b5ca71ac6ab1f1c6ec79aa74f932eb619f201dcf17d1653fe5b295fdc02bc402

Analysis

max time kernel
123s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-01-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
Size

4.1MB
MD5

17d2c3cceb784399c8f96d4112c9a13e
SHA1

ad8827de0030b06ed89f641a91117fd642718cfb
SHA256

b5ca71ac6ab1f1c6ec79aa74f932eb619f201dcf17d1653fe5b295fdc02bc402
SHA512

1d3b7afc60af9295a35d22a3e01437670394afe823213d1fa185bcbf87cf79d29d52c3cd004e7300a422f44180ac1e5417eba7e18a58b92193b2f9c2941e0590
SSDEEP

49152:r5Viqwo4KxghcyJLBaSbvviqMjfBVrTFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9K:rBfrrTFFqRlw6a+nfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 41 IoCs

pid	Process
468	Process not Found
2852	alg.exe
2300	aspnet_state.exe
876	mscorsvw.exe
1720	mscorsvw.exe
2060	mscorsvw.exe
268	mscorsvw.exe
1584	dllhost.exe
1204	ehRecvr.exe
308	ehsched.exe
1148	elevation_service.exe
948	mscorsvw.exe
1524	IEEtwCollector.exe
2796	mscorsvw.exe
3008	GROOVE.EXE
2644	maintenanceservice.exe
2028	msdtc.exe
1720	msiexec.exe
2416	OSE.EXE
2552	OSPPSVC.EXE
2108	perfhost.exe
2800	locator.exe
2596	snmptrap.exe
2976	mscorsvw.exe
1656	vds.exe
1104	vssvc.exe
1604	wbengine.exe
2112	WmiApSrv.exe
1640	mscorsvw.exe
1724	wmpnetwk.exe
824	mscorsvw.exe
2192	SearchIndexer.exe
1400	mscorsvw.exe
2356	mscorsvw.exe
1380	mscorsvw.exe
1992	mscorsvw.exe
1704	mscorsvw.exe
2012	mscorsvw.exe
832	mscorsvw.exe
932	mscorsvw.exe
2816	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1720	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\419b6ad33f41c52b.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1C1536F7-4E20-40F7-B267-BE953E9D9744}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1C1536F7-4E20-40F7-B267-BE953E9D9744}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{B1E585F3-152F-4B03-AC80-16896028FFA4}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{B1E585F3-152F-4B03-AC80-16896028FFA4}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
860	ehRec.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2984	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
Token: SeShutdownPrivilege	2060	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2060	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: 33	288	EhTray.exe
Token: SeIncBasePriorityPrivilege	288	EhTray.exe
Token: SeShutdownPrivilege	2060	mscorsvw.exe
Token: SeShutdownPrivilege	2060	mscorsvw.exe
Token: SeDebugPrivilege	860	ehRec.exe
Token: 33	288	EhTray.exe
Token: SeIncBasePriorityPrivilege	288	EhTray.exe
Token: SeRestorePrivilege	1720	msiexec.exe
Token: SeTakeOwnershipPrivilege	1720	msiexec.exe
Token: SeSecurityPrivilege	1720	msiexec.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe
Token: SeBackupPrivilege	1604	wbengine.exe
Token: SeRestorePrivilege	1604	wbengine.exe
Token: SeSecurityPrivilege	1604	wbengine.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeManageVolumePrivilege	2192	SearchIndexer.exe
Token: 33	2192	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2192	SearchIndexer.exe
Token: 33	1724	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1724	wmpnetwk.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeDebugPrivilege	2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
Token: SeDebugPrivilege	2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
Token: SeDebugPrivilege	2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
Token: SeDebugPrivilege	2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
Token: SeDebugPrivilege	2708	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
288	EhTray.exe
288	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
288	EhTray.exe
288	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1172	SearchProtocolHost.exe
1172	SearchProtocolHost.exe
1172	SearchProtocolHost.exe
1172	SearchProtocolHost.exe
1172	SearchProtocolHost.exe
1696	SearchProtocolHost.exe
1696	SearchProtocolHost.exe
1696	SearchProtocolHost.exe
1696	SearchProtocolHost.exe
1696	SearchProtocolHost.exe
