Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 17:02
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
Resource: win7-20231215-en

General
Target: 2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
Size: 1.5MB
MD5: de27529b17db2e2656778f67876900b6
SHA1: aa3107ae1ccd629c57dd70298c1482a9edf858c4
SHA256: 635bbbe254e983f1181094d011d33b3961c53e99493ea65ebfcbcc3f1c52cd3c
SHA512: 5b1fa47ab30fafc431ffe33d26f4c69921d65421d6b347ba163461ac636d7dd67e98b4debfe22919d1e1e4e0ee599d1d7f6d95a7f5569ad9073dfaa52786ca2d
SSDEEP: 24576:kZ7+quEOtqZpp0YYtwlGhNsof2e7A+ebC:kZ7+xHmpSK8hWomh
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 35 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid   process
  1692  ehRec.exe
  2808  aspnet_state.exe
  2808  aspnet_state.exe
  2808  aspnet_state.exe
  2808  aspnet_state.exe
  2808  aspnet_state.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
2248 EhTray.exe
2248 EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process
2248 EhTray.exe
2248 EhTray.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
pid process
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
1956 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 1664 wrote to memory of 1556 1664 mscorsvw.exe mscorsvw.exe
PID 1664 wrote to memory of 1556 1664 mscorsvw.exe mscorsvw.exe
PID 1664 wrote to memory of 1556 1664 mscorsvw.exe mscorsvw.exe
PID 1664 wrote to memory of 1884 1664 mscorsvw.exe mscorsvw.exe
PID 1664 wrote to memory of 1884 1664 mscorsvw.exe mscorsvw.exe
PID 1664 wrote to memory of 1884 1664 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2180 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2180 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2180 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2180 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 3036 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 3036 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 3036 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 3036 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2252 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2252 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2252 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2252 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 700 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 700 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 700 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 700 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2108 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2108 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2108 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2108 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1504 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1504 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1504 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1504 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2692 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2692 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2692 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2692 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2396 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2396 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2396 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2396 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2264 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2264 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2264 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2264 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1968 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1968 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1968 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1968 