60615c93de7f9acf8297cbd5e3b632f3a776d50cd1189e5d4c3df886c89d6540

Analysis

max time kernel
121s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
Size

1.1MB
MD5

3adb8aafc9a212580469a176827d3fcf
SHA1

0749309028cdbb5caef4f61db05facd2caf2cfd9
SHA256

60615c93de7f9acf8297cbd5e3b632f3a776d50cd1189e5d4c3df886c89d6540
SHA512

fb58dca09227a51df38195a58c6e04b88f47a092bf86536a3b79f80fbc202d78fe9b7ecf15f565f1a7c685dbf2c56c6a255925d080580612f0073af5fb657e0e
SSDEEP

24576:MSi1SoCU5qJSr1eWPSCsP0MugC6eTC3taqRLJoJCjkliTwQ9Ctw7cmVr+EucFc:kS7PLjeTgaqxvwYTV9CtsFTFc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 59 IoCs

pid	Process
468	Process not Found
2680	alg.exe
2756	aspnet_state.exe
2452	mscorsvw.exe
2932	mscorsvw.exe
796	mscorsvw.exe
2804	mscorsvw.exe
1700	ehRecvr.exe
924	ehsched.exe
1780	elevation_service.exe
2112	mscorsvw.exe
2976	mscorsvw.exe
1996	mscorsvw.exe
1732	mscorsvw.exe
2772	mscorsvw.exe
2456	mscorsvw.exe
276	mscorsvw.exe
1608	dllhost.exe
2128	mscorsvw.exe
2468	GROOVE.EXE
1560	maintenanceservice.exe
960	OSE.EXE
2244	OSPPSVC.EXE
2620	mscorsvw.exe
2968	mscorsvw.exe
2388	mscorsvw.exe
2272	mscorsvw.exe
1752	mscorsvw.exe
2376	mscorsvw.exe
856	mscorsvw.exe
1648	mscorsvw.exe
1056	mscorsvw.exe
1532	mscorsvw.exe
2260	mscorsvw.exe
2152	mscorsvw.exe
2272	mscorsvw.exe
1144	mscorsvw.exe
1732	mscorsvw.exe
2728	mscorsvw.exe
1192	mscorsvw.exe
1288	mscorsvw.exe
2928	mscorsvw.exe
1664	IEEtwCollector.exe
2524	mscorsvw.exe
1232	mscorsvw.exe
1960	msdtc.exe
2512	msiexec.exe
2532	perfhost.exe
1344	locator.exe
1480	snmptrap.exe
2148	vds.exe
1000	vssvc.exe
880	mscorsvw.exe
1080	wbengine.exe
1936	WmiApSrv.exe
1648	wmpnetwk.exe
2160	SearchIndexer.exe
2440	mscorsvw.exe
1192	mscorsvw.exe

