72f9381794449071c705d08a8ba6de38922ab4322215f18310ebfdc0f2a573b0

Analysis

max time kernel
81s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Size

3.2MB
MD5

e74c470f0d96f676c6c4ec5050c572a5
SHA1

be451a9c79e750f8153b0023315a3247065b6057
SHA256

72f9381794449071c705d08a8ba6de38922ab4322215f18310ebfdc0f2a573b0
SHA512

4042575dcf47e4ffd63e74a335112823875340a5c53c171aae9761637b9b6127c1b62a6c78629431aea8b0c1cdf58946814d4345f23dacb25e251f286ef4d50a
SSDEEP

49152:Y5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqy8kQ/qoLEw:+NhSMYw8yEqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
468	Process not Found
2852	alg.exe
2664	aspnet_state.exe
2188	mscorsvw.exe
2416	mscorsvw.exe
2240	mscorsvw.exe
2608	mscorsvw.exe
1964	dllhost.exe
1508	ehRecvr.exe
2276	ehsched.exe
2124	elevation_service.exe
2028	IEEtwCollector.exe
1512	GROOVE.EXE
1612	maintenanceservice.exe
2068	msdtc.exe
2516	mscorsvw.exe
1760	msiexec.exe
2576	OSE.EXE
1376	OSPPSVC.EXE
1360	perfhost.exe
1564	locator.exe
1816	snmptrap.exe
2092	vds.exe
2928	mscorsvw.exe
332	vssvc.exe
2168	wbengine.exe
1264	WmiApSrv.exe
864	mscorsvw.exe
1464	wmpnetwk.exe
2688	SearchIndexer.exe
2456	mscorsvw.exe
1424	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1760	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c43700584501ed38.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A460FDBD-01C6-4800-8EDB-C87720E1D9B6}\chrome_installer.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4CBDA95-F18B-41AD-B134-BE14F379BB37}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4CBDA95-F18B-41AD-B134-BE14F379BB37}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9A3AF2AB-6FE1-4901-8FF2-84F073FBAC52}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1088	ehRec.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: 33	2880	EhTray.exe
Token: SeIncBasePriorityPrivilege	2880	EhTray.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeDebugPrivilege	1088	ehRec.exe
Token: SeRestorePrivilege	1760	msiexec.exe
Token: SeTakeOwnershipPrivilege	1760	msiexec.exe
Token: SeSecurityPrivilege	1760	msiexec.exe
Token: 33	2880	EhTray.exe
Token: SeIncBasePriorityPrivilege	2880	EhTray.exe
Token: SeBackupPrivilege	332	vssvc.exe
Token: SeRestorePrivilege	332	vssvc.exe
Token: SeAuditPrivilege	332	vssvc.exe
Token: SeBackupPrivilege	2168	wbengine.exe
Token: SeRestorePrivilege	2168	wbengine.exe
Token: SeSecurityPrivilege	2168	wbengine.exe
Token: SeManageVolumePrivilege	2688	SearchIndexer.exe
Token: 33	2688	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2688	SearchIndexer.exe
Token: SeDebugPrivilege	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Token: SeDebugPrivilege	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Token: SeDebugPrivilege	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Token: SeDebugPrivilege	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Token: SeDebugPrivilege	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Token: 33	1464	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1464	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2880	EhTray.exe
2880	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2880	EhTray.exe
2880	EhTray.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1516	SearchProtocolHost.exe
1516	SearchProtocolHost.exe
1516	SearchProtocolHost.exe
1516	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2932	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe	28
PID 2236 wrote to memory of 2932	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe	28
PID 2236 wrote to memory of 2932	2236	2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe	28
PID 2240 wrote to memory of 2516	2240	mscorsvw.exe	45
PID 2240 wrote to memory of 2516	2240	mscorsvw.exe	45
PID 2240 wrote to memory of 2516	2240	mscorsvw.exe	45
PID 2240 wrote to memory of 2516	2240	mscorsvw.exe	45
PID 2240 wrote to memory of 2928	2240	mscorsvw.exe	53
PID 2240 wrote to memory of 2928	2240	mscorsvw.exe	53
PID 2240 wrote to memory of 2928	2240	mscorsvw.exe	53
PID 2240 wrote to memory of 2928	2240	mscorsvw.exe	53
PID 2240 wrote to memory of 864	2240	mscorsvw.exe	57
PID 2240 wrote to memory of 864	2240	mscorsvw.exe	57
PID 2240 wrote to memory of 864	2240	mscorsvw.exe	57
PID 2240 wrote to memory of 864	2240	mscorsvw.exe	57
PID 2688 wrote to memory of 1516	2688	SearchIndexer.exe	62
PID 2688 wrote to memory of 1516	2688	SearchIndexer.exe	62
PID 2688 wrote to memory of 1516	2688	SearchIndexer.exe	62
PID 2688 wrote to memory of 1612	2688	SearchIndexer.exe	63
PID 2688 wrote to memory of 1612	2688	SearchIndexer.exe	63
PID 2688 wrote to memory of 1612	2688	SearchIndexer.exe	63
PID 2240 wrote to memory of 2456	2240	mscorsvw.exe	64
PID 2240 wrote to memory of 2456	2240	mscorsvw.exe	64
PID 2240 wrote to memory of 2456	2240	mscorsvw.exe	64
PID 2240 wrote to memory of 2456	2240	mscorsvw.exe	64
PID 2240 wrote to memory of 1424	2240	mscorsvw.exe	65
PID 2240 wrote to memory of 1424	2240	mscorsvw.exe	65
PID 2240 wrote to memory of 1424	2240	mscorsvw.exe	65
PID 2240 wrote to memory of 1424	2240	mscorsvw.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x184,0x18c,0x190,0x17c,0x194,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  PID:2932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2188

