d4144c0b402127a5b274cdaf6aba385f322dcf4b07d2ca444c6d2d6ce88a4d4c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
Size

1.1MB
MD5

a706739821b94c2aa998b0f897f10bbe
SHA1

ed75ca484fd0963293dacbace56d435208ad8314
SHA256

d4144c0b402127a5b274cdaf6aba385f322dcf4b07d2ca444c6d2d6ce88a4d4c
SHA512

ffa05042d5ba6312e5c9632c71216384032b22bc878397c84c785e3492911c854759c15dfdc25d0cc0373c2344cb7e4f608e387cd9da5341c77096653a04db5e
SSDEEP

24576:3Si1SoCU5qJSr1eWPSCsP0MugC6eTvqtL+SgvqFE1d3ddJW3CAqPSbwL:fS7PLjeTvq0re0d37JWyAqAu

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
480	Process not Found
2340	alg.exe
2636	aspnet_state.exe
2012	mscorsvw.exe
2812	mscorsvw.exe
2440	mscorsvw.exe
2804	mscorsvw.exe
2764	ehRecvr.exe
2768	ehsched.exe
1724	elevation_service.exe
1380	dllhost.exe
2380	mscorsvw.exe
908	mscorsvw.exe
2708	GROOVE.EXE
2800	mscorsvw.exe
2600	maintenanceservice.exe
2620	OSE.EXE
1120	OSPPSVC.EXE
2980	mscorsvw.exe
2896	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1e8e0d47aad3ae89.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{513F7E2E-D08C-49D7-A8B8-7E00A3A99BE3}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{513F7E2E-D08C-49D7-A8B8-7E00A3A99BE3}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
572	ehRec.exe
2880	ehRec.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2300	2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
Token: SeShutdownPrivilege	2440	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: 33	2264	EhTray.exe
Token: SeIncBasePriorityPrivilege	2264	EhTray.exe
Token: SeShutdownPrivilege	2440	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2440	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2440	mscorsvw.exe
Token: SeDebugPrivilege	572	ehRec.exe
Token: 33	2264	EhTray.exe
Token: SeIncBasePriorityPrivilege	2264	EhTray.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeDebugPrivilege	2880	ehRec.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeDebugPrivilege	2340	alg.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2264	EhTray.exe
2264	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2264	EhTray.exe
2264	EhTray.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2380	2804	mscorsvw.exe	40
PID 2804 wrote to memory of 2380	2804	mscorsvw.exe	40
PID 2804 wrote to memory of 2380	2804	mscorsvw.exe	40
PID 2804 wrote to memory of 908	2804	mscorsvw.exe	41
PID 2804 wrote to memory of 908	2804	mscorsvw.exe	41
PID 2804 wrote to memory of 908	2804	mscorsvw.exe	41
PID 2440 wrote to memory of 2800	2440	mscorsvw.exe	44
PID 2440 wrote to memory of 2800	2440	mscorsvw.exe	44
PID 2440 wrote to memory of 2800	2440	mscorsvw.exe	44
PID 2440 wrote to memory of 2800	2440	mscorsvw.exe	44
PID 2440 wrote to memory of 2980	2440	mscorsvw.exe	50
PID 2440 wrote to memory of 2980	2440	mscorsvw.exe	50
PID 2440 wrote to memory of 2980	2440	mscorsvw.exe	50
PID 2440 wrote to memory of 2980	2440	mscorsvw.exe	50
PID 2440 wrote to memory of 2896	2440	mscorsvw.exe	51
PID 2440 wrote to memory of 2896	2440	mscorsvw.exe	51
PID 2440 wrote to memory of 2896	2440	mscorsvw.exe	51
PID 2440 wrote to memory of 2896	2440	mscorsvw.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_a706739821b94c2aa998b0f897f10bbe_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2012

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 168 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:908

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2764

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2264

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1380

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2708

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2600

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2620

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
704KB

MD5
6c3faecb5da58b65b434baed0413de39

SHA1
567ccaf6afad8c8d9393d73c41b51b0560153cd5

SHA256
5a0b22b16384e9baef0767fa49aa78d3ef236596c6b2ab06ef68adf1e281bd6e

SHA512
856a667774d32e6cce677db9db077884080b83f6024ac436a2445c037eb4905c9f0c3e1ad78ddcdf2a20265264512faf0a164f51134ac3a5d229a92d3e84f119