Loads dropped DLL 17 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2512	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
744	Process not Found
2440	mscorsvw.exe
2440	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\543364739b392089.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8F667C15-4E24-4F22-BF01-64DBEE5FD5DD}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPABA.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8F667C15-4E24-4F22-BF01-64DBEE5FD5DD}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{73375BFC-7D76-4989-BB8E-AC9923A9CB05}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{73375BFC-7D76-4989-BB8E-AC9923A9CB05}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3028	ehRec.exe
2756	aspnet_state.exe
2756	aspnet_state.exe
2756	aspnet_state.exe
2756	aspnet_state.exe
2756	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1184	2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
Token: SeShutdownPrivilege	796	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: 33	1268	EhTray.exe
Token: SeIncBasePriorityPrivilege	1268	EhTray.exe
Token: SeDebugPrivilege	3028	ehRec.exe
Token: SeShutdownPrivilege	796	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: 33	1268	EhTray.exe
Token: SeIncBasePriorityPrivilege	1268	EhTray.exe
Token: SeShutdownPrivilege	796	mscorsvw.exe
Token: SeShutdownPrivilege	796	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeDebugPrivilege	2680	alg.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	796	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2756	aspnet_state.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeRestorePrivilege	2512	msiexec.exe
Token: SeTakeOwnershipPrivilege	2512	msiexec.exe
Token: SeSecurityPrivilege	2512	msiexec.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeBackupPrivilege	1000	vssvc.exe
Token: SeRestorePrivilege	1000	vssvc.exe
Token: SeAuditPrivilege	1000	vssvc.exe
Token: SeBackupPrivilege	1080	wbengine.exe
Token: SeRestorePrivilege	1080	wbengine.exe
Token: SeSecurityPrivilege	1080	wbengine.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeDebugPrivilege	2756	aspnet_state.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: 33	1648	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1648	wmpnetwk.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	EhTray.exe
1268	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1268	EhTray.exe
1268	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2112	2804	mscorsvw.exe	39
PID 2804 wrote to memory of 2112	2804	mscorsvw.exe	39
PID 2804 wrote to memory of 2112	2804	mscorsvw.exe	39
PID 2804 wrote to memory of 2976	2804	mscorsvw.exe	40
PID 2804 wrote to memory of 2976	2804	mscorsvw.exe	40
PID 2804 wrote to memory of 2976	2804	mscorsvw.exe	40
PID 796 wrote to memory of 1996	796	mscorsvw.exe	41
PID 796 wrote to memory of 1996	796	mscorsvw.exe	41
PID 796 wrote to memory of 1996	796	mscorsvw.exe	41
PID 796 wrote to memory of 1996	796	mscorsvw.exe	41
PID 796 wrote to memory of 1732	796	mscorsvw.exe	42
PID 796 wrote to memory of 1732	796	mscorsvw.exe	42
PID 796 wrote to memory of 1732	796	mscorsvw.exe	42
PID 796 wrote to memory of 1732	796	mscorsvw.exe	42
PID 796 wrote to memory of 2772	796	mscorsvw.exe	43
PID 796 wrote to memory of 2772	796	mscorsvw.exe	43
PID 796 wrote to memory of 2772	796	mscorsvw.exe	43
PID 796 wrote to memory of 2772	796	mscorsvw.exe	43
PID 796 wrote to memory of 2456	796	mscorsvw.exe	44
PID 796 wrote to memory of 2456	796	mscorsvw.exe	44
PID 796 wrote to memory of 2456	796	mscorsvw.exe	44
PID 796 wrote to memory of 2456	796	mscorsvw.exe	44
PID 796 wrote to memory of 276	796	mscorsvw.exe	45
PID 796 wrote to memory of 276	796	mscorsvw.exe	45
PID 796 wrote to memory of 276	796	mscorsvw.exe	45
PID 796 wrote to memory of 276	796	mscorsvw.exe	45
PID 796 wrote to memory of 2128	796	mscorsvw.exe	47
PID 796 wrote to memory of 2128	796	mscorsvw.exe	47
PID 796 wrote to memory of 2128	796	mscorsvw.exe	47
PID 796 wrote to memory of 2128	796	mscorsvw.exe	47
PID 796 wrote to memory of 2620	796	mscorsvw.exe	52
PID 796 wrote to memory of 2620	796	mscorsvw.exe	52
PID 796 wrote to memory of 2620	796	mscorsvw.exe	52
PID 796 wrote to memory of 2620	796	mscorsvw.exe	52
PID 796 wrote to memory of 2968	796	mscorsvw.exe	53
PID 796 wrote to memory of 2968	796	mscorsvw.exe	53
PID 796 wrote to memory of 2968	796	mscorsvw.exe	53
PID 796 wrote to memory of 2968	796	mscorsvw.exe	53
PID 796 wrote to memory of 2388	796	mscorsvw.exe	54
PID 796 wrote to memory of 2388	796	mscorsvw.exe	54
PID 796 wrote to memory of 2388	796	mscorsvw.exe	54
PID 796 wrote to memory of 2388	796	mscorsvw.exe	54
PID 796 wrote to memory of 2272	796	mscorsvw.exe	55
PID 796 wrote to memory of 2272	796	mscorsvw.exe	55
PID 796 wrote to memory of 2272	796	mscorsvw.exe	55
PID 796 wrote to memory of 2272	796	mscorsvw.exe	55
PID 796 wrote to memory of 1752	796	mscorsvw.exe	57
PID 796 wrote to memory of 1752	796	mscorsvw.exe	57
PID 796 wrote to memory of 1752	796	mscorsvw.exe	57
PID 796 wrote to memory of 1752	796	mscorsvw.exe	57
PID 796 wrote to memory of 2376	796	mscorsvw.exe	59
PID 796 wrote to memory of 2376	796	mscorsvw.exe	59
PID 796 wrote to memory of 2376	796	mscorsvw.exe	59
PID 796 wrote to memory of 2376	796	mscorsvw.exe	59
PID 796 wrote to memory of 856	796	mscorsvw.exe	60
PID 796 wrote to memory of 856	796	mscorsvw.exe	60
PID 796 wrote to memory of 856	796	mscorsvw.exe	60
PID 796 wrote to memory of 856	796	mscorsvw.exe	60
PID 796 wrote to memory of 1648	796	mscorsvw.exe	61
PID 796 wrote to memory of 1648	796	mscorsvw.exe	61
PID 796 wrote to memory of 1648	796	mscorsvw.exe	61
PID 796 wrote to memory of 1648	796	mscorsvw.exe	61
PID 796 wrote to memory of 1056	796	mscorsvw.exe	62
PID 796 wrote to memory of 1056	796	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_3adb8aafc9a212580469a176827d3fcf_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2452