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1ac -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 260 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e0 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 20c -NGENProcess 208 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 274 -NGENProcess 284 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1964

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1508

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2028

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1512

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2068

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2576

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1360

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1612
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
efb12db9818bc82232a449aa9f626a6f

SHA1
b4436e878715cce342fa9556d70fb4f174ef51be

SHA256
8880d5edea659dc1bf3b2a30f7996e8e95d2aa4de56f7d3eb135f692a28389b0

SHA512
54dd10ed33c6ac2367ef1151af6901d3735fb36142945783432ea38499900ee4bf255548562798222dcac4d8e608d0a6d3b4b352236b708e621ce9bb36c55bb0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
91b504dcd33f95ca6b1c806c112f955d

SHA1
2800143702cd231a0c9855508f1fa2dc3b5b8d5a

SHA256
76b924a06fa82ed50504ca773a2d71ad45eeac96fd87c432a4f09b7e3e68bdba

SHA512
5df60e8f9f78c79a0540dc60414b624eee85d84d77c39ee0ab680e36a14a214b5ebe5b86fe69c0f3efddc4c018e17a664f4285609e959524c7acef877b86c36a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
c60df49f439b91576471617b961e8c30

SHA1
2c50bdd09f44618f7c0fa8b3b990a65e9a574d81

SHA256
0ee9a5774a633ca78bc8ab4cfb52ef525fc24ad20576ed019441d13ac6f0d8cd

SHA512
5dff2c0b5bad516835587c071a495a7978032f8f7e773268f8b211f98ad06d0b5ee24f067f76b8c1c7acc94088a9ba6c0246f81df6f06a52eabd1e5df169a195

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
9fcfc33222fbbc2d789ea1286bcd0e63

SHA1
18c440c8f2abacd8c830c1a0f48fe09cea20ee5d

SHA256
e4ed35be53debf450f3add59938a84ee3ab0a6d779ad728702ab8e4bb91da108

SHA512
5e7ddab0314170f52d4a73525c6c56bad62dded22ec44dc98a710db7d024880b75a17263875931c55c8082eae9a555e453a3db81dade43e722871c0d41f57c10

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
25a3989b312e199015a69e0e05e4848e

SHA1
7778e503f95d9a67942ee8c052a594de92b7a8e6

SHA256
7aba094faca5cc6559bff1c84f7c7d0963de4f33e342119047cac4540f3bf5f6

SHA512
cd8715d4f27b28581d121808d2022f8d192cf722217ed1d318923b2dae3219ffa9f057df280c83095851ceb11d498656ccf5569bbfd035ab3aff392a06b595a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
536cb40577422b97fcc057ba9f436ee3

