9b64b610c493568260b981d8efbca0baadfd0b2dba81c7f9901fade5594f6675

Analysis

max time kernel
71s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Size

4.1MB
MD5

5e1985d4bb3e321dc10db63bdc2e7f20
SHA1

eb3f8c770d1962aaa9e3a5f4e6b4fefdc04948e4
SHA256

9b64b610c493568260b981d8efbca0baadfd0b2dba81c7f9901fade5594f6675
SHA512

8c14f6db79b69b03a8959cec997d67b07d70d54da5c305a4b0ca95b948e1cca9d65aae4b0eac865879c29f2f3abf874779fb0b675e1cfe94c9c3048a5bd75de2
SSDEEP

49152:F5Viqwo4KxghcyJLBaSbvviqMjfBV+TFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr90:FBfr+TFFqRlw6a+ZfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
472	Process not Found
2768	alg.exe
2448	aspnet_state.exe
592	mscorsvw.exe
2824	mscorsvw.exe
1724	mscorsvw.exe
2268	mscorsvw.exe
308	dllhost.exe
2132	ehRecvr.exe
828	ehsched.exe
616	elevation_service.exe
2212	IEEtwCollector.exe
1976	mscorsvw.exe
2652	GROOVE.EXE
2416	maintenanceservice.exe
572	mscorsvw.exe
1576	msdtc.exe
2860	msiexec.exe
1688	OSE.EXE
1732	OSPPSVC.EXE
1944	mscorsvw.exe
2380	perfhost.exe
2492	locator.exe
2868	snmptrap.exe
2416	vds.exe
1216	vssvc.exe
1836	wbengine.exe
704	WmiApSrv.exe
2572	wmpnetwk.exe
1040	SearchIndexer.exe
2500	mscorsvw.exe
2028	mscorsvw.exe
696	mscorsvw.exe
768	mscorsvw.exe
1800	mscorsvw.exe
1180	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2860	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
760	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bbc17279ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{35BB89B1-6AF7-4C51-8F0F-D91978C91B27}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{35BB89B1-6AF7-4C51-8F0F-D91978C91B27}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{7B9BEF68-6B5A-4A2A-A004-B0E15DB99E91}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{7B9BEF68-6B5A-4A2A-A004-B0E15DB99E91}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
884	ehRec.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2484	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeShutdownPrivilege	1724	mscorsvw.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: SeShutdownPrivilege	1724	mscorsvw.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: 33	1076	EhTray.exe
Token: SeIncBasePriorityPrivilege	1076	EhTray.exe
Token: SeShutdownPrivilege	1724	mscorsvw.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: SeShutdownPrivilege	1724	mscorsvw.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: SeDebugPrivilege	884	ehRec.exe
Token: SeRestorePrivilege	2860	msiexec.exe
Token: SeTakeOwnershipPrivilege	2860	msiexec.exe
Token: SeSecurityPrivilege	2860	msiexec.exe
Token: 33	1076	EhTray.exe
Token: SeIncBasePriorityPrivilege	1076	EhTray.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: SeBackupPrivilege	1216	vssvc.exe
Token: SeRestorePrivilege	1216	vssvc.exe
Token: SeAuditPrivilege	1216	vssvc.exe
Token: SeBackupPrivilege	1836	wbengine.exe
Token: SeRestorePrivilege	1836	wbengine.exe
Token: SeSecurityPrivilege	1836	wbengine.exe
Token: SeManageVolumePrivilege	1040	SearchIndexer.exe
Token: 33	1040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1040	SearchIndexer.exe
Token: 33	2572	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2572	wmpnetwk.exe
Token: SeDebugPrivilege	2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	2940	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1076	EhTray.exe
1076	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1076	EhTray.exe
1076	EhTray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2252	SearchProtocolHost.exe
2252	SearchProtocolHost.exe
2252	SearchProtocolHost.exe
2252	SearchProtocolHost.exe
2252	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2940	2484	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	28
PID 2484 wrote to memory of 2940	2484	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	28
PID 2484 wrote to memory of 2940	2484	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	28
PID 2484 wrote to memory of 2728	2484	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	30