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 250 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 1d8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 244 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 290 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 244 -NGENProcess 184 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 184 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 29c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 184 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a0 -NGENProcess 274 -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 244 -NGENProcess 29c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1bc -NGENProcess 1c8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 25c -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 1bc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 260 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 234 -NGENProcess 250 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1700

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:924

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1608

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1560

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:960

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2244

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
838fe79c24de73e7bfdd0c0d0b4c23c1

SHA1
3abb931e5dd763e4d50ef08c53493142a99e4318

SHA256
bcb8d7c1b0f8b9cb9aea4dcdc63e6ce5fccc24402490ab3a37d123b76cdb6198

SHA512
cf432eee63905d5de52e5773c9eb500a47a25ed7403a7d282f6c65415b43976b810b1934ff30ac71c6039f3f69727ced61e0ed21cd41c5884640cbc0c50b597e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
10.2MB

MD5
7698eff5fc7568b9f0552a4dce9ec733

SHA1
835e714c93ffbdac16b0651cb1cb63cb560a4868

SHA256
a02dca69e170369301aab21c14d572688c691292efe816b80f71ef6b00f2d34d

SHA512
83cb3b15d742c439bbf063e6e39c39054fb55c0ff575e852f89e5580d54705a7a62a6b0ea09b7d12b94e6a58c8edb2dcc0b9d6060803d1755afbf4f997cd1029

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
490b57d0df3a85240d5dbceaf928073a

SHA1
f36fce73891fba3978043dd9df6fa12795c30b0b

SHA256
deb77698f4ddd284733a162c46ff95ce30b21da39c559e38fefaabaa6cffdb91

SHA512
5a4333cae5b6366e529b4656091486c526ceaea96ac2cfe4404ba5b93f7da4ebe704f6be42d6e4e363c86ef45b72b07c912701e78274ded93a78d51e77fc285d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.8MB

MD5
bd51a6f670cec81ae7a023ab3ec5d16f

SHA1
cc801238adc771722db9b9699f35b33ad4952377

SHA256
fae956d199c2bda03976695442c4dcb4b502de50fbb660773316ec34fc85e93f

SHA512
81ddeba3214628077707e8c76b99bbe99d6c59055792af4fc390095b7842bb2cdb4dfe6c14048b98939063b29f0fa102c1e09c5800fd3c774cffad65970ccfad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9397c9e38a75c93f2dcf092ec37e538c

SHA1
49735ccdaa99eebcfd1eb1cbe793a8ec521a149d

SHA256
0df8bc9738ebb65ae8991510753101e19df30dc34c94edc7ec043f7e1902b31e

SHA512
ed302c3082c59520fcb360ce18cc1ceadcb452cc930d7a3047595381625c8f156cfcdaebb9234cf547cb4147e16902adb643444639475808009c73761c7b2abd

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d188724ee0be60e7e60318789d7614a6