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1064 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1064 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1064 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1064 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2308 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2308 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2308 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2308 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1496 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1496 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1496 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 1496 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2668 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2668 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2668 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2668 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2136 2900 mscorsvw.exe mscorsvw.exe
PID 2900 wrote to memory of 2136 2900 mscorsvw.exe mscorsvw.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2700
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2580
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:700 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 1e8 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 1f0 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 1e8 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 244 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e8 -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 280 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1e8 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 23c -NGENProcess 24c -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:448 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 294 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 294 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 23c -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e8 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 240 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2748
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"2⤵PID:1556
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 204 -NGENProcess 1dc -Pipe 1a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 24c -NGENProcess 1c4 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 220 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 204 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:540 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 220 -NGENProcess 204 -Pipe 1bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2084 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 26c -Pipe 208 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1464 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 264 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 220 -NGENProcess 27c -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2976 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 280 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 27c -Pipe 1b4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2536 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 240 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"2⤵PID:2464
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 27c -Pipe 204 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1540 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 220 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"2⤵PID:2100
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 294 -NGENProcess 290 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1528 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"2⤵PID:2496
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1460 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"2⤵PID:700
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 220 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1932 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 278 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:1856
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 240 -NGENProcess 220 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1572 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 220 -NGENProcess 298 -Pipe 2a4 -Comment "NGen Worker Process"2⤵PID:2652
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"2⤵PID:2356
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 240 -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:1916
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"2⤵PID:1252
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2876
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1952
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2248
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:780
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:840
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:772
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1992
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2980
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2632
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:2956
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2752
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2152
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1984
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1992
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1576
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2960
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1752 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1956 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:2432
Downloads
72KB
MD5368975cf43a9805960cd81885b8a12c2
SHA16dea1f360099652892ace11c976c91faf300141a
SHA25603cbc46f2c631052801158f7e40a810976d5c6a24547a5a3da1e0ddb6301a14e
SHA5121ae1effdb39fb03fd2aecadf3358f3790707672f59e4a6f4e65d2a1b81a8a0b09d8e17b73a2b11004964465f8d9b8adebbc2d41fb78b8c598ffd7bbd637262e7
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 56KB
MD5: 302a40cbbd83e1c4a785203e0254908c
SHA1: 09f19af8716670438e7d9dd9ebb81ecfc25fafc4
SHA256: fe7dc42bed3797c2a522acd623328676240fdb88fed01137a9cacab781342574
SHA512: 3aa7d780eecc2f3e7764ed3ef11e8db546d469ad3ea3745ff6f1ae96756077b8f83792cfae5280359d9052b8037ecaa9d95d61fb6cd0975f31e7cac746cb2d57
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 90KB
MD5: 0e82a9d62452820c5413b3676a01ae04
SHA1: ec5b4ddf5b625b0b684bdfbaf33077a7c8b5022f
SHA256: 642d62e0f455fb791eb5b4885e798a069aeb39348f9f6f5461dec11fcf7b56b9
SHA512: ceedc99932dcc58eabf5e96082d098980f948dc515f7bb929298615677f71f0d8704c202d728718099e09ed68fb43737201a50000ddb32776a396188b61e3629
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 30KB
MD5: 88ed41bc062631e1d3378f0f4adad152
SHA1: 67f2b1ee8dc3edff8dce96e6532e4be395e9d934
SHA256: 74695b0be8afa021588a43788657b42e6a4f9009c493244f26d1733e07624088
SHA512: 72a6d19b2cd39acadbf8c579e55cfb8b72a6ad658e38233af63e3603a5625bb746c8c531f0ada3b07372ae550522f296d18df2814c9701cf6b3e706c6784e17e
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 65KB
MD5: 28bd3f1f2373b59dfa500148e70d734d
SHA1: d0804795dbc5535eba2b20d1e5be2cb679d950bd
SHA256: c58794ba9b26aa98001afecfcec82470300c7456e98f4dc0049af7cef47b5c7f
SHA512: 85fa99078124124c47ce3b893de69c2575721309ed3ed369eef3e49100c8930f78953091ba08d34fdbd8dd8220d3b1bdbefb7c5c00f30852937f64e05bf00cc6
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 59KB
MD5: e7e9911faf73a7b13a336359b66828f7
SHA1: a1cdf08a844387db818f74aeee77933f270ecdd7
SHA256: ad9c548dae4531a42f2a75a7b84166a919a08ce5b7799e71ae0402c1ec92ca9d
SHA512: 3094b97f6d19c7156d28501dd1a630c7522ae24e9a361a9d60576227f472f4d2d64c42013c869cc367749f8b41517d7e794f567ae7a66931e3a2ff08cbdd5771