PID 2484 wrote to memory of 2728	2484	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	30
PID 2484 wrote to memory of 2728	2484	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	30
PID 2268 wrote to memory of 1976	2268	mscorsvw.exe	43
PID 2268 wrote to memory of 1976	2268	mscorsvw.exe	43
PID 2268 wrote to memory of 1976	2268	mscorsvw.exe	43
PID 2268 wrote to memory of 572	2268	mscorsvw.exe	46
PID 2268 wrote to memory of 572	2268	mscorsvw.exe	46
PID 2268 wrote to memory of 572	2268	mscorsvw.exe	46
PID 1724 wrote to memory of 1944	1724	mscorsvw.exe	51
PID 1724 wrote to memory of 1944	1724	mscorsvw.exe	51
PID 1724 wrote to memory of 1944	1724	mscorsvw.exe	51
PID 1724 wrote to memory of 1944	1724	mscorsvw.exe	51
PID 1724 wrote to memory of 2500	1724	mscorsvw.exe	63
PID 1724 wrote to memory of 2500	1724	mscorsvw.exe	63
PID 1724 wrote to memory of 2500	1724	mscorsvw.exe	63
PID 1724 wrote to memory of 2500	1724	mscorsvw.exe	63
PID 1040 wrote to memory of 2252	1040	SearchIndexer.exe	64
PID 1040 wrote to memory of 2252	1040	SearchIndexer.exe	64
PID 1040 wrote to memory of 2252	1040	SearchIndexer.exe	64
PID 1724 wrote to memory of 2028	1724	mscorsvw.exe	65
PID 1724 wrote to memory of 2028	1724	mscorsvw.exe	65
PID 1724 wrote to memory of 2028	1724	mscorsvw.exe	65
PID 1724 wrote to memory of 2028	1724	mscorsvw.exe	65
PID 1724 wrote to memory of 696	1724	mscorsvw.exe	66
PID 1724 wrote to memory of 696	1724	mscorsvw.exe	66
PID 1724 wrote to memory of 696	1724	mscorsvw.exe	66
PID 1724 wrote to memory of 696	1724	mscorsvw.exe	66
PID 1724 wrote to memory of 768	1724	mscorsvw.exe	67
PID 1724 wrote to memory of 768	1724	mscorsvw.exe	67
PID 1724 wrote to memory of 768	1724	mscorsvw.exe	67
PID 1724 wrote to memory of 768	1724	mscorsvw.exe	67
PID 1040 wrote to memory of 1184	1040	SearchIndexer.exe	68
PID 1040 wrote to memory of 1184	1040	SearchIndexer.exe	68
PID 1040 wrote to memory of 1184	1040	SearchIndexer.exe	68
PID 1724 wrote to memory of 1800	1724	mscorsvw.exe	69
PID 1724 wrote to memory of 1800	1724	mscorsvw.exe	69
PID 1724 wrote to memory of 1800	1724	mscorsvw.exe	69
PID 1724 wrote to memory of 1800	1724	mscorsvw.exe	69
PID 1724 wrote to memory of 1180	1724	mscorsvw.exe	70
PID 1724 wrote to memory of 1180	1724	mscorsvw.exe	70
PID 1724 wrote to memory of 1180	1724	mscorsvw.exe	70
PID 1724 wrote to memory of 1180	1724	mscorsvw.exe	70
PID 1040 wrote to memory of 2188	1040	SearchIndexer.exe	71
PID 1040 wrote to memory of 2188	1040	SearchIndexer.exe	71
PID 1040 wrote to memory of 2188	1040	SearchIndexer.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x134,0x15c,0x160,0x158,0x164,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2484" "448"
  2⤵
  PID:2728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:592

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 258 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1f4 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 278 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 1f4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 188 -InterruptEvent 284 -NGENProcess 20c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 28c -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 240 -NGENProcess 1d0 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:308

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2132

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1076

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:616

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2212

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2652

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:704

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
fa0018321d85aed56d337c8b44788b71

SHA1
ddd2e020267030f6ed5f0120137f7f8bb7f25b20

SHA256
4bc9485314425b4d26a76726dfe04daa1e7517f21e784c5545af7849ed645a79

SHA512
baec901bb9fabe75c7512f590e871b9f737374cf8e5f825f89db8a253d8171e7243daebef6c6ee8884a551bb08a126bb895cb85da7bdb0d9606a4e37c3b0b3ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
2e9aedbd3bda2023b55012202aa9b41d