1696	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2708	2984	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe	28
PID 2984 wrote to memory of 2708	2984	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe	28
PID 2984 wrote to memory of 2708	2984	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe	28
PID 2984 wrote to memory of 2096	2984	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe	30
PID 2984 wrote to memory of 2096	2984	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe	30
PID 2984 wrote to memory of 2096	2984	2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe	30
PID 268 wrote to memory of 948	268	mscorsvw.exe	40
PID 268 wrote to memory of 948	268	mscorsvw.exe	40
PID 268 wrote to memory of 948	268	mscorsvw.exe	40
PID 268 wrote to memory of 2796	268	mscorsvw.exe	44
PID 268 wrote to memory of 2796	268	mscorsvw.exe	44
PID 268 wrote to memory of 2796	268	mscorsvw.exe	44
PID 2060 wrote to memory of 2976	2060	mscorsvw.exe	54
PID 2060 wrote to memory of 2976	2060	mscorsvw.exe	54
PID 2060 wrote to memory of 2976	2060	mscorsvw.exe	54
PID 2060 wrote to memory of 2976	2060	mscorsvw.exe	54
PID 2060 wrote to memory of 1640	2060	mscorsvw.exe	61
PID 2060 wrote to memory of 1640	2060	mscorsvw.exe	61
PID 2060 wrote to memory of 1640	2060	mscorsvw.exe	61
PID 2060 wrote to memory of 1640	2060	mscorsvw.exe	61
PID 2060 wrote to memory of 824	2060	mscorsvw.exe	63
PID 2060 wrote to memory of 824	2060	mscorsvw.exe	63
PID 2060 wrote to memory of 824	2060	mscorsvw.exe	63
PID 2060 wrote to memory of 824	2060	mscorsvw.exe	63
PID 2192 wrote to memory of 1172	2192	SearchIndexer.exe	65
PID 2192 wrote to memory of 1172	2192	SearchIndexer.exe	65
PID 2192 wrote to memory of 1172	2192	SearchIndexer.exe	65
PID 2192 wrote to memory of 1484	2192	SearchIndexer.exe	66
PID 2192 wrote to memory of 1484	2192	SearchIndexer.exe	66
PID 2192 wrote to memory of 1484	2192	SearchIndexer.exe	66
PID 2060 wrote to memory of 1400	2060	mscorsvw.exe	67
PID 2060 wrote to memory of 1400	2060	mscorsvw.exe	67
PID 2060 wrote to memory of 1400	2060	mscorsvw.exe	67
PID 2060 wrote to memory of 1400	2060	mscorsvw.exe	67
PID 2060 wrote to memory of 2356	2060	mscorsvw.exe	68
PID 2060 wrote to memory of 2356	2060	mscorsvw.exe	68
PID 2060 wrote to memory of 2356	2060	mscorsvw.exe	68
PID 2060 wrote to memory of 2356	2060	mscorsvw.exe	68
PID 2192 wrote to memory of 1696	2192	SearchIndexer.exe	69
PID 2192 wrote to memory of 1696	2192	SearchIndexer.exe	69
PID 2192 wrote to memory of 1696	2192	SearchIndexer.exe	69
PID 2060 wrote to memory of 1380	2060	mscorsvw.exe	70
PID 2060 wrote to memory of 1380	2060	mscorsvw.exe	70
PID 2060 wrote to memory of 1380	2060	mscorsvw.exe	70
PID 2060 wrote to memory of 1380	2060	mscorsvw.exe	70
PID 2060 wrote to memory of 1992	2060	mscorsvw.exe	71
PID 2060 wrote to memory of 1992	2060	mscorsvw.exe	71
PID 2060 wrote to memory of 1992	2060	mscorsvw.exe	71
PID 2060 wrote to memory of 1992	2060	mscorsvw.exe	71
PID 2060 wrote to memory of 1704	2060	mscorsvw.exe	72
PID 2060 wrote to memory of 1704	2060	mscorsvw.exe	72
PID 2060 wrote to memory of 1704	2060	mscorsvw.exe	72
PID 2060 wrote to memory of 1704	2060	mscorsvw.exe	72
PID 2060 wrote to memory of 2012	2060	mscorsvw.exe	73
PID 2060 wrote to memory of 2012	2060	mscorsvw.exe	73
PID 2060 wrote to memory of 2012	2060	mscorsvw.exe	73
PID 2060 wrote to memory of 2012	2060	mscorsvw.exe	73
PID 2060 wrote to memory of 832	2060	mscorsvw.exe	74
PID 2060 wrote to memory of 832	2060	mscorsvw.exe	74
PID 2060 wrote to memory of 832	2060	mscorsvw.exe	74
PID 2060 wrote to memory of 832	2060	mscorsvw.exe	74
PID 2060 wrote to memory of 932	2060	mscorsvw.exe	75
PID 2060 wrote to memory of 932	2060	mscorsvw.exe	75
PID 2060 wrote to memory of 932	2060	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-01-19_17d2c3cceb784399c8f96d4112c9a13e_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x13c,0x164,0x168,0x160,0x16c,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2984" "556"
  2⤵
  PID:2096