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 226KB
MD5: 19ad6ea767e11ba1ea3b04a1665f28f3
SHA1: 069cad4fa2c9a8abdb5109ecf386e06c2f1277d4
SHA256: 59f87156923b69bf510473b69d8cd3e6f4bb3a0bff3bbb1cec4cbbf61c37d736
SHA512: 5bf25f8aaa0a82e33a6a75d8018d5e8e9c58783ae57a771a0a81a109a00b5bd305b51e05f3fd15e5d3f87b602f8d02a23f6a00ddb2192e75ca8ea5f33779bfb2
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 192KB
MD5: cb58375431b08baffcb3e22d6c781424
SHA1: c85b3b853749ee61a8e012400f4d3fd40d6ff8b8
SHA256: 7719aa3d470dbed2153861a19148cdfefa399603954a398dc22355a55eb10743
SHA512: a806ee3a143eeb8df6bffcfd517aaa6428351f44ab843a7e3c7232977695b7fd43226f04f53f7ff2fd4f2f9fd5259b47d055735caeccee97af4ccbe6c6603446
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 126KB
MD5: 93e66af6dcd7b3c77995bb175e9ea0fd
SHA1: cf30e9b3fda888a07d41afa118be3472ae3ad752
SHA256: 13e587d6e159488331a91ad8dd5a83b13434ae47731f391dcef864d77a31222c
SHA512: 9505431e1996dd6d57f1b1ff025d58393b76051e1d29ee23b16d9cede0697e46ba5f451c52b722605e171d9b500c9501492fc53da676fd14acb3434b0f33c51f
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 1.5MB
MD5: 4a91eaaae3997aadf96e179814a1bab7
SHA1: 6cb04d457277cd6444ab4082f383959184e49b18
SHA256: 5656e2f57f25abc5e7a91f2709fe51d28a6531dbc8ff909bc183f2ef6e83d8ba
SHA512: 93b6305fc4b0ed41250c691f7cb9af162c21bf8c73439716eafad1ad63b8c4cde0bd921b6300205603b0f26ee1b58887bb24ddf0f3e30d74170b0840c83a8ac3
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 61KB
MD5: 39c138229328cbc4e8492c6f25d6505b
SHA1: da26e612e64df53d172c487ec4b02a91e504f9f0
SHA256: 05b4f2e170326d6c57785b393729be85321dd3a08a7f9cd41522eb56b27e03da
SHA512: f00640f30c0b19a5808c7f70adbf62a53c844865a07993ebf4680e2d7e26cf255aa376f67b64abbc4f0c38e4b0cf0556482f69901e6d97c754de221e859d69ed
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 136KB
MD5: 941a0f58c5b87f167eb3bb1ba7c9482e
SHA1: f4f44f5786e79c3c480435bd757137027fdc32b9
SHA256: 016262789bd5f34ada5a34fd0a34242071a72e03edf3f9fe78bb97aa21427b56
SHA512: 7e331c9344785704ba685c5e29182dc5ebef5c09ab1d737f9941c07dff29588a5f46b8844d3c44d92db87bb9832217f21c002cfe784fbcea53774c162f2aa47c
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 64KB
MD5: 058bf2f1d618a10b8b396c7b92e337f3
SHA1: fc83e6795f809e61d57df3cdcf95af15eb7475c3
SHA256: 7ed7ecaacd43cd791e7ef295e0ddb6195e3f401ee016d4235957862002b4d9bf
SHA512: 2bc5ea652081b393b39d37b4669d60947ca49f79c30a8e1b7ec51e24becfea7711336e6e543fcd440ca28a21147c0d2450b268bc988368abe55d80cabd331af8
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 174KB
MD5: 54c34a174add440f9edb2c100be87300
SHA1: be933e9bc7291d2d5bcc3843105423a2fbd30a13
SHA256: 6576bed593c539a798c264b9d916ff2e6e2893a8b0f7c6f59b080f43e928a8cc
SHA512: d7f5b80e9ef500d30c45b1a601bb6ee4fa1e05f0dfc829c8571e993de63987e58488d60a06ee35e2c1f5feee5976c381e9a86b5fd043fd7f09573e29638c4c06
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 78KB
MD5: a4363dc13bb9081145548700844cdd5f
SHA1: d424bf6584f88dc1e856a0aaf9ebc3a9ef857c64
SHA256: c1c5a03f46b75bacf9d46cfa46daa8b0fcd8ee800a5cea7d02397986feb44c5f
SHA512: bda498702279922bed63b3222c9d1e9b900b1c33864b793d11cfc0cc964ecb9648683ef02f6c62c3abb80dc009feaf9160976f384735688e80f51083ac7c0684
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 185KB
MD5: 8b0eac910470e4e9902bf711dbfefc47
SHA1: 9d56ead64abca16015df2e0397d1dfe3a4ca39d8
SHA256: 596961d607bd3c704e18143fccc051e98dbacca9fb2bc9756c90a7ea61c65894
SHA512: fa96b7182c0aac7e75ef497b22b8662db2c6ff7d73e696dc0c1493bce49688003d5196f3888315f5dbec239e223c977dca82ca1777414300bbe3fc77f5daa066
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 89KB
MD5: 8b686923992e92d3917487c1c4b4102c
SHA1: d23b615163e9372cf0846b6abddc1ba6516638ae
SHA256: c7b5aca0dbd14b366f9a1b2b452cf9f4f6db7ec4488dade157948841a44df928
SHA512: 5913245d0b56fb4db1df962773aabe8b0e4dbc2fb5b870a0610deebcff46a32691bcd19188cfa1d04fe6ef8b1a88529d9e4b74028fe5d7c8ea8b767baf468a09