SHA1
2944a81257c6240cf3ed4997de2e06649a7587c1

SHA256
6de193a5159909a52b4d4524f1f746c714ae5a1fd74eac056d1631aa077c84e2

SHA512
c0866af63006c952a0a79dcdff00f7ba55306e61226ff6c8444c47de4cbad3a2c38e02baff60d8ddd4b57bb1cb022085cb6ed3aecd78ab4df29301ac68c27ad7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
bd1be06716202f0febbf3ced94efe802

SHA1
4078f649706ac892e14dddd9d18bbfc08d8ee9d5

SHA256
22d60576a459b605cfc115b2b53563abc31cae1248751ec76355248f71aa226d

SHA512
d8a41bc0a24b08e48dde008825f0137526b45426e6ad28b8ced3aa3e723117aebc6518f0886d9b0580005be2485eba181c50e22606ee5e86c2616a9706226279

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
479086f8e95914382af5f2fe653c6870

SHA1
c7aac4c89ccb2447aadb755d549805fa73da9812

SHA256
00b5a62d2ed2b629ef27b7916e051219ca615a15b6cc6628ed5b964c2a02d40c

SHA512
7aef6f8837e5a7db6fd6eb0b4550282b314f0370fa66abe0e2a26ff0af262a183ed6896bb7d26c4ab63b603bd4ccbded112042bc641f1b51188f6b6d25151b7a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
7152685a6dc22fe40512b0cfea0a0703

SHA1
46dc083900a73af9d426540ce71622add6ad289b

SHA256
18084dc7043d26d028fb7caabda69f43d52a6757246cd5e434c5acdd4df5abf9

SHA512
866d72ccb3e2f8c8c3ec4b6c30e9e1faf9a37c692ca1bdd1c66b990ecbf97f5b48164827ee46bc05c8f0dc54c62dd52e8056fe6755849e5ceca527aadb934128

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
95c9e91b4ed5e924aef7cfcee603fb1f

SHA1
8199d930764453c1b9f6b5d6022f6c7d99769c28

SHA256
144ff600834bc4473f1133b0b3f8e9ef2e7b41d06d2493290fa630e75f294215

SHA512
abdba79f0a80952dc2777fb8e04ec22a9940a753b0e6abd692e8c878c18ab7794b43ca876eae1f59cbe7a55d05c5e92eabaab2f4b1e675abe8b4ee15a03a52ac

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
40077e58c61fad92519e140e0dc34022

SHA1
2cce66177530344f88e37eb84f0043be701bf444

SHA256
6e3868949a3dc1443296f14a96c93c58e3b50bfc4b177f37ac0b233ed8baa1f0

SHA512
20e5128d8533a27568aacd900a58a947cbbce92dbd1bac8dce44871d1f7edb57b8d303c21c1b9945e386bb42265c48ed32347b3f4b275e0dd835c30eab2f662f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
02290a1a859b861365a5a6323ecb602f

SHA1
c0df70622fe2436c9009d78a443ea3e357a7e299

SHA256
5a7d63c93a4c3391539c0ef5cfc1e06b66613d0b111531f7b2f09e465377b32b

SHA512
18e1e6f5cd81965dc7e4fa0c85d0bbf01d04d308faaadbc3b8ac635e311615b5ca22c4f024578ef3208cc8105c7a04dfa7f790813c335f9f62389a11b7a9aaf0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
30f24491f3829d22daf1e41456ffa5ef

SHA1
df354ad26fc785e32ebad8d80aaafce0cfe3b0ec

SHA256
37d03907d5aeee3e5b56df044e50089e08ed9dcb45148c3490e327e34247f03c

SHA512
569a47502edf1628d50a2271309ffff4923e6c139df81f7f861ffe0a4b50efc105d9c5d8a25d21efbeb97dd6612917a68203a67ec3b8665b11c401dc2e274ad7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
151993b98cdc2fb00be3af4135d4b28e

SHA1
de83e372465138d227de436ac1d0cfe0da5b220d

SHA256
23a62b4750b131cf4fcde50d42f3a0d037565dd5e9f074e3659d49aad80f2b09

SHA512
e1a3a07b3543bb6a7f1d276daeb2207d9fc9476276fb831b14c7d877672f21a40fe0b204102401505924444afce39202177eba7a1b666a2a4fc83da29035c8a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bb4717a8d77db0ab5edffbc48b5daede