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:876

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 1e8 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 268 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e8 -NGENProcess 274 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 23c -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 27c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 284 -NGENProcess 23c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:1336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1584

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1204

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:308

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1524

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3008

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2644

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2416

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2552

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3308111660-3636268597-2291490419-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3308111660-3636268597-2291490419-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1172
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
fad30731763b76d59730f61f61cdfd06

SHA1
06ddc64aec4f3b346d1b161927e3c5c678320309

SHA256
13a9c334944de8e1c759cd499784138632bd6145cd1f9e0b7efc0b83a1f123aa

SHA512
90e7ddc2b9c0969b98046ce2135e8dd27a1ec730fc20ba3de522522b961bedf3883482976560efb305eb98ac694d277163710bda0fc0ec4d3950a556cac48796

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
297KB

MD5
2d0ebb6502351fcd322fa156f9544ff2

SHA1
27a4fa72ec5d6cb87ab69bd12ee5466d70d22f9f

SHA256
769fc771eca391ff2c80781625a28e58779110d8a86690b17b2715fb6ad3ef34

SHA512
a5dc919d5e23107c4600a02348c19ed9432592c8d3a58176aa9f96d3d1d6622734ed5133fa3d8ffdfa40afbf74f584c47d90b629af6f4bdec43089654490cd29

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
d7c7c165676c87682f684196666f4bfa

SHA1
c8bd83c27da60a1b96405fe11e9a3b21f29fa8ca

SHA256
275bc2412ab3be93bfaac408127dd8ed2aacc2d7cf90453c3838151f63819a1d

SHA512
df40362c1eb5ef2e91af5ada084a0ee67b6e4980145ea2534312454238355816b6890e1acf19ef3fac9458bba55ad5e544e3325497e10f231ee33e88b46788f1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
521KB

MD5
80bd0a5a751280bc995104c0b55246bb

SHA1
ada42d9ef48852f1fa3b3cfba9b338ba71fd12c2

SHA256
0bd7c1bf55ea7f2352140a7cf6be5ea7f2c9bcb814dbb36726175afd7bf7413d

SHA512
e902022467fca425ce1f547671288f3296b158a111d8ff80dd998328af060fd98b248c97212389d1fa47bade83d6283d2fbf0d96e743246eb20621cf01761c80

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
467KB

MD5
5990d0d23cccc8a32c6281fd15c394dc

SHA1
30793d5c141f2b1188c05feb5104486b3526da02

SHA256
4fe9fbb8fe246cfe750961d4a83ed95285810dc6f98882daf1acb179033b2556

SHA512
8801fac03e255d2087a277ceb69ea1a3e0349a4c4288e77d2769e5c959b52497162791b3bd101cfba6791909de2a257c5577bf45075391394becc9518f199218

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d94127f891b4fbbf608bbbb5b8d12ffe

SHA1
7fcd2d74de41ab5b7f1f6eb36ca1c48fcbc4fef4

SHA256
d1c39be1814cc3a4c951bb435756bcfdfa1e09b40071c6f11bf1ae7a183ba838

SHA512
945114d28c685ec3497c39cb65c2a37068f42a39fb33aecff4f009a94009f718beb472d0619eb41713509811b005eda5ed7f2863188364fc9985a8d56cd29ef8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
13f57645dfff5534761ecdedbf052cc7

SHA1
ad4bd4d39205af30116630728bf72f08fee71007

SHA256
470c950d31b4edb1dd0d75197469b705d4db4900b0381a711aa37df19938f7e7

SHA512
0d44f09d76f4b0b658a357bf3709d1745ce4be7e4883bb45a31b1fe3ac82c9b69667d2361295e4df6dabab36543e45a3232f835e38ddc931f7236b119cd652cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259408972.txt