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
192KB

MD5
17972fccc3391fd34061bbfaf9751775

SHA1
c2c7505ac7680b53fc326ba82fe157971a0ddec2

SHA256
90ee89d4d906c0255d04ef19547d836016c5410aa839dd784c10c670a24f88f8

SHA512
79da13fbae55ad1ef9546088f8eb32ec700557df80521aeba7634499ed3fb755664fe6fcd7e9656fc8a04ea71f9544e90cd3e45a69622b41d45dec30291547e0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3190522713ec87628c6feb049350e867

SHA1
b14ae01639ae35ffe0c669366d36b9e547a4eaf1

SHA256
972bdcffc33422978b9bf380fdfb173daa50931388f2c7998b4ab3b66f7e2c6e

SHA512
3b1bb7d245d78ff738f3616a0d3529f73080ec2642a15d6ea097ba102eaafc1662beaae2b2e79d3eaa4de3b500469d0c9fed9a0d78d12767e7951429e3e64a16

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.1MB

MD5
20cc6afdef4eac51863b181a2f138c88

SHA1
2a3d7b0190fd298726fbe1012cfbfa48d604a3a9

SHA256
9d0e53ebb5a4a18b02c562e18549f70d306033b7f71a398560a25e1cea3e040b

SHA512
6df472016b0f1d6368780565aadc8dc17572a91f4963b239ebcc4add96ecff36da8192f554f1dabd9a9156ed62f292878a6d61ea15aa712e507bec9007f61b1c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.4MB

MD5
315459df3445296625ef1d86adaca546

SHA1
86bbd03293e0af4adbd85d37013c4a3924786c19

SHA256
6973375804eb1fb12679b06b2ef61e6aabfe3439925ab7347428921b9ece7a84

SHA512
d0cca5b1f888ca739c926d267aa864240239f36ce2b388ebf4f9bb0ec7f1e6f8bd537ce7918b86683a921c1a6e32aa07ea184551281dfdb955e2861ee3de484a

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f96978fc46d9f00d8780351026924d7_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc

Filesize
59B

MD5
db733e033c397fec5917611957620271

SHA1
6f94d1daa0fc4ec1b2d4cbcb93730d8edb77a2b7

SHA256
1f3ffadd3b80c7f95be06e245410768e8302a24e573868da3c6fd91230025bdc

SHA512
9a9bb4cf6380bb0a73ea414ca2226a344c7da003e49610dc38bd10892dc17244e4c88bf8a466131027e3c064c693ad99014e6853fff51edb21cb690b926b962f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8f1a9d10a803084cc8cd1cb4dfef1777

SHA1
d7e435cde8e9d386be3be4674cf6f0932279831a

SHA256
e2e7f654c7eeb193c133a471f4941698c98f39da9068d243d0aaf38fa202d3e3

SHA512
4de2c954539968294a541fb3ef75eb44d5745d25141fe8d4307776903c307e9c6a2f4d47d9c85f2b4c7412a5ff78c7d55b1d0c98cb7beee82cca52c96b701a86

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
944de867a18b5f78df5b16ad15b17aa9

SHA1
d6871bbd0f1f1a4ba5c2d53e5053c38653f037dc

SHA256
520ff3f13a9438f2be11463a75b2509c53d24e0c75121c2274332cafb55aa331

SHA512
2af8a712a5f854ff8e34b3f9e96b6ea8a9765758643670ca8e227078ced38186964c6437f8c7a0c135a726523842a001520672d6cb84da0b9836cdc2cdea649f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
fd2d949bc7f4869eddfc96a39e46ac31

SHA1
ca22c1dd9f188fe5d330c1ca9911d4bf8cfc9226

SHA256
afb993cb8024d82a25afaaed3bdeb674abe34d45fa8a4e220323d1f881764920

SHA512
0095ba47d9901ded3f8557e471d6aedd652dddfea5a92003b08add2db23faba4dc8c78ce264e79d07abad34382342c73778c096b3029ac6bffd37e84d1b003ae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
31ff82737aa83b2053df0ff4b1118b0e

SHA1
e9f9bbdcc8a38c15581c4ba30347b82a3333da07

SHA256
1397d9bfbe1b6a4d6a952b470f986048231f6da22bcdae454d2d193673179e7a

SHA512
3403c705bb5abb2c82bc16a3051570f27d169477d1de193469f343707a75a88c04edd7394688320558de20cb54e350c8b914dccc30d14ca25d985d15d1ffd62a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
17b01bc3ae103049e7e923b53d85c264