SHA1
161daf0b4d5d6f3afac31f3b75a8192c3f685726

SHA256
716f7868473de80129d73a1c444fec678666a2997ca7ebc1e5f5f927443719c9

SHA512
1b8adfdaa25ed5c11bfa80a220f3e0f49ce3188372bc87e1db2fcd5964d5fb5a6aa2e34c867b16122374779981ef905db046f4a7501187584b5a9b85a8dd192e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
eb499fb46c5ea5db032c36910f0844a8

SHA1
edf35e1ffa556194aa9672d9da6e69a914d6e4b4

SHA256
049303036f6432b20bc8c25ad1c9f7933b6f63bc3b78d7c84d89d6aee98af5f8

SHA512
e8ab2832a41a8708002b419a42740de691ae7c726d23bd6eda6cad7c35628218b6a7b1dabcb24d5448130c976420c08daa615174f1283cc850d38a8305dcabe9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
38584cbdba3c682513f3d09c5520e27d

SHA1
027afd343b265d1cba2c7672dd22056c3d23e4a0

SHA256
489766ff6e667f12fe7ac261dcade87c1c53b9a418eb26b9237905a13a114d9f

SHA512
3db8e11d9ecaf2c631bc723c56811e1c01702037df2922f2abbadbf95baf30223f50f7a92c3903cefdaffb1ec806326f7288ca9118b1a49e4698b4693ed8d160

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
ad69fd37684dbc5e9f80bb16db3eeda2

SHA1
4c33f6398779ee890b41f7a50571074c87ec8472

SHA256
e8c1cc5f4320cdae04c5a0f7f74c354fe5bbdb77db74d90f49f887ee26f6a0ce

SHA512
a31a44f360e134ae4dcdbdc6c9cc8a6ca60384c1ef2d7e7f9d36ddb7c6200d52177f7c47f430355c3dbf651de6536dc7c71d2a21e8f69652664aefe1010bc5d9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
b89e73dfa667aa3312258980f160e2cb

SHA1
9dc9d904044b1ae202c8058e242db032fa5a9583

SHA256
910447f2e50b0b7b5bd0def0fdb6985ae996efbed567449883724d4877f22033

SHA512
c03ff935e7aa89a6ec674eabb7c64d4938f152ddc5a9e3e84e0cbacfd5d2b2d2b9bbcac03df90f35a5bb161d958440dd630342f8d79bdb18b48861ca47b068a1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
549b4e8cc4fcd61332eb9bb1802ea339

SHA1
7d485de009d8d8380f039454eb58647a25186b70

SHA256
bc68c63bc6042f00b729090bf28afa5a275e775bd5c2702b13009413325edd53

SHA512
6bb0216f5ace70e9930d1bef8717f51cc1a8f110fdd5309adc10bb34178f102fb89e29cb4f62cb4647fea69a8fc1ad73cd3b47cef149916b32f9ca4ecd1aec6e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
e39fb6c041e531abc5e109c9eefab12f

SHA1
76f83217bf54dd8c8d74b77c2147c9aa4e98c9ce

SHA256
140a369365d4e081de3dd9f957e08406408025f2cf115a0ae272a3ec1d5f5539

SHA512
85f8a9e1e4794558db12683f9d2e30a3fbdf5c8eb1b2a4c95f7b9ab68d62d963057f05f3f8824cd6db46be733947cebec77e20d68b883b4eb4d91c0df51b040c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
c036866dff63917362728e60d7639e14

SHA1
09849f4e0fc85eb95003c63d10257429eec720aa

SHA256
fd6d0aafb303df5a6876cc510c70395318ace45d5304d63f5dbe44d8589d4304

SHA512
d3588fea853f7f1328fb4d1e3a4241458fd97e3f217ca067a2541b199f07948453b935576385be5459679e1388585c0c25a9abed889e514751ef838eca7e8839

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
28530ed362b1de93d77dde9a46654f32

SHA1
20a22bdfa042440195bcecf4a014f45d4619f85c

SHA256
49ba15bcf6f7c0bfcba150987103d11fe4d821a643240a828ee1f7219ffbf897

SHA512
ed6e137355f7d6376ad3ea5887a1916e6aa67e095a5ef7a7d61977d159cd75917d091bd371cd3867df406cdc07b84b5397a1817fa454200db7bec204b3d9588d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
1af122823c4c68786087d5e3b4316759