SHA1
7c9df52b8f66bc6b4bf22061d3144435fdcf47c1

SHA256
c95534d227f8d5a2e8ed8c8bfeed1ad65c8b696576223a32ce9fb650e5e47f18

SHA512
40b71d542a6eca343bc40ba806f7f6a1ba451f4debaa372e4707fa9efd2944a2b494b58e0b9bb6ca5764144d62c3da0bddb18d3ea60c41a079e8b09f2d49706e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
98c760fae31797b5f8bdc71752ca44fd

SHA1
c96b9732ee949377f22a2cd46a51931f135bc498

SHA256
7a9dbab2c4f85edd7a83a990f8d403be7a98d894910c90b8923996520daea12d

SHA512
329f3c06ac35d25db8e68acc6748f89b8f61d704e4368816a0e255293086d545811b42a0a254f229c92b5e37d5cc8c82269bb638f8faa264c43ad15d29ae0935

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
82ce819259617e8eb7d99349abeba28c

SHA1
887e940fa389feb42c992eb4670664cbd6c7621a

SHA256
91614dfa5820dca669cef7f8a1324af9f3d18066f9629b699613969984e29684

SHA512
18163465b2b2a3013534fd58d9ae810e5b176a754b41997fe80d9cbbcc23911e4a0dc857a76ea7e3d7f2bdc391a9cf49a83ee6c183972de3298d4fd331397272

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
b096ab5b6b8f4b48a90669b487ec86ea

SHA1
74d5ff365d69b70a46860da750db9641366f9170

SHA256
1c6d6fbd08a0c454b938a8abb54260a9cc150e9c28d313a9bde7f8c97afdfcc5

SHA512
f473e11530f924d6101b923c394b282cacad8be340e4d0954c03022840218951802d0322241a2e87ed92719ec2977fba3d1369d06be82ad5827dce468db85c06

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e6a78f050e5dd29ad050f318bc9e2264

SHA1
7150196efcd3bc04f20ec80e3a267386e6880d4d

SHA256
e2256f65c969f40f8d0e711ee861792b152f1abdd0cf63c485fa95b971fb0653

SHA512
0ccf62f4ff9b4f3448ca33c3c246631897aa0af0bda830b618051f6f19264b89293eed8aed4ca2fa52f0c97167d2e72dce356d5f23476d74555910d9db416925

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
4f377a008a3a6aed73278a16e82d8dff

SHA1
48f494fdcc7285b9378427849ce4e3c7a77551fb

SHA256
c0de8c889a270c50ffd9b07771c1c0b0ea79fff6f3e2c7f8e3288cf5f4209ede

SHA512
6f9ed86b897e16b27ef3e31ce37f2e6602a390264a75cde6bbed1e8a3dcdc9ce274a71a77662e2de165315cf723454e8159cc3340652c309bc11e08bd6429885

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
896KB

MD5
0a6a1e082a35a723f53c1097ca32edbf

SHA1
6d2f72ad048b772f215e42ababf228b3c3d92de2

SHA256
2239cdf46166694616cdedba2f452c7f6c29cea444dd4f72d449fb413cdddd8e

SHA512
17aa08d0c6a1f654ddc46a12ec858e42be26e205886487c41d2af6d0f27ca5870cf327ca097b4f6914ab4bafe75d07a2af7fe62ef4cb9fcd7b476925f434886e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
29ce7f171c63048fd289083d460c0179

SHA1
bf6d3222ddb0d1d409e8a308b6ee1817ea40e2ef

SHA256
427928a83df7464d1579151fe320494841cb2c83caa9925356d3a8d1a6f4f1ef

SHA512
7f6f27ad89767ab7c43104e565b8cb704da164c531d27070153c1c2775680577ad5be7ac3cc46c8a77b854bb907cff773aede5440a5f83efb415e6b302e2965c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
75eacc26c8734c94dde60693d6df4869

SHA1
394ee9db2554fc369bbae17332fcb5349a5a6d64

SHA256
19ad26bebc4524afd32eb3be3599d2a13118faa092f729077d221da30e5b88e0

SHA512
f7bc5d55977a1cb2de494f3a90afe3eb9e70ac910987b54d8c8a8a9218b93e8b0a34b5c520ac5bd365b0c76ec8675d90ade216e6c621442db5f3738d0cf2f4b0