SHA1
1b016265d3a8d324f2408c0ea6f32a996c00cccc

SHA256
909c72d6ae411693d31a56dc97692acd0b61444ca5ac2955874919a64b3feea1

SHA512
ae795165e2eda588311d35fb7b6170ebb4392fddcf244f5b3282b22cc0114281dc901b513e25194932e2b013563657022bc38f5987d8952f4f1387213ab2c207

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0ad1fe00f8a37ad757f4ef414e61f533

SHA1
f14a02e231ad3b95f194f9846bbd7a8b25f9c6a6

SHA256
b79f090c2c21b08fb1e4e334ee31f45c4ec4b816aedc83c300b363c499545e83

SHA512
fb3940d4088e5576ec17111631d99f8040f3bc5e9b2d9959393bede996cbd310a5e8cf6cee6507d354c454b6d05cedc095e0a71cfe7da87970df01c6559246fb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
042f19b4dbda1a67cb958f32d8171770

SHA1
f700b5088fdeed4574375c1f1edda794b7a1cab9

SHA256
757b75da36f6cabf9baa234b454824d89191ce7c99f97d1feb506ca3e94ab7e9

SHA512
9fa395893b6c383054cb2d55707da44a62e8468e9c917ad7d5528396620b7c24b575b6594169ba90cf365e08f86a0d18388bf0942e97b54a53f11e7bcc50e663

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d722574b1c630385ac85057e66ff83aa

SHA1
32de91ceb14581f6a0795409d9b65e84d49b9376

SHA256
721fa2601908b1bc8d08e35d7210964b9339e843f14fbdc626e39d02810b7afb

SHA512
777100a6e218326c1570d6f9102e2afd5a6b4ba880ed903db187d7daaf476677c4bf4ab4a4f568b69f504aa742877bb511a36938c6672bbadfca7f6c18e430e7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
41d729a20604aa6d06660b3880f9e7c9

SHA1
8cf5f5f90909ae1abca455d717af7f5d20acb9cb

SHA256
2e97b0fa7ba34bc592c97c46bb60cf4d189427cc8d05de320ed15a58486e368c

SHA512
0e159b33d0677f1324aa24335d73ad74b269bd17242bb97c0aedd85b1d740b2e4152f0ab67fa0884595ff6676651652422db802277af8502378f44ce5479ac71

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32a3b1da505b7c0a39f267729d7b505a

SHA1
c63074c84128afd26a1fedf7f9dcd5423e4e6c2b

SHA256
20ad6084d85e0849e7fbf58d029f65930f802ebdec2904d295a6775af9a2db6b

SHA512
d22ff2faae4feceaeab1a16544490e68d2bc4e1b6d9319071fdc0eeabf892c4c9d9480a1c774599c3e5760f87b5d49e693528ec2e2f853b41779dfa2cd0dad01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259416944.txt

Filesize
1KB

MD5
f803ab428994cd9899d3c2765088d0ab

SHA1
58fb954430b138719eb286859d3fd5983a3663ef

SHA256
916a78e751cd0f5dbc8aebe0880f6688c529985987d3009d49aa29d1bdf9e52b

SHA512
5c8f1d9ba7fb804b33261967c48fb496ea4eaf356bc8a9412c26be8c0f8d9e82213ce5942e9603d5f5714809a540da95902f1f19ce298f9c112ed79d1fe3f88d

Download Submit
C:\Users\Admin\AppData\Roaming\bbc17279ae4ef42b.bin

Filesize
12KB

MD5
b9cd2fbee299f6fb93f2f579180a9093

SHA1
5aaa61bee903b6865cc258a06edf15affdc9f1f7

SHA256
ee8b3f07b5795a26b62daa450a7039e0e4ee29221b8a5de561bb9289efa11494

SHA512
c1ccb000cb91d493a480c6c76f58936d73bb2e8055a4ee48ced25489d597a87eb90476a891373c7aa082dff566d6f03322936064b80d223028fecf2d8745b11c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
09ae12c2de1983e087c04944dfbf6daf