Filesize
1KB

MD5
02d25ed58c57d7ca6e12ffefbb3e2512

SHA1
523ae7920836e7c1a41f8f2894233df08fb22a85

SHA256
44bf58e1fe3da24cc27f14969b662c25804d521e8765ed18a75bab70c615acc6

SHA512
2cbb81374ebc703dd9d183325fd7becdf2328f67d815f458ba1861a28f70c2d9807b9d8dca5b8bae0b2c70080ff2e1b8083c7936c8201d4b84ee71c0560cfe05

Download Submit
C:\Users\Admin\AppData\Roaming\419b6ad33f41c52b.bin

Filesize
12KB

MD5
528a9701fe74d09dff26cfa502fc07ed

SHA1
c924bbe48ef2eda86ca6f3d7d39dd4bb321dd423

SHA256
cffdd93d509c0f6f538edd8ba1999b8c35b189e8f24f2ff2941378d4d9c2e22f

SHA512
3c97c96bae2f605b4a13779b8ac256d8f9a626dddfa17baa58d1311df846a51492651d54b9b575c55a3a022b9f8dca8add06e5a79a9a93db46e89e65facef4f8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
7f10a09a3bbfbca12efc235cb645c2eb

SHA1
1f5432e788df8149e0564df89d0447f7a2466de8

SHA256
8defa1657d044c302165ba6fad6be4aef662e617771b7abd6a0d74d2ba6ff15a

SHA512
c1b783d9f83010879d8e0924483d7d5ae2acbc18f55f24aed10a033e22f562ab6ec24d25babf21446a9fc0fa35982b300bd5951f3519f5aa45eec57f81d62479

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
bcb38b2ba0f7e8a7b4acf3f1aba883da

SHA1
030f37ebd371601e7a2c3d1869c763b8fbf77261

SHA256
09eb820ae1ab78aa94483409515a6dc658eb168d2d630574e83927611c100b6d

SHA512
2d970404226a7d04e6df37d5adcc02ad4ccb0192a8d1dcade207ad95bbe9dd100a6741d11eeec8c784877c8a671a325a3e9b069d72e006d67d12d3118116f0de

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
380KB

MD5
2e54775f23207d59bd00100fb4c704df

SHA1
0547714623b7b68e0a2a005a0abea1fba644f60f

SHA256
4f81788a43b4dc80ce712e2508899e4f6fcdf3579f80b3921583eb57c129fd71

SHA512
0089dcfacaa82fe4472b2e7795b798c73b36815ec5ccbab294a2c52ee6cbb751615a9ea0b3cfb71e9ee50e8898895a8c633e1c1802a772f0234ca16e737e175a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
5a4f9d8351e7ce5541578162188a5caa

SHA1
00967c534db5e74dd0d5be7c3dcde293a196e4e8

SHA256
21422cd8ed6e1555686c0bfc65732f0925793a9f109bf95a3cc5b11252222ca8

SHA512
0d36dee158e34546033aba4b6b1a4bc70a7663d00a5e4645d08cce69f5fffd741d03019f5c020e639915185340b6bb99ffb858d10b47445bbc8ed057214ef9b3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
5aa336d9a6e1fef85c25f48b95b1a624

SHA1
0b5c68b717678aa92567deb86317a05c93277ca8

SHA256
d9254d307432e999a51e30d41ba8a644528837728c075b21de2c917c1dd82c33

SHA512
3e832902039e02cae6e80a4692ed448a4dad1854bf14182ded596a22cf3765244797f95541e436569ffb2bccf808a8371b65827244d982aa7d42022c0ac9eec9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
128KB

MD5
493bf611b0d0a4ef53082ead81990df4

SHA1
f5e9b8465ea959a9af7209339d7076288a3aa1f9

SHA256
a049c867764a3f4322f558c2586c43bbc182c392b44eda898ef64fce6bbcbd16

SHA512
a2bf5d2f142b6064dad7acf1b9adc8bf479e84381b28932aea7be88afcfd2e000da7f3e9d7bb377edf456b60c95eff7176cde5eb27e49f42c393a1c4d1238553

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
41c34f5d74028d473b4429d5d83ca0a7

SHA1
aad385535b5689205bfc6ec6fa3de0f79980f0fa

SHA256
c1d8af013e0c89a4c7489b9bbe7b17ddbd7f6f29b264dc2618efbe3fdddf38f9

SHA512
0aa764e017035d8d4591e4c4003633883b44bf4196a9b2bac152732af7d65160ca5ac5579bdd23af0397a692701e927167250a0cc71b9e31c6f8a6afd227d558