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
896KB

MD5
7cae71429327dbd4a8c0c28f0aca2008

SHA1
956ea75b65a97467889a8a009f3c97ca5a35b5c4

SHA256
9a3b27f3e07d97e77c6729488d9fe47d5c590259a67093bb0009ba2804c0b62d

SHA512
98cd7d910ac0f1481bc04861884131e53946023ee591e4ff613fe4950bc2e9023f82829fb088a450be50c7d49ca649f82a9a54ff37b76298f5db5824b06c1fbc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1022KB

MD5
a804fa92f484ced5a7da6f167226a35a

SHA1
b060952366c312262a0f2feabac87c214339fe84

SHA256
d651688091f37daa33e0df007e8c5fae188c82a35063dba680b9965bea42c6f6

SHA512
b97e81fb975183268d7b0d478874478871680fd432e51fa3dac310397e55112d5082129a3d15900a6c6331fe4fa48c3d12c14a7edee9e40968cbd36512738a95

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
832KB

MD5
2d50be05805256fa40d57c7e05f3f09f

SHA1
9b3d5699ecc7fe6339bf48db5645eff18f77663a

SHA256
7ed407864f251c5e0e1ae073de9d3205d0fb906a50b0a8be144ee642da74b2d7

SHA512
41ed194a05f508ea44d11c9ede46f92eee9a61dde08fda29ea92db7223aff8dcaa7e1b840e21a5ca250d2a59f0810107b057b440d130db3df55b0fba9fdbfbf5

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d320b33297585bbd5a650d992a16a2f0

SHA1
044219c4011e9b20c4a34739a75cba19d4a7bd2f

SHA256
b8a78952f9d685cda391bd9ce915e7d53d0cfa54012adb13e43a0b8f397f2230

SHA512
a4920dabe6cde1169c0d020d9bccf6ef9562a8e1ef03bd453f989ea723e2f89a346233205ea3987a4f6b0022d7325c4db2ae2680dd23a506740406dfa426906f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
448KB

MD5
f962b161ffb07781a346e460c1a283e7

SHA1
c36f810e353ebc74e84b5e18606ee4dc5abd5d4a

SHA256
b42f723843e13974b5fc8c42a729ddf167879eed82366d8541727d871a26f409

SHA512
c2e11415f519aeea4f420df804e7fb783c79c9ada355dbb1ea6fc2ce65080c6547264343ac8ccad405587d1546a47fdef03096d2428af88d35e4684290a0ab1c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a960d8c5b3d54501c52da77eb9b9eaaa

SHA1
3120eb3bace06fe2d5a5621bfe0acb2095edd2d1

SHA256
cf04ebfa2b6e7c4cd1037ca162699b90eb575a086f08a23e389090fbb9116930

SHA512
d7c8757b6423c32151e5457c6ae934e0bcb569610bdf607ec7bb2a03081fef84dbb123b87ab92195002ead47fec27b475877a640923a4e36dda54d6ef42a6312

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
400fe52672c8d8e79d2404ee5bbcae12

SHA1
b1219c7654e56fbdde3f017d584a7316e208d631

SHA256
321db1fc95386c873df4f0a10d9a8f35b67e2dbee9c893e0b75a569d21155c08

SHA512
5d8476d6a7bd17e62557b7d1fe874bb17ac9b4cc33c9dca58e87682f596bb652b3dab56228d76b24d8b4f2bc63676983fe47b6d33c9763931632940b2f34aee6

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
495a81842dd577b18c7864c1efec7c84

SHA1
9c824f70eec9d623652abd521b4232a0e9cd166b

SHA256
fd4834518026941e366634133a67734e1667ad2aedb849882fbea0c6b29be52c

SHA512
660495bfe73e5a876f36cc3fbb298600dab6afc2fc672c66dab75327e2f750c45b40545f91831e472f65072ca7a9d1b44bdd71ee2e36e11f16fa6537bba89efc

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
83c906e35bc80fe5fbcca587bc948acb