SHA1
a69e642797c0517cb4e46fbe93fe7a0f72c1dd8c

SHA256
d0bbf6886faa2e1a576d4971c77784dcb1f801036a6e298a691380fffadf91ae

SHA512
7c6b76481c36fa445bf661b928eaf1057526134c8066cec6782e49acc53d9c837154ac33d31ba24239c6600805f2600af0f6a5de390be12730123b34d553b3dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
af25497b3a7ece6932c7a9e491d302a3

SHA1
e696516b6dbcb5110ac4aaad3de1a10ba3539f94

SHA256
147786c7fd386fb0041b6148dca78dc4b2677956c20af165006886aa3f2cdfd2

SHA512
f37b4ee9af9363162a827b92edb4a51de72c465fbc971b61bd593e4e97d814f5e626637a4843a9d6933bf9aa08069f0b061829b83e7b2727ad57dae8c9b1843a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
61cd3b296165091b1a2606c8fb3c37b9

SHA1
0baf789edd91bfc1cbf68875c7c8e20c2d02ba60

SHA256
e8d23067bef328d7b5970ea92e7da676260233d5b03679f61320a748de0dbe9f

SHA512
d187517107483570600a6299acd0fe6e390aa7645d38add6cdfff04498d42e60842f2776deb9af0500f20674e71237d6be434855b46b1d14e02f2a7a64fd1c75

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1ee0670eccfd6290a84e02bd32c78b2

SHA1
6232bb5bc38edf2d2e8aca172babb80a9772e2ac

SHA256
aa4c53bac93edef474634f5b66ae5e251f35e7f56423bcb8cd3bb31c2b4984bf

SHA512
17970c7a960bd8e437373c9eac5bfff6806890b2f30e87fc5c8c897b6894960cf215cceb53c1fb68203bd86358e47c43ad74121f0452c50eabf2541c9b691506

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
f7d695651616ee876ce3ab1c7baa6e57

SHA1
bdd9eb697877ced199633f847549abb60c419b01

SHA256
943ce386c3403d90159215e7b1924e4f9496b1281a9583e6df404e1540223e35

SHA512
6738dea4bd66c625c9ca7c685995620fb3add96bee774331d525f5f5647e655fc3386b4d8acc653705e9c3529d4656277802276ca9e9c39a2125b7ce89cc0347

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
1439884b08d2eded85543d0f0938ba83

SHA1
cd82cc0686593b5d8e81e0c8e76c51bf93db13f3

SHA256
828d2acbd2f82ddabc55b7fd60ff391792a95c60ec07c3b358b1ec35d497cb67

SHA512
db135e8815faa97ce7212a7097989582e7f40fe878e4852049e9ef16afc239d71acaea3a392b6f046aa7aa0930d8c0ed1280c910903635d965d49ed9fd6f0165

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
70aad10010a65060bcd1e7761ca76732

SHA1
726f46b7d5f3596ad3b14f8ecb7242947f6d3d33

SHA256
39e8d3f87070547253c826c15595ee9a3c46d63cd94bf3426ac4888b50dc980b

SHA512
4fe2695a2a8710eba7cef96ea4032d5fc1d62aa4fa72d833f9e07a611c5b7949da6c07fb4aff9554c603672ca8365102362c8ca9c4ac24c96d7b2b9c9ca42a45

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b5ed2698c701ae9da899339e91defdf6

SHA1
c6ca0fdb455ec7c1806dcfc420b461e749e09c17

SHA256
8613c0ce94e65649fc9af2a6449c288eafe32b957619df076d1705e4bafb170e

SHA512
45468d20f217f7999e2c0eaa9aa7991b6c4d5f9977394163608f4f98dcb9f921a8b10f01d8ff400bbcda401f7b0c22e7d6d0959ac1bd19453c89c01d3655a102

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5f85d94a8246e72fd2c19d82f5fd2456

SHA1
98710bede31467952b9b1a5e47756d59f0dec078

SHA256
78b9fc79412826ce327efc3b84636946f1d421457d27bdbfc81b5cbdda8806b4

SHA512
1195635bc8ab32f0859bc6b92142522b3c88dda19847ee052261acd2bc85aa2015c4a61e7fd8630accbbfaaed35c5c28292a444730380b635c569723dc743008