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
273KB

MD5
615b9e4b30f1fe0233bb56c0c551836a

SHA1
53f7fb9c36c9e0b7f0109d0aff3750b907ccb69d

SHA256
40340b29f4d50954aec9bb8b5eec6ed3cc373b356648f380d968cd8644b431f6

SHA512
d3829fd62bd3ef3da5ce9cfccc90dfc321b0892f7d9a3f0e123fbdcc310003a52958a3013942c561a203293fb686d2b1fc73f9b237ed8126e5489c9e4a5e5392

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
1abb957140cc323f5843f257f972d274

SHA1
a3373730f5040b741fbe06ac23df7b18a64f4b21

SHA256
52aa5daec904c00094bcb9a88c67adbd91ed67ffe4a68421fd9752f045eaa665

SHA512
74b9df1064c255a948c413e5722743b174688e896e5ba279897e05c231244e2c6ee46b65da132a41c5a6b6d8c81d0d4abd046937c072e0453c075da0d833ebd3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
0b54d3ce24f65c964f550f1279027e31

SHA1
49e9643dec5ef3791bf24e9a2a8ae519b583f455

SHA256
33ab3d66d229d658cc9b7c0d78b1e3533de2753fc4c7a9f031c2160b4fc89b60

SHA512
ab9edee24b35225b7202e28ac3e7a554d957bdd721f358bae7f26603233796d21ff728b514edfc64631d6d7a92923d1f81541a893b3f91d8850d7db9ee148cf5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.5MB

MD5
4fd20d9e66f7f45414d614ae11a5ac81

SHA1
dbf13bdb7a4bf67398b95953705809b53632ca9f

SHA256
10c79d4257fea66e4715a02ba4a90f44e0d3eea1516be6496fa9890e60f6c27a

SHA512
4306191b54815ad789fc24d6e705a2a4f0ec124c50332bea605538c7ed28a8fec5666fb9f864a62e73736e28b648fa2b2bb7531e513c8654eeed155177986855

Download Submit
C:\Windows\System32\alg.exe

Filesize
192KB

MD5
acb19fb56dc003410a85eeeba7ad229d

SHA1
bc5511ac0c82458fe7dc5c8a593562639b5ffb37

SHA256
dd55c03a47537c5c782d36c1967e8d1ae246070445db122ca47c6d7afa43fe57

SHA512
95c9b39cd345875fed2f015b80043141d737453636c0062e8f89492debd9ef45ba2b40084a24d9d53d3dc24375119e0dd86d798c90995cc8385129370d523607

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
544KB

MD5
1e737420247915a539cf258885df8b4e

SHA1
ebf70fa09e5c5aea349d462b59d3b2b38f6883cd

SHA256
ce47f852d7acccddba89651437e8d59eeeffe156f98445e55fb7310e365e554e

SHA512
a23eafff98e2e14c1043abfc3174208addb0ce0440f0a7464a2a16d66dc90d203b0d22f0ea89e2b498f5a3d7c26d281c27217756336702af55d74926454f8460

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
689KB

MD5
c93e2e65be495d5ae6ad24120d5544c4

SHA1
c52f1663f7d24e177920d5cf0c832cdfc265bc0b

SHA256
16aabc753ce359d53fbae3586f9dd3a0ed10ab02a3c1aea393c93ee14d4ee2c4

SHA512
93beaba6156ab7ce0331e64a5dbd044897e4bbf6a306ff9fb761b71d0c579bb72c559fce7d2d7d0a86723e9522630ceee3bd96ffe14bd9870b51087904f8e5cc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
57KB

MD5
e920d95a5b60f59e4ac48d6973d30354

SHA1
9bc3e80464b6cf5e8d8a6d6be00df3aacbef9bf7

SHA256
0006d7ca6560ff2e32d6d1316c41198543705580ec248512252379d7eaa20000

SHA512
58d2e66238c786944a19b22c17631d9a4b8ae1e8ee0b6708bb23d238b91be8c58632a714ce9b967e8e90eded8e1fa0df9e9de62af836fc09d3a0a6763266293d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
f3d93c8b90cced2eba7a6ce63b9aacf0