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 103KB
MD5: aa162e0d05d4cc4c09281fe8df44cc73
SHA1: 3a17ca3791b7230ffb9fe6a14210ca46104bc96f
SHA256: 191facb9bb485fea4ae52c6f14abe41c37056f6daeffb7921f3637dfeb242b8d
SHA512: bc8be121b8a72c2b01607a1c1889eda7f5b867da7bea1182e7aab54abbc01d1f25208cd0c73fbe69c12324d81c617eba5cce122a4ecad7f7ccfd4a36e0d7fb0e
-
C:\Windows\SysWOW64\perfhost.exe
Filesize: 132KB
MD5: 4aba139d60d3b6f078de96383ddaaca4
SHA1: dfd5d92d743e31fd29363b0f95a55f6f27667075
SHA256: 45bf0383c9b348cf01193b45ba292cb657a10376f3ca80628d6120b7fcea47ac
SHA512: db16058b3fe3341691f1bc2a058aed36ff22e21809539187fafbd6cd4fc7db73552a624f89c41017a069ec94bfd45e21df84c7b805b49a0987f515b33999666d
-
C:\Windows\System32\Locator.exe
Filesize: 65KB
MD5: 71052ce928a3d2b140967cd75e87e055
SHA1: 59f470edfa51923dc88117b7e3df1f82e43085ad
SHA256: 96ff7195ef3bcb93b568f82a8bcb880d369090991c2d31b47e954cb856ab502a
SHA512: ec78bcf3ea2ac40b4a8f26d2a63431739fa04622f505485f8efd8c636eac63946b840fc0e6c8b302ca8aa0656d83d65273b01c6989bad6706602a8abc1a3bdf3
-
C:\Windows\System32\dllhost.exe
Filesize: 45KB
MD5: 8872c1c3c18872c249524954d73c9d21
SHA1: 49a10c7c2d170af3490834c3c1bfaacfa03eec09
SHA256: e705220681ccf51df1193c620043ca38c285299ccebe8049772e7c8438d687af
SHA512: f8c85262292f329329b611835c9f8dfd81d09aac66ad374e6fb98777b9d46f916b1ba1b68553752af0ef2c1583e9d46f2b9d1e14531904f955d50f88fd826941
-
C:\Windows\System32\ieetwcollector.exe
Filesize: 791KB
MD5: 34b22c02f92d5a1fb6037741b8d24345
SHA1: 5b792895e3d71922fb771c11cbd14e391788a56f
SHA256: 59b1e82a15f1b0a5090100bac116e3717c6dd3fed5e88bc383ab71edbb1cb815
SHA512: b315119af86ccb5161eee47136e4744401acbdf5d9e919c36ad8fe1998789900147914a45bcad2d17dd9824e42b9f0a9eb6dbe7a4b6a60176675247aac4c36b1
-
C:\Windows\System32\msdtc.exe
Filesize: 254KB
MD5: 13984c67aaf4e9ba006541a450283a61
SHA1: fb8cb656d64110d7f1fcae570768393d6cb8381c
SHA256: 0e6bddf8437e60af076003f97948e31c95532ae23517a35b43fcd0d7f1395a1e
SHA512: 9412d772a9df6b375d3f86c2335db72265c148274cd12c4d73dc76c3abc9320b8808d33e137fd1db0a71f02db704d0ad56cf132d84e0da82b69543dfff122ecd
-
C:\Windows\System32\msiexec.exe
Filesize: 209KB
MD5: 4f232f3992cb7c981eccd03a2e26d3aa
SHA1: 68f9a4a13c8d5ac397706feef0f7b26f3f9de92e
SHA256: ad04ba1e38cab36bd4e76a73d154d7483d0868f10bdbaf2210c691c90710ae5a
SHA512: 160cdbf29eeb558de3a5fc025e5906a8fdd94582d056262056116fcc10392ca4860f9a1774d7bbc257c1c433913522600836a5486c0028f91c2cf48400a303f2
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize: 248KB
MD5: 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1: f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256: c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512: c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize: 58KB
MD5: 3d6987fc36386537669f2450761cdd9d
SHA1: 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256: 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512: 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize: 43KB
MD5: 68c51bcdc03e97a119431061273f045a
SHA1: 6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256: 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512: d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize: 198KB
MD5: 9d9305a1998234e5a8f7047e1d8c0efe
SHA1: ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256: 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512: 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize: 70KB
MD5: 57b601497b76f8cd4f0486d8c8bf918e
SHA1: da797c446d4ca5a328f6322219f14efe90a5be54
SHA256: 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512: 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize: 87KB
MD5: ed5c3f3402e320a8b4c6a33245a687d1
SHA1: 4da11c966616583a817e98f7ee6fce6cde381dae
SHA256: b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512: d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize: 58KB
MD5: a8b651d9ae89d5e790ab8357edebbffe