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
f01bc718ebed197075d5b978a8db8ac2

SHA1
3d4991246928a26b7bccdaa7faa622e60f27f3e3

SHA256
e5363cb058b8fe9df898b7bf6b3f3d971f87dae6f14aa198441f203018234abc

SHA512
40baa145f80b32e324bc5fc0faa9b32f77cb431f7ff48b0942c001bc8014f7a868de8a4fc6d8edda68d3d099d73953379245f01b5eb3706a14fcb67a9061d963

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
19884a02ce8064b7e575f01bd737a65c

SHA1
fe566965adf5a34e8b27594200bbcc9b05193306

SHA256
e9a97791c6f7ce4869440fb16a2f5815cbdd8233eb9689d65d7e8e0777a81dd2

SHA512
f3b32d072b15ea33361431492fcaf27b1fadf2a318104ad2f16e3f56d2a0208d5f7b4b97023f030ce4aee6634da38e0b812d3b804b5f0609f93d7b54cd6ec7ec

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
02167f373d9ac7cf70289221eccdc260

SHA1
b32fbf3433b35486b48c3ca3a621ea4f0da9106c

SHA256
95cf9fb98176ea8ed0c5038cee2abff3dfe050c7941122118b73b349fd665055

SHA512
b6bc19f25f2abc1fb3b38ff378695858aa10de6cd4844d5974010fd7da9a1aea02a072117db209636421d9d3766d63bd2373d2e1e5ce0de15869743b04003ad6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
3fc3ecd7771f1b0d2501186060b323b0

SHA1
a8395c7be207573a7d6f48f0c6db2dbc08706a9f

SHA256
ed438e64ad8571a2206e15bd33c987f01709a21b97b9328801171ab89a0a337a

SHA512
150024dfe9f7edec61e89f6c737cb074eb3a5aef1d91eff7be06898fff6e64098414ec9d0b4305d2e11052de709eda10afd244566627cd2f05e3d17675f66512

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b3321504a726e23b8ef895b03fc238be

SHA1
8b4a2d6cb126deae869b8c6ad0c0582d02f977d3

SHA256
a281d7460842605f55ad1b3116c5286a041d34d8e639682782fa11b935e18e15

SHA512
c7decef5bb08a8adf56b0348072e4022a87e139b75b5a4cbfb1c7e09f8d1881a27c763ca9162da2f92dbb62c3f0bd037271b78825f1fcc2dbc2bbef5962c1314

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
17716e3ccfe3e68b619ba7cfe6f963d1

SHA1
a0e8d1af2ae3395bff5c33571b1a2884c7fad55c

SHA256
3c8870b40bd0bffb685b0e1933ccc79a3e28be466b30f675a43c70bf7bbf71e9

SHA512
92a9ee6bc1832ab8cdeb385bbd2fe8732463dcadc84a5ed6a55535fddf92f305b66c1f5b736ae8bc6e3902b68524f063b098769e42e9a9c9f27cb8cfcbe5947f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
81faa6032703b591044aacfd0424860e

SHA1
2255cbff1f86ec43af0e0ce8ff0b3e1c1a2cb459

SHA256
0c4eeaba45efddfa4b4c41595f37dc27c65725f07d015d982ef604ba99ff8f2b

SHA512
5755e85a7ce52928d5fba61898a13a773727558bb354296dee5aa01e598f320d2c1f85eded99bab6f94f8271d25cf3dfe7f66e2d0cd3b64fb6b8b3ac57609144

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7166a15931f324e2e2891493fea6f390

SHA1
af347421aeabb0b8349c0b198b3e3438662fcd75

SHA256
037dae1ee7c45c73b8531f3aec757981a898367e04fa6121313fd37aef8793de

SHA512
c656a8a099435c8e685c8a64a36c121fc0ca3891a97ab0937795115cd9e7288a4dccfb59177c691982cf5ed27f1944adaf1d05cc021472eb2649222355dfde8e

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
b91c90618020e50101577866fee82f3d