SHA1
d12936fb197f599b67e2383321df653244d75252

SHA256
5e23a9515c56de39a135463bf8cfbd69e24b2f9144d043f153cfb61dfecc3175

SHA512
c2b57d48ba20e02266d67595a5afe525db6c2d4a794f277831556893c6a480a9a78f1bb08bd49b8cb21f64dee046b765f1576db51716c7712350aa5ba8749105

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
c1c3159a44c0dbee1de01c61179fd965

SHA1
00ac05c6ec2567015d4236937223121bd9a9e388

SHA256
954ebadc494b61b1ff6a17c470039416fdd4fce34421e526efee82c959811598

SHA512
666392f9f135e903c81f49839e52ca2bdc994e88944aa91ae8b98270711503605a59785ab05f9d0f2a75d4b26b033178cd76256c43e34e9184f397fa1bed22e2

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
35ca5a5f1028f23ef3223f3216abc65b

SHA1
ae67c9b3725466f4f4faed92fc09448000d7c77a

SHA256
3449551beb2a81450363b862489031e24c9c8b15b7f42eb16156f7302a5e7d75

SHA512
cb5709137420956437fca52f17bfa81f3463dd21f9931057aadd408a7812ad220670de1b19426ae26c64658ce95ca548d091ff10902b63521de5c2b481380cd3

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
192KB

MD5
3d5e3dfc83de968fbb534bf1dd17aa37

SHA1
3b8a833e349d398ee2c9483d7473ce2513d36f64

SHA256
6d14a4e02434f0a873b072a88b6b2ff27655e52feab0c215cd9a624092119a04

SHA512
a20978ba4ed778693f222b9f1dc52e7418bc70a34e682ed5cb4bd6a6f234eaeffcb1bf017f5dfe90ba5486de9e2f920c755d8f4baad39e3ee19528fd556ad7ed

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.7MB

MD5
127f98f3f1b200828767c3007e40908d

SHA1
526d57e4421716e76ee5abe5f54455911751c2e0

SHA256
c033dddd43dfe5b571e94d58cb4f44d9dbf6b6c07463eeca22146bc30a304ab8

SHA512
1d080038ca0e19bf34fc17e4fbbc02661e367c713a8c704458a02d6345d45b36ec6d8b54a9ac3db9f831cc0be7f0a57c72c68969e264110cace53ebe6b78767b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
75aebd7b378ba64a7ecd9aa839408441

SHA1
a41c150ea082ccc235f1b1c6078a062b0f422f75

SHA256
712555886cb750f09bc12cdd3bf3e5317bbb63fddbe04f15091ef0b88755a438

SHA512
6d72da13ea7f57b16ec060826b7d72aa1e08f4d89b570508d8958bf82c1b726ea24e21c0ee71c530f1051a31b45adc8a10c9bf32c4592d3eb8b3bfadd9cb538e

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
f1971b25607ab1f1dc5d41413941cfaf

SHA1
9a439b7512c6b32d68a9174e3923a1630eed56e6

SHA256
5bcde304c37e5e784e21837755dd0b3890d2d911228c1301debebe23547552a8

SHA512
90bd39060135d266a5fbd30c5b084c40e2834b78ade3ac420c53a522501204feecb400c1037ff33dc39f4ae304eb63359f52d56a3631cc46006b5f68c8dfe224

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
740bf924637c3d876dcc8b7f3efa5b2e

SHA1
46b042317a3e86b38619f7cb89a18f488c967ca0

SHA256
b4b7d55a4fddb26212f9bc3d0a5cdd3201957065d7f56b8bf40380d92e641df7

SHA512
b9f2ebb9242e0e35a50bc119570f897bf5f2baad6f9cc7f208627d07a880a2b5a28e011f3b3924b02f6f3c94cb204440d103ea83ff3422666a209ce59a9a00e8

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
b38176c9e10c82c36cb9b561ed9c9633

SHA1
5d8562e60174b295b47f7639481ac69540263a2c

SHA256
8313647dc81781225a1f1c0a2b7cc32b2eff5455744bb61da311c2bb1a20ea05

SHA512
72e8921b9d19fbd1cf8531236cf6a6c63aed4021985f5cc05b7c2b3d0d5e40b8684c10e221bb51693972636a34cea3a260ed5676a7e8d1a49a5a3df70a3c97b0

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
09bcb20d4e1583fed033e249724ab7e6