SHA1: 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256: 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512: b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize: 85KB
MD5: 5180107f98e16bdca63e67e7e3169d22
SHA1: dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256: d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512: 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize: 298KB
MD5: 5fd34a21f44ccbeda1bf502aa162a96a
SHA1: 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256: 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512: 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize: 43KB
MD5: dd1dfa421035fdfb6fd96d301a8c3d96
SHA1: d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256: f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512: 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
C:\Windows\ehome\ehsched.exe
Filesize: 64KB
MD5: 34014c2cfa4c11f1f8659e9d752d9d50
SHA1: 66e4ca4c54466272908c5b98e76cb8f3e1047ba6
SHA256: c17be80086a6c82d65a4362d3b10cfbf2502f18e0a21bd8feed7a634a0802341
SHA512: b17935a26820f4a80a4ee6b49e6decac84e798311128df8742615e407e7f39eabaa10484173baf108d15e358a162687aceab7731ded0dfd4844773794c98c671
-
C:\Windows\ehome\ehsched.exe
Filesize: 1.5MB
MD5: 40d8486c8830c58962adf9d57587d577
SHA1: 0d22e2fee26baeb3cb6054d271ae1fe5b20c8f03
SHA256: f1b2ac7d83b3ece0b120612c6f64c955de39309b74e6e07ff535ffbc3aa59597
SHA512: 7115c31d8b63bf046634a4eed18a38534bd99a7d9811980f3e5eba283ebd1ca6a4d74f665a8618844a7a4a9e7bb22a3f6f211ff7b2f1265f54ce94b5b7bf9b2a
-
C:\Windows\system32\fxssvc.exe
Filesize: 215KB
MD5: 9b6df1e3d6df3312f9c6c0e4d642a6d4
SHA1: 1c39e3eacd9c6d9835f78e7898d0040186b4c41d
SHA256: 6e74e4ab1914f1b7e80ae8bd4f37d29c1b7e9d9de337e78610e15aa0b66abded
SHA512: 381d49e2b5dd171df9d0b3277808a1eb047aee409460aa0a8b0db7056c17fc60b0987cdf0f9429b489856b01b67c1eb216378a4e9a608d2923c135c6bae5f014
-
C:\Windows\system32\msiexec.exe
Filesize: 165KB
MD5: 3fe8b6ca6c0cc822d33bd74679228f50
SHA1: 8afa27522a5d54bd3fddabb040b73da76b5b31ef
SHA256: 7774b4b759de8bcfc6d807b54595088d6d2306e86be6cade0bfe507635ab13be
SHA512: a7257bd7507a97465c0a7ef7ce15f2e04f1f9f5fb2427c9961e03cbb48eafe81f47d5a7271b19afacf74b29495028334c6d6e07f6cb3cd44e721dcf4aaa38104
-
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize: 1.5MB
MD5: a50506f26d343bf4c626c44ccbcc168f
SHA1: e8e4292eba77355a323129c84d3b9ef3469f2043
SHA256: a669bab6765e489d473866d021a1dc3238a97a51b8b4b871ffd2a37fad8efb55
SHA512: fe35b3065595822a7ccdbb61befa6d2b1ea8faea7fb4517784d4dde4b69c80fd2c194c75474a5334bf723da112f16b5e0467da0497d396159833731ba7a6fcf2
-
\Windows\System32\Locator.exe
Filesize: 136KB
MD5: 971bef97836c2b00461dcf83b4b6ad5a
SHA1: b3f310cc9e97825984cfa3ad4f014e59cfb15d07
SHA256: 4d1fa71645ddf043d74e0126bb633917fe5e12aaac7a81561fa2d316f9cecbd0
SHA512: ae1626dc4052d18e6fb4392e555be11b9fcad1b93747d1c4ede635b15e1247969a02371d8a57baedabec8a7c8d4cb191ce7783c65e6d33999922321b0be2ec41
-
\Windows\System32\alg.exe
Filesize: 1.5MB
MD5: 3d6de30a764b9ed9889ad09ddf67996b
SHA1: a481436a42e64e9ad32931c843015279d3b696d7
SHA256: db50e367aec38b4002a6cdc0a01fdf2279a94e826995a5175f018031e4883eda
SHA512: a71bd0b64d2a8e99cd735a724c2a6fba803d91dede2455b81b7f80e949796bd071145503b6a264c32ca5a78acd89cb0fb0d7ed8488962f713e704e3c7c88ede1
-
\Windows\System32\dllhost.exe
Filesize: 1KB
MD5: dbf89feb5fb7f107d25af043b36fb330
SHA1: dcbb3e83b65c709627ad10c4f2c20158045ec797
SHA256: 7aeed0b20a135bd2b9edbf2e9d68c0681cc12c749aaa060a235e3c2a12a73596
SHA512: 31377d226bb4d5e2214d0f0279a6d14948eb7659ceae80109f3c0f2edf4614bd4cc1abe9d6769eda627475916f8b71946f363a44f25c25a4eddeea9c213b9580
-
\Windows\System32\ieetwcollector.exe
Filesize: 974KB
MD5: 540c6ca13dd376799a25816532072057
SHA1: 622dd0eb7a17c0dbbf9b549a1f2be3857bc5530f
SHA256: 5f6e4f06a3fc38e2ba2bd2705aadd9322b6ffbf2da79f9550a69accb632fda3b
SHA512: b50b4054385af500953d5a40048f767b87fc7520363f8570da691920dacb0798dbb435b482df5d0c75ef55297ffe64c85aa5d26db4068642d656dac797edddbd