SHA1
1532d3c15ff6f13cfb2f34bda43f0199b3b7c5c4

SHA256
4de72777d0b871a0a2ca481815c4aad50aaf2c8dd3c1aff05f737d3f16f1644e

SHA512
2cfc96ea62b05d0c80da2bae86a24b91b54de22c5e67cbc83d9ccc827b245280faaf333e1e89fa8f995cfecf0d41b60fa947c779891d363362ac1cda124c0838

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4513b985dab11a59f05cda703dde4daf

SHA1
6d1410c5f82c070bac74475bbc8cddf569e7a533

SHA256
ee1b1a205b082e6f40ab11a7c90581f24dab9710384e0e6e33e81d5b86e4e416

SHA512
09478fc30cf85cf326033192df1fca9b6384484021639bf6ae028cb84db8d848c849f27f34e23640c6f7ca36c52fd631fcdb82f4a064da6bf43cde2572884dc5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
cf368f62a3ff11088573d4e713d1c3d5

SHA1
0accde746fe4b374268bcd4a020642684dd7d91d

SHA256
4f7636c495df031f86f7d1f76216037512db65ff074e72d0eb5196e5c2b4fddd

SHA512
10b72df1889da94d6cc17a1e99519dfdc6ffd0a7efb739971ee22212ab0bd2c0b90595fb3f5cb847ad73ebed1537213e0923ecdac765df49d6a3f5807355bce9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
704KB

MD5
04c4d8b3a26e0984ef95bc9c8d2166e2

SHA1
cb02c6a5a19c48571b1962cccbf3f66986f14340

SHA256
ded8e2291b4c6992db56217334edbfad4d1d97f5090c41bb44df0cab81abca49

SHA512
d9388a03a66a85b39c071a2c91cc7900844feee033d19c24a88bb4249ffeb0e4eb1a544bc100d92ae02ee6c45b0cab91bcd7c6327d4b0ebc11b2b6c149458889

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0cf37e41d3b78e2ed138b61303d1e1a8

SHA1
a10b807f79e97c260946dc19246df94e5ce87a81

SHA256
15573561809f2abefe4184bc84d99459569eddc77ed98ca73a905cbb2c801f01

SHA512
a06141697bb0b92d168b943aeba981b38b67e572c4d3ec125992140b59c49ecadcf13de6df8b298a457dc3071f96f22eebe2179572cf2184c1e0e2920fe21a41

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
44a8c5491e3d9ae4bc86e8ca52b9b75b

SHA1
f8ae749678041858d279274db529de8b2ea4a392

SHA256
5ba543f07dc9568f121376bee1f12b10b49f0de7272b5501df7b4dd461ecc282

SHA512
25f2ce0665027efb59c57e6c1c88b9ca79e0609e19e03fd39b475a413678894b684f35ac71da7bb6a4b7c0134c8b2bddf9d97b760b65bb3493784590c5247918

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
768KB

MD5
c014bc8a7dff61f1b9d07ddbd686e3cd

SHA1
8adc0e3d807277025ea570554fd3511cee81ec0e

SHA256
9600e773ac47c94f899b9023e728418e1ce816e4fa8849dd290d83724d5541ea

SHA512
d8935c50a793629f8f1620bb4115b4db7a64b4c40ba08c96e76b9cfe8d420e523259f11ae6ba7756160eeeef818532f5209fe5efcd5680adad6d0070f415f5db

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
6f754d627005eca691f084f086677416

SHA1
747b559e547907e2ddf126f60e8de1a580b124bd

SHA256
36c01883780a6deb08975249d184f1f372860905876cd606728c8237efc7940e

SHA512
fe767439b1a9f2475a1ec2d4c1a9f0cfbdf4dd427540bf41a486f365654f4d3ba2b4211a499470dec271fff074529fd9e0c2b0868c444718429a4fb6a0311503

Download Submit
\??\c:\programdata\microsoft\ehome\mcepg2-0.db

Filesize
512KB

MD5
a3d8d675667747736dbfa4bbb10e1c91

SHA1
5d5914128499d6b020bdd12ef5e2b22099cc0039

SHA256
d41580fc0ad30a06376a07e6b2286a421c974410371554fc64eeda819652effa

SHA512
3e9737c889d90f2093bf6bb2ba0c0c4a1f8ca23bcb47af79b62eb11442f02b352444631ecd5f222d033eff2c0c370600ccc17b7214849f51a80d8a53ed9d070b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6b937ae10bcc051c2509a909f76441f2