SHA1
efd888bdfc8c2aae7261166124c0a60fcbd5df0c

SHA256
0189fe0c49eb41350144e45ed8b63d3e6dd3ea44124ac16acb7b6be36393712d

SHA512
be5fda6aba17144b9726f40e9d28c6fb10205f2d35b2b02fc2471051bc9c1f1ac300d25ac4a7b692c08b63a98b3891ebd49af6693ab2a6499a8727216f4006f5

Download Submit
\Windows\System32\msiexec.exe

Filesize
669KB

MD5
9bcac93754c47a95a28523f1dc783c1c

SHA1
ca7ae16904744ecd228ef59f69ee183d7fa3aa73

SHA256
bce0ba55c23873b4c00a076e22b69969acbf11ee29996e061e40966233011d77

SHA512
6b04d5ef423c30bf7562ec697c9478c8fb1e2369feb9af2503d3b21dd52b781d7d6191523b936c968fc8b2cbaf03f0a9a3d2cf8e136c1172edcf55c0d0d132fc

Download Submit
\Windows\System32\snmptrap.exe

Filesize
305KB

MD5
ba632e48ae35b364233c11b06c944104

SHA1
fa6f67eaa9762518049a77fa4978983624e54edb

SHA256
1f1f52bb01da07ce0d20afd79d0c04195a9b63aa90fdc1550d4b1d2d3a1a85e9

SHA512
0e870ac761ac1de385160ede491be6a16f5a8c69592e4e2ab4bb05d9fd3ce6b773c3894a3ea1dcd7151e44eaea5c06b0817bcc65ce805709e5aeebca67cf1014

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e51f3077b4ef3e8b9c2e6efe8fb55d6e

SHA1
170adfb2dda200d630885483688d598aee5d17fd

SHA256
e667b17a5c4bd98aa62fc68134e80592758909b573080de436429c271c28c94c

SHA512
cc5133f0507a354e91b5501222fb63ee62fbc12365c6a84f1e02deeb7038fc66716838401f46f18f13a8708e57573c625dafa18536da507d37455adf09b18755

Download Submit
\Windows\ehome\ehsched.exe

Filesize
384KB

MD5
c75744985d174622fe30536c65921952

SHA1
175a9de35fa697edec3cd365f9cd7c1b5a999e97

SHA256
0b15cb5c4b5c4ed67f2a3a15fe5cd8c6540a4d37eafc23731f6d9d615f2c4c7e

SHA512
9f8683ffdd96058e3f781cbb34fe202b155d7f87a386fd51b51a5cd7c7a38cc866feb77be04f7b3f7a783a440506c864a0d87ed9a33938713ec4408814a322ac

Download Submit
memory/268-108-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/268-100-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/268-102-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/268-172-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/308-268-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/308-259-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/308-154-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/308-146-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/860-297-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download
memory/860-228-0x000007FEF4720000-0x000007FEF50BD000-memory.dmp

Filesize
9.6MB

Download
memory/860-232-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download
memory/860-182-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download
memory/860-306-0x000007FEF4720000-0x000007FEF50BD000-memory.dmp

Filesize
9.6MB

Download
memory/860-288-0x000007FEF4720000-0x000007FEF50BD000-memory.dmp

Filesize
9.6MB

Download
memory/860-197-0x000007FEF4720000-0x000007FEF50BD000-memory.dmp

Filesize
9.6MB

Download
memory/876-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/876-55-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/876-56-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/876-62-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/948-178-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/948-213-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/948-214-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/948-299-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/948-212-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1148-281-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1148-165-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1148-175-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1204-141-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1204-160-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1204-242-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1204-275-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1204-132-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1204-133-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1524-215-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1524-198-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1584-117-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1584-124-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1584-229-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1584-119-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1584-125-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1720-271-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1720-273-0x0000000000540000-0x00000000005F2000-memory.dmp

Filesize
712KB

Download
memory/1720-70-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1720-95-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1720-283-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2028-252-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2028-261-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2060-82-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2060-87-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2060-81-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2060-158-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-52-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2300-131-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2416-300-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2416-296-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2644-244-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/2644-235-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2708-101-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2708-20-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2708-15-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2708-13-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2796-294-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-230-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2796-216-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2796-226-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2852-116-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2852-45-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2852-32-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2852-31-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2984-34-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/2984-39-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2984-12-0x0000000002680000-0x0000000002AB1000-memory.dmp

Filesize
4.2MB

Download
memory/2984-0-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/2984-8-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/2984-2-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/3008-231-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3008-227-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download