-
\Windows\System32\msdtc.exe
Filesize: 227KB
MD5: 69515d633c6cdc7d6115b2289522df3f
SHA1: a0b4d81716c40556bb916d9c934231b9a19b3362
SHA256: d560ce07f4021a7e7de8be5bd904ca8f5025dd34b6e78726db605427ec77bcf3
SHA512: bc084bfd42841799f16957cfa4dadecd3be2079f1bd3ad146f4ef49170550bb48bd8b1e256e2d3810ba01c0bbbc4d7a7d29c659e709cb843678b2670fc389ea3
-
\Windows\System32\msiexec.exe
Filesize: 152KB
MD5: 26199efbf2dd0dda201fa548824fb277
SHA1: f63d202e72f8343f6468330990eb85130bb3faff
SHA256: 2cca8bf3a52ae87bf29ac08db1f63eb843a550934a4ab0b54d2ec6e56030d7c3
SHA512: 4e95dc9c22ac358f20c5b92d8c135e8140a40217474ee10abba05ae87be5d0caf54c95d4558f88401a733b3d1cd0ea1e517b6c94b67cbff2387fe8165c4b2d34
-
\Windows\System32\msiexec.exe
Filesize: 156KB
MD5: e17edf4c3df4d67dcea0c95e1b6dea04
SHA1: aa676741c5089df11eedf82ca8c774d5947fa8ab
SHA256: 41bb0ed01c1083a1b18755807d77527f80cfded7c8358deffb5d6c7341b33cb4
SHA512: 8792004961904483df4265a2b914a693b8485f6d9f850c4ef7a47cbced5c84de14e8ec4dc0d67774dde04053981764ee7a77df938e92ebabd970fc22f3f87a26
-
\Windows\ehome\ehrecvr.exe
Filesize: 1.2MB
MD5: f1e2df3b0c1806a571ac649f458e40f5
SHA1: 1821c97ddd890162de292bc65a57e16a91d50519
SHA256: 2142ba2df5854f8ae47b687cfdd3a9a0921f6ef6b8e0726cc1cdca2fd9264d2a
SHA512: b2c3eb23621a298360f73a392809d8341e54983c2a683bedcd5f3c5f3b131274bc3c2fadb9deada3d8b8d394ace01a6de947954dfe160ed42f2f2b489db6d156
-
memory/772-183-0x000000002E000000-0x000000002FE1E000-memory.dmp
Filesize: 30.1MB
-
memory/772-260-0x000000002E000000-0x000000002FE1E000-memory.dmp
Filesize: 30.1MB
-
memory/772-194-0x0000000000230000-0x0000000000297000-memory.dmp
Filesize: 412KB
-
memory/780-148-0x0000000140000000-0x0000000140237000-memory.dmp
Filesize: 2.2MB
-
memory/780-241-0x0000000140000000-0x0000000140237000-memory.dmp
Filesize: 2.2MB
-
memory/780-153-0x00000000008A0000-0x0000000000900000-memory.dmp
Filesize: 384KB
-
memory/840-178-0x0000000140000000-0x0000000140183000-memory.dmp
Filesize: 1.5MB
-
memory/840-174-0x0000000000360000-0x00000000003C0000-memory.dmp
Filesize: 384KB
-
memory/1664-97-0x0000000140000000-0x0000000140183000-memory.dmp
Filesize: 1.5MB
-
memory/1664-104-0x0000000000200000-0x0000000000260000-memory.dmp
Filesize: 384KB
-
memory/1664-96-0x0000000000200000-0x0000000000260000-memory.dmp
Filesize: 384KB
-
memory/1664-177-0x0000000140000000-0x0000000140183000-memory.dmp
Filesize: 1.5MB
-
memory/1692-171-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp
Filesize: 9.6MB
-
memory/1692-167-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp
Filesize: 9.6MB
-
memory/1692-250-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp
Filesize: 9.6MB
-
memory/1692-187-0x0000000001080000-0x0000000001100000-memory.dmp
Filesize: 512KB
-
memory/1692-257-0x0000000001080000-0x0000000001100000-memory.dmp
Filesize: 512KB
-
memory/1692-168-0x0000000001080000-0x0000000001100000-memory.dmp
Filesize: 512KB
-
memory/1692-265-0x0000000001080000-0x0000000001100000-memory.dmp
Filesize: 512KB
-
memory/1952-222-0x0000000140000000-0x0000000140187000-memory.dmp
Filesize: 1.5MB
-
memory/1952-138-0x0000000000180000-0x00000000001E0000-memory.dmp
Filesize: 384KB
-
memory/1952-128-0x0000000140000000-0x0000000140187000-memory.dmp
Filesize: 1.5MB
-
memory/1992-201-0x0000000001000000-0x0000000001060000-memory.dmp
Filesize: 384KB
-
memory/1992-193-0x0000000140000000-0x000000014019F000-memory.dmp
Filesize: 1.6MB
-
memory/1992-196-0x0000000001000000-0x0000000001060000-memory.dmp
Filesize: 384KB
-
memory/1992-202-0x0000000140000000-0x000000014019F000-memory.dmp
Filesize: 1.6MB
-
memory/2076-21-0x0000000000840000-0x00000000008A0000-memory.dmp
Filesize: 384KB
-
memory/2076-22-0x0000000000840000-0x00000000008A0000-memory.dmp
Filesize: 384KB
-
memory/2076-95-0x0000000100000000-0x0000000100179000-memory.dmp
Filesize: 1.5MB
-
memory/2076-15-0x0000000100000000-0x0000000100179000-memory.dmp