SHA1
2a52e20550a1eba0968b6f5d0c9a403069c20f0b

SHA256
9fbd2826b0b829dc7282c9804f47816165e69116f84f482c898e994557531955

SHA512
78a44788540d29c35711ded8c71361c803f44937f0f402593d9cab44a7af8146afd6949948cb3ba54a3f042874558e6e0062d93d7207e9d236f213d9eb691d4e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
61085eb8cae173b2bfc5b73c3a5dce45

SHA1
f994342101e26dde0f41df3ff959f4053b1aca8f

SHA256
45cd1b4898bee391dc4256435733727b1cad5e9d45040efdb021bbb719994cc9

SHA512
a1e1450a911e7e7773ad8ad18c7793d52641c29fbcd0940612267ce407d2201cf0b018e5c68e4eff4ad5469b1070b59c298692ed330023305d767710725c5be4

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fe16418362fbfe74853d9ca669af7461

SHA1
f7fec1b201bf8c6d76f098fee8bc1e6b7e134994

SHA256
0b159f14afe772bb48c0ce6973031ed368456aeb925084da0126c80f57d3801e

SHA512
d0663e01f6a2ffc1483457fb5dbc8dca679af47268824ebaa5ef00377a82ac223f6694bd71d90a20ce8cfb0584f1f9a7ce4d3320b1de9316efc4f1051080e628

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1024KB

MD5
73b1e6168186a2dec0d41a48afa9e693

SHA1
69d0b3a6f2b5baaf427fd35c2513ba950ff3f772

SHA256
76c902c5d6325824505b487ec83572ed093c7d9cdfaf97d1928107ffd80d3511

SHA512
a17b70797459d1c3292e2f2bb8f87872e160583a8aff339e68ac540d9248f6fa6b05f98b58e8620afca6e2feab686aa64fe8390f1e8578fb620eb03e77779d6b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.1MB

MD5
217eea0584fe789265e202468c13c900

SHA1
7a382a31c4a37ff63dcb7e92fc7198f6836ed53b

SHA256
edffb7d2028c9bffbe64984e854888c8137147ea567014572c098b9855c87066

SHA512
65b36fa7bcfbc533a2ce85ec1af4c7591fe1bc13a21a5c411c4404e781afe85530f4716e1d9b64e00e413ab3ef0a44866e071d9a631d0f730e200e06a4c140cb

Download Submit
memory/572-193-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/572-146-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/572-145-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/572-191-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/572-192-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/572-147-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/572-197-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/572-165-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/908-170-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/908-177-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/908-187-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/908-218-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/908-226-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1380-203-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/1380-186-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/1380-138-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/1724-128-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1724-176-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1724-122-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1724-129-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2012-82-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2012-39-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2300-134-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2300-135-0x0000000001D20000-0x0000000001D80000-memory.dmp

Filesize
384KB

Download
memory/2300-1-0x0000000001D20000-0x0000000001D80000-memory.dmp

Filesize
384KB

Download
memory/2300-8-0x0000000001D20000-0x0000000001D80000-memory.dmp

Filesize
384KB

Download
memory/2300-7-0x0000000001D20000-0x0000000001D80000-memory.dmp

Filesize
384KB

Download
memory/2300-71-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2300-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2340-91-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/2340-14-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/2340-21-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2340-15-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2380-183-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2380-159-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2380-163-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-152-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2380-185-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-184-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2440-61-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2440-141-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2440-54-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2440-55-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2636-35-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2636-28-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2636-106-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2636-27-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2708-213-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2708-230-0x00000000004E0000-0x0000000000546000-memory.dmp

Filesize
408KB

Download
memory/2764-117-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2764-116-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2764-120-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2764-442-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2764-441-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2764-92-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2764-162-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2764-100-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2764-94-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2764-168-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2768-426-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2768-427-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2768-164-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2768-107-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2768-115-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2768-113-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2800-220-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2800-227-0x0000000000BA0000-0x0000000000C06000-memory.dmp

Filesize
408KB

Download
memory/2800-446-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2800-445-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-80-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2804-72-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/2804-78-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/2804-144-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2812-102-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/2812-46-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/2880-269-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-194-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-207-0x0000000001080000-0x0000000001100000-memory.dmp

Filesize
512KB

Download
memory/2980-458-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download