a8f4f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD

Filesize
222B

MD5
ef981cb3dc58932f435cc1e7fdf01be9

SHA1
38b2f1d0e8c1cf1f76ba92989a899d2f60678622

SHA256
fba157d330d1c9abf3aa613a1012052b63642422f84bb046601ded4d09262ad1

SHA512
52120e8feddf35463638060517cbba96ca36f7f1f1e51118a95b130c5ce8f056b10b39c8e3b4e39ff52b58e885b6ac852cd635fb1667e82f3ec3c631a4427a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
498B

MD5
f0a28d74b8aac0ce127ad06fe64160f0

SHA1
b8c4779c724d9a4aa4c09219dc5e3d5eec4ee1df

SHA256
0b165452fcf2294867fba8b78e2f1e29145dc18592f11cede73be37d34b40d4c

SHA512
5fdcde4aa165a3db93514cd06731cb61ac78057e9c3df739f6fadb00f353e2ec619a0898cd8d1288c9d95e86ef9aeff7719890eb83da6c66d0a1007759bcfc8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C

Filesize
448B

MD5
393d55016bb9f82cbfdc09af7635af59

SHA1
4d278401d005da5fd89570293665fdda2e969d30

SHA256
f61429b838ab4d5e30b33b89f6c28e63ec74bf52fb432ccb782a6525502296a9

SHA512
b3702af347ae0b0bd3503d15ece014bdefa1a1cbcbb74211da6edaa18701e2e1bfad06e853ec29edda9a45ea81b1fd54f9b0a4e3db6948be57ee5265f7b7d8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI973A.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Windows\Installer\e587337.msi

Filesize
7.7MB

MD5
68bd8f9af44479db013a77c806f1c674

SHA1
0cbb2b63c78b42e13b1818964bb2cf43e46c5052

SHA256
ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

SHA512
991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
46a5f1af1f480b40dd0963c46b222e67

SHA1
e7211266074f8c344e48b2e80ceac696d56a04e1

SHA256
ea376da2f019f259399fc1ae9668ae8bd98f5115976b983802ce1b8f03c85305

SHA512
3416a9b79417ba0e004a980d8aad149f66826174de404268afe1118266f0a8aeae6e899e9bcf5a6171037c1e001341f93aece875e026e36b2a295f511a4be8b6

Download Submit
\??\Volume{6e183fb6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d5eb37c8-f4f4-4e74-b193-83822a8ec4cd}_OnDiskSnapshotProp

Filesize
6KB

MD5
f285a5852f2ecf948d330b9778235712

SHA1
6d281a129632d12207525a623c36e5aa8155d226

SHA256
436fa4e7e605f329aebb460e95d4e0beac77fc434e4612a14f2967d25c7a5030

SHA512
916b702e977851b4cf8d20a30c2af0bd5f922882007cb6f89b322e314c47f1ec19d0783d6b8015b68fb15f00e07bed011a7e853695f61bab7269c0bb1da5da5b

Download Submit
memory/1072-147-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/1072-143-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1072-140-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/1072-142-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/1072-144-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/1072-145-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download
memory/1072-146-0x00000000063D0000-0x00000000063D1000-memory.dmp

Filesize
4KB

Download
memory/1072-141-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/1072-148-0x0000000000C60000-0x00000000059E3000-memory.dmp

Filesize
77.5MB

Download
memory/1776-157-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1776-159-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/1776-160-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/1776-161-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/1776-162-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1776-158-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1776-156-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1776-165-0x0000000000400000-0x000000000209F000-memory.dmp

Filesize
28.6MB

Download
memory/1776-163-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/2044-83-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2044-91-0x0000000000EC0000-0x0000000001A7E000-memory.dmp

Filesize
11.7MB

Download
memory/2044-84-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2044-86-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2044-87-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/2044-88-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/2044-85-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2044-89-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2044-90-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4636-115-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/4636-109-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/4636-108-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/4636-111-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/4636-114-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/4636-116-0x0000000000060000-0x000000000196C000-memory.dmp

Filesize
25.0MB

Download
memory/4636-113-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/4636-112-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/4636-110-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download