SHA1
dedd09024e1207d9c323d6c77361af21cc8c63e0

SHA256
8483dcb95c49cf385182b4e03153560f8da2cfc165b2a79f12b076d02ff120ff

SHA512
5995bbbcfcec835c8c1001e520f7ea184ebe7616a8cfc2e62a94beeaaf22cfadc1982ff628f0106e6122fa56b7dcca98ea78dcd6be93034476f37eb9a63f4bad

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
286463a90e7c80099f0ba599236c24d7

SHA1
82010ce447064069933a18255da8484978d40d1e

SHA256
c63027d72d617b779aa5efea7322530f9ee30828779b834296f338474128ceab

SHA512
2b5312cd0a90d07ca288cd8580a7505647025c4aba5357070ba01948efd0d54c4d00eda96de1766220abaf1a938d470c6ec2070cb64c81f3bc67b62565a559e6

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e5a2639dcfb8d3651f467edd58d308f1

SHA1
6c2dbfd109d53b59655d688697cfdfa1286f3d6e

SHA256
c7958e97c1677fc440136e99b2e99d9276cf456fef21705b2ac04b85e31d7abd

SHA512
af1b583f94746c835348494279959c853e948344851cb93cf3e6270b7c38295954150abc87fbd9e5957d5ef9a8cb5c13f43ba414b934f12cd212362918d7197c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
375943f7b3cd15e863c5f37e8c491d03

SHA1
31baccfda0eb92bfc31337211319ef3f0c686081

SHA256
26709ee7cfb8b7c0263cb0bb5e1802bb0c53818fa1823471d2ef2f56c907ad4e

SHA512
75f976aec635b8f8029775fd4762010e75e3451744f30b25cb54c401834509513194b532244e1673e54e069fddd53934c14f7ec9f1e50b2cbf82160236e8ea1a

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1e9ea0fa76a38b1bf1e3ea449657acd9

SHA1
fd5a4f5efe37a6a61a146a52a916702db5815a78

SHA256
3670d76d3268be68f08d86a11f347846f98832e87e3d18ea19d5908826d6879b

SHA512
20d053cb08e7e4d4f4640fb786796d1c1364399a0274203343fa61117bf0cef50c31facea059d6e1e65ad94d699e27f7d179e3ce01eaaedc6f199dc1b285a6bb

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c4d82ba7e34ef5d7369adbf469cc0c4d

SHA1
873fa8a893243daa60d3606ed383df4691f6b479

SHA256
91d3f603ececfe9f28f180803d994ed5e57657b61ac5f9c30719eceeda1f8ba6

SHA512
67ea8e2edac72fef8fbec1496413f0279be4257e69e5d011d0e7e44f93154da4db005afe5e8056b9d42823dd0ba189c290d6c18c252abda021958513cfdf0b72

Download Submit
memory/796-60-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/796-66-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/796-131-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/796-59-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/924-162-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/924-119-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/924-111-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/1184-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1184-7-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/1184-74-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1184-139-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/1184-0-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/1184-8-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/1184-138-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1700-105-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1700-95-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1700-102-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1700-152-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1700-106-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1700-113-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1700-96-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1732-238-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1732-212-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1732-219-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1732-224-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-237-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/1780-132-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1780-133-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1780-124-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1780-125-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1780-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1996-195-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1996-209-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/1996-222-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/1996-223-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1996-203-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2112-184-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-161-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2112-183-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2112-182-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2112-154-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2452-40-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2452-55-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2456-242-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2456-248-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2680-22-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2680-94-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2680-15-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2680-14-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2680-21-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2756-28-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2756-110-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2756-29-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2756-36-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2772-227-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2772-233-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2772-239-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-253-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2772-252-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-76-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2804-75-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2804-143-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2804-83-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2932-85-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/2932-49-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/2976-206-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2976-205-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2976-204-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-187-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-186-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2976-185-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3028-145-0x0000000000290000-0x0000000000310000-memory.dmp

Filesize
512KB

Download
memory/3028-141-0x0000000000290000-0x0000000000310000-memory.dmp

Filesize
512KB

Download
memory/3028-140-0x000007FEF45B0000-0x000007FEF4F4D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-142-0x000007FEF45B0000-0x000007FEF4F4D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-208-0x000007FEF45B0000-0x000007FEF4F4D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-188-0x0000000000290000-0x0000000000310000-memory.dmp

Filesize
512KB

Download