SHA1
6049ffe80a74c5861aa17f3d4b6abf61b13b1bdd

SHA256
3b8ba4fb166d3dc886054754472dfa7c68189b9b699ad63431d89c1b2d92ea3b

SHA512
76fdd3c6d99a9e6a20079f0ea64a2299c93ffb1593b8a92f8168574aaaea2d697950d9cefd3c2a3d8d7e0cdee5323af4c0c722114cc535aafb284a71451860b4

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
08c28bcb03d21404e866300f3a3e1f32

SHA1
e75d37805253d09abf04a24e726f040479c8efec

SHA256
73b3c724e5701cf8b8e6a09ee9b40095ebac786ea3e8bdfa838a8984f6384e20

SHA512
b2f227f1daf86944ff19505e6e27442885b7820de45b03cce82f05a54e7ac2904d5029f16ce5885caaca2d5a5f58142bafe3e8a81e6dc6ddac459c1214d2c5d2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
0e27607ebd4b84a5cd5594adab1d1aa2

SHA1
5c1047f36a8a64b1083550ad01f99153ad27ebe8

SHA256
778471687ee61d9d3c034a7f4bef97073d2d46b9eba8a63d87fa961fecf8cbf7

SHA512
7379064eec72f7dbaddbc11c558e923ba61a2e965a2936465a60f3ee5c46ee50989330f8f57ad8b926d11be824ddd5776f709e67463b7a263610105f0e49c5c1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
142798d81c18c1ee304c516003ab1495

SHA1
685c309f4c7a49e4c06dae9440f767aeafd036e0

SHA256
0bebc39fd207b981fb40233e6d318687f218120990ca066a53b82ef161dc6dcc

SHA512
168d0ae36efd60a7a9880111d82b70480cc415f294f224c762d5fa2881fe590937dc860be6d63151078e748d13097346973fbf744ccc406a24c9feaeabb7e6bd

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
020340cc1a79890f82e6ffa5f316e22d

SHA1
9f7232f2376c582280017258e5b8965a1d61ca2c

SHA256
52c1c3020c84924c42007ed2cc1f600630c673a0a7a93fc9576aaa3d6dcc7a19

SHA512
e5b223fd4d6a98b4559bc8d569e7d1faa84311f45b15ae04f1bb40fd35a1396520de7e0ed28d69482203d18496ce077cfee9d18a58e9d78553f88523d069f94a

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
ca1d9ef0406cf43938c008851c19e1f6

SHA1
58575a05ab82a8456417bb9652c82376c84a93d2

SHA256
d95eb52eeaa2e389d3f069ccfc24da9cef570b203856cdfc6424ad220e399f9b

SHA512
8a3e40b07680a83668d0a3118b4eee7aad844198f034d2fe845520d47fa02c93c3639872f9fa93442f4881495b223f9024aedaa6c7139d12818eaa7867011c1c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
545eb59279cd7a510f182a89a58ac19d

SHA1
2c43d3965fb338b1b164679471f059f85042b585

SHA256
f5127e42d082c8dfbb69fa6338c6fae483ab4a0a8a3c58272d3e4d7623a4d0df

SHA512
bc6b599be09c207592392d94b73ced0ad0a42288a77a32885904652ea6a870f18cd534c45a86ad7a522e04b812d1680dae87dd7946048210b6f9abd6c42bb0f9

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
573ad10d826fbe6f22ba82c2d211d8e7

SHA1
ae4c0c5873a8d9329400242aaa1e0c3496646a3a

SHA256
3d937207877df8917a015b4a37fc21c738e8dfd88c9f64fdf3a4c32109b8dfc0

SHA512
a592b3443e6fdac6f4b66cf11da9a6c3712671dd5d272c32fc445e7d4b0647997a22943357ca24e849dd6e47305986a9f4a714fffbbc371cd3527005af2df15f

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
1d0823fbb73ed8629779643697d1f7e0