SHA1
1e991b14b092afa7c1d51fe988812ca7a80b68b7

SHA256
af03edbb631907f73bc4177e4a1bb85813b0b8d20a2a68315969237a5ec0ff03

SHA512
dd2c9138411c5c5ba9d85fb4104679cba904b5eee6e74d4620df102160a5e2a5f056e2951aae47306c056eeda3a61c6abfa78bdb9cefb8920c8df62515b1e72d

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b4d13159a372698124ce98eff543d9b9

SHA1
d8f37d480e137978b79d2b67345bfd94893211dd

SHA256
00727e7ce6d767359bf1220399969048fb7ab7b7a7690722b4030fe5953073b0

SHA512
72d81a707def747a73d91f6a11c75072cf2cc29621504ff4f0ea9a3d29af100ace43d94bfd4fc68b4f61b924a8f8846510bae5e573c2dd97083c30c974a0f7a5

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6ddf2290cb40072416f68d673f611efc

SHA1
46ad06094f8ac5c1c4139d80bed1fd7d2faed480

SHA256
2cb2a24f0e50b1675bbc87d3f5158bb4074f34cdfccbfa90c8a2fedd76f6ae22

SHA512
fcda50a768cf44b31ad76bb6523a818a3fb39ba4216d8ede54f56a473d89b4f076fe1f9ceb939d95ffb169930ecddb2ce38fa5c43fb361f435b6a0a3927a8c34

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
52c5574e64447d56fb81e59013e587dc

SHA1
4d8d2ca06a3c1bfc10589fcf886054da2a1a5b1b

SHA256
26671b9e57b4756d10f743ce39c85a09af54db5f50718af7a1d35f208779868f

SHA512
8a66d244e387f4244e52b6a86ba476a6898ba17c7c14484e132201275f5c46be1ba0d983ab7db34c67c315e45e8d2edf9a07d9de8ac1bd3117f124cd78c3eeae

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
4070c047f7c1119b2481d155ffd194b8

SHA1
e55bb0fdb7f8233f4af264074b17b89299889209

SHA256
f79699256431d276209f8ac03e74f028fa6eae7e1d5bebb4452f91c1de0994c5

SHA512
a7511c5e1dc97829565930c6d6403e5d15abd6da79b87d8d8757c9e9ba00f17ab718a4fa34ea2d7aeff7b2219f82d24d3bcd343c1b078de0033c028777dd80ce

Download Submit
memory/308-143-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/308-281-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/308-147-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/572-289-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/572-291-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/572-274-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/592-71-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/592-103-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/592-65-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/592-64-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/616-183-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/616-191-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/828-318-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/828-175-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/828-170-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/884-300-0x0000000000CE0000-0x0000000000D60000-memory.dmp

Filesize
512KB

Download
memory/884-217-0x000007FEF4860000-0x000007FEF51FD000-memory.dmp

Filesize
9.6MB

Download
memory/884-219-0x0000000000CE0000-0x0000000000D60000-memory.dmp

Filesize
512KB

Download
memory/884-222-0x000007FEF4860000-0x000007FEF51FD000-memory.dmp

Filesize
9.6MB

Download
memory/1576-272-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-280-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1688-314-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/1688-310-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1724-177-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1724-109-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/1724-107-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1724-102-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/1732-320-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1732-326-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1976-242-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-225-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1976-228-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1976-275-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-270-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1976-269-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/2132-312-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2132-304-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2132-153-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2132-159-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2132-178-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2212-226-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2212-283-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2268-119-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2268-123-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2268-128-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2268-190-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2416-271-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2416-264-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2416-273-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2448-139-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2448-54-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2448-53-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2448-60-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2484-0-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2484-7-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2484-13-0x00000000025F0000-0x0000000002A21000-memory.dmp

Filesize
4.2MB

Download
memory/2484-37-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2484-8-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2484-43-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2484-3-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2652-287-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2652-259-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2768-30-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2768-46-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2768-121-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2768-31-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2824-88-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2824-81-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2824-82-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2824-117-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2860-296-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2860-299-0x0000000000580000-0x0000000000771000-memory.dmp

Filesize
1.9MB

Download
memory/2860-301-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2940-21-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2940-12-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2940-14-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2940-101-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download