Filesize: 1.5MB
-
memory/2076-14-0x0000000000840000-0x00000000008A0000-memory.dmp
Filesize: 384KB
-
memory/2152-287-0x0000000100000000-0x000000010016A000-memory.dmp
Filesize: 1.4MB
-
memory/2376-285-0x0000000100000000-0x0000000100187000-memory.dmp
Filesize: 1.5MB
-
memory/2376-235-0x0000000000B30000-0x0000000000B90000-memory.dmp
Filesize: 384KB
-
memory/2376-223-0x0000000100000000-0x0000000100187000-memory.dmp
Filesize: 1.5MB
-
memory/2376-225-0x0000000000530000-0x00000000006B7000-memory.dmp
Filesize: 1.5MB
-
memory/2580-56-0x0000000000BE0000-0x0000000000C40000-memory.dmp
Filesize: 384KB
-
memory/2580-55-0x0000000010000000-0x000000001017C000-memory.dmp
Filesize: 1.5MB
-
memory/2580-89-0x0000000010000000-0x000000001017C000-memory.dmp
Filesize: 1.5MB
-
memory/2580-63-0x0000000000BE0000-0x0000000000C40000-memory.dmp
Filesize: 384KB
-
memory/2632-252-0x0000000000230000-0x0000000000297000-memory.dmp
Filesize: 412KB
-
memory/2632-244-0x000000002E000000-0x000000002E18A000-memory.dmp
Filesize: 1.5MB
-
memory/2700-39-0x0000000010000000-0x0000000010174000-memory.dmp
Filesize: 1.5MB
-
memory/2700-45-0x00000000002C0000-0x0000000000327000-memory.dmp
Filesize: 412KB
-
memory/2700-40-0x00000000002C0000-0x0000000000327000-memory.dmp
Filesize: 412KB
-
memory/2700-91-0x0000000010000000-0x0000000010174000-memory.dmp
Filesize: 1.5MB
-
memory/2752-281-0x0000000000430000-0x0000000000497000-memory.dmp
Filesize: 412KB
-
memory/2752-275-0x0000000001000000-0x000000000116B000-memory.dmp
Filesize: 1.4MB
-
memory/2808-28-0x0000000140000000-0x0000000140172000-memory.dmp
Filesize: 1.4MB
-
memory/2808-35-0x0000000000A90000-0x0000000000AF0000-memory.dmp
Filesize: 384KB
-
memory/2808-29-0x0000000000A90000-0x0000000000AF0000-memory.dmp
Filesize: 384KB
-
memory/2808-114-0x0000000140000000-0x0000000140172000-memory.dmp
Filesize: 1.4MB
-
memory/2876-139-0x0000000001A30000-0x0000000001A31000-memory.dmp
Filesize: 4KB
-
memory/2876-205-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize: 1.2MB
-
memory/2876-117-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize: 1.2MB
-
memory/2876-232-0x0000000001A30000-0x0000000001A31000-memory.dmp
Filesize: 4KB
-
memory/2876-115-0x0000000000290000-0x00000000002F0000-memory.dmp
Filesize: 384KB
-
memory/2876-124-0x0000000000290000-0x00000000002F0000-memory.dmp
Filesize: 384KB
-
memory/2900-152-0x0000000000400000-0x000000000057D000-memory.dmp
Filesize: 1.5MB
-
memory/2900-76-0x0000000000400000-0x000000000057D000-memory.dmp
Filesize: 1.5MB
-
memory/2900-75-0x0000000000580000-0x00000000005E7000-memory.dmp
Filesize: 412KB
-
memory/2900-82-0x0000000000580000-0x00000000005E7000-memory.dmp
Filesize: 412KB
-
memory/2900-81-0x0000000000580000-0x00000000005E7000-memory.dmp
Filesize: 412KB
-
memory/2956-262-0x0000000100000000-0x0000000100542000-memory.dmp
Filesize: 5.3MB
-
memory/2956-266-0x0000000000260000-0x00000000002C0000-memory.dmp
Filesize: 384KB
-
memory/2956-267-0x0000000100000000-0x0000000100542000-memory.dmp
Filesize: 5.3MB
-
memory/2956-273-0x00000000739E8000-0x00000000739FD000-memory.dmp
Filesize: 84KB
-
memory/2980-271-0x0000000140000000-0x000000014018B000-memory.dmp
Filesize: 1.5MB
-
memory/2980-215-0x00000000007A0000-0x0000000000800000-memory.dmp
Filesize: 384KB
-
memory/2980-207-0x0000000140000000-0x000000014018B000-memory.dmp
Filesize: 1.5MB
-
memory/3032-7-0x0000000001C00000-0x0000000001C60000-memory.dmp
Filesize: 384KB
-
memory/3032-295-0x0000000001C00000-0x0000000001C60000-memory.dmp
Filesize: 384KB
-
memory/3032-0-0x0000000140000000-0x000000014017E000-memory.dmp
Filesize: 1.5MB
-
memory/3032-74-0x0000000140000000-0x000000014017E000-memory.dmp
Filesize: 1.5MB
-
memory/3032-293-0x0000000140000000-0x000000014017E000-memory.dmp
Filesize: 1.5MB
-
memory/3032-8-0x0000000001C00000-0x0000000001C60000-memory.dmp
Filesize: 384KB
-
memory/3032-1-0x0000000001C00000-0x0000000001C60000-memory.dmp
Filesize: 384KB