SHA1
5f0b857df9ebe28db98186b14a5c8342ab2a9082

SHA256
96db69f09832e69b319d9877d4a1119f336a2bd28170ed8de7aeb276c733211c

SHA512
94fd2e0d75ca7c3557bc41ccb709b5b34336e27d60bc1eceddb93fa8ee8c026fbad471509660328921cb0ea90e813856635a42c3206cab2df5c02a189947dfdc

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
69dd0355ff2afd3301ae9b88f4610ac6

SHA1
2b09d24e3374a1fbd7eb7f718a000217e7b7395e

SHA256
1cc5a27cc9a5af51e17f90b359b5f4f4f1c06725996f2d7e2dc84b71048c68f4

SHA512
62109eb329110947d20c5b3e1be240cf2864b8df09b490e2b17f0cd261e23ff75a1d2d1efef664c459694a3bb0ac5dc1dbb28beb18d87ae0c537b18f482fe533

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
88816718983f2bd7a9c608c852feb301

SHA1
7215fa8ac8e997457b7f67f864c87cc141a1dad3

SHA256
ddc25806a6beaf3227b86479d60b8e4d6ed4a1e78bba717526eb443bc9c39fa1

SHA512
dd63fad819c6ea668fe3901a950dc41c49452aca967ffd14e62d01489a35ed00bf9793cc9f83ed8ee410816265a7d8551c5499ac0cf415b3ec3a6e3f33a76b21

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
d04cd2641680ce5032a2a59199d3bb71

SHA1
2d62c1347c0a46699d300429a9e3388f69bdf08d

SHA256
c431e858f73e4c0fecdb532f995c3ef1e485c124e0bf6faff687f06abf95c582

SHA512
f4fcca129374b118fa30decbbd61039a2931629e59ffa5f69337c4a2013e149e214f88715e7d7674c7193bb185c53fccdca23a6c746de1d160f13c4215314b1e

Download Submit
memory/1088-271-0x0000000000A10000-0x0000000000A90000-memory.dmp

Filesize
512KB

Download
memory/1088-244-0x000007FEF42F0000-0x000007FEF4C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1088-185-0x0000000000A10000-0x0000000000A90000-memory.dmp

Filesize
512KB

Download
memory/1088-261-0x000007FEF42F0000-0x000007FEF4C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1088-190-0x000007FEF42F0000-0x000007FEF4C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1088-255-0x0000000000A10000-0x0000000000A90000-memory.dmp

Filesize
512KB

Download
memory/1088-183-0x000007FEF42F0000-0x000007FEF4C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1360-363-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1376-362-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1376-361-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1508-142-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1508-135-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1508-156-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1508-201-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1508-217-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1512-268-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1512-203-0x0000000000920000-0x0000000000986000-memory.dmp

Filesize
408KB

Download
memory/1512-198-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1612-209-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1612-219-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1612-252-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1612-251-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1760-257-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1760-269-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1760-263-0x0000000000530000-0x00000000005E2000-memory.dmp

Filesize
712KB

Download
memory/1964-119-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1964-188-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1964-127-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1964-117-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2028-246-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2028-191-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2028-186-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2068-247-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2068-227-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2124-165-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2124-173-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2124-239-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2188-46-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2188-114-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2188-47-0x0000000000540000-0x00000000005A6000-memory.dmp

Filesize
408KB

Download
memory/2188-52-0x0000000000540000-0x00000000005A6000-memory.dmp

Filesize
408KB

Download
memory/2236-0-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2236-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2236-7-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2236-8-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2236-13-0x0000000002860000-0x0000000002B9D000-memory.dmp

Filesize
3.2MB

Download
memory/2236-68-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2236-84-0x0000000002860000-0x0000000002B9D000-memory.dmp

Filesize
3.2MB

Download
memory/2240-77-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-78-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2240-159-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-83-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2276-160-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2276-216-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2276-147-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2416-67-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2416-130-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2416-60-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2416-61-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2516-230-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2516-359-0x0000000072CF0000-0x00000000733DE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-242-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2576-274-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2576-283-0x0000000000430000-0x0000000000496000-memory.dmp

Filesize
408KB

Download
memory/2608-102-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2608-103-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2608-172-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2608-94-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2608-97-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2664-36-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2664-35-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2664-118-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2664-42-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2852-29-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2852-22-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2852-21-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2852-95-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2932-16-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2932-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download