aeb8b781cc401d490ccded6a625431c15e76abe6b57eb44ff2b0ca9cc0349697

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
Size

1.1MB
MD5

3184da3c93fddf8cb07c4fddf8c8d7f5
SHA1

6527d1b63794df91acdd0d3df2e44ba23141c373
SHA256

aeb8b781cc401d490ccded6a625431c15e76abe6b57eb44ff2b0ca9cc0349697
SHA512

73c9ce8c354e7ee31cfb5826aa9d3a4b05566c9a6f22508f4d4a0d061c51bcf03691ec6fbdf9bace5fbc6dfeb569bd6515cc34f618cf10ad484659f0e6282106
SSDEEP

24576:fSi1SoCU5qJSr1eWPSCsP0MugC6eTCEQkbvK8N3t3QVkLhoo+SVfhl2/:XS7PLjeTCErvL73RLSo+2fhl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
468	Process not Found
1988	alg.exe
2808	aspnet_state.exe
2568	mscorsvw.exe
2616	mscorsvw.exe
2296	mscorsvw.exe
1756	mscorsvw.exe
1812	ehRecvr.exe
1708	ehsched.exe
1228	elevation_service.exe
2272	dllhost.exe
1820	mscorsvw.exe
992	mscorsvw.exe
1504	mscorsvw.exe
2652	mscorsvw.exe
2608	mscorsvw.exe
2576	mscorsvw.exe
1704	mscorsvw.exe
2492	mscorsvw.exe
2684	mscorsvw.exe
836	mscorsvw.exe
2128	mscorsvw.exe
2008	mscorsvw.exe
2064	GROOVE.EXE
2396	maintenanceservice.exe
3016	mscorsvw.exe
916	mscorsvw.exe
2060	mscorsvw.exe
2512	mscorsvw.exe
2528	mscorsvw.exe
2360	mscorsvw.exe
2684	mscorsvw.exe
2736	mscorsvw.exe
1936	mscorsvw.exe
2132	mscorsvw.exe
2932	mscorsvw.exe
2620	mscorsvw.exe
2544	OSE.EXE
1908	OSPPSVC.EXE
1824	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d87bbe943db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{860800DD-69F5-40C3-8D5D-1950B05AEDFB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{860800DD-69F5-40C3-8D5D-1950B05AEDFB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2024	ehRec.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1112	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: 33	1412	EhTray.exe
Token: SeIncBasePriorityPrivilege	1412	EhTray.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeDebugPrivilege	2024	ehRec.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: 33	1412	EhTray.exe
Token: SeIncBasePriorityPrivilege	1412	EhTray.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeDebugPrivilege	1988	alg.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe
Token: SeShutdownPrivilege	2296	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1412	EhTray.exe
1412	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1412	EhTray.exe
1412	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1820	2296	mscorsvw.exe	40
PID 2296 wrote to memory of 1820	2296	mscorsvw.exe	40
PID 2296 wrote to memory of 1820	2296	mscorsvw.exe	40
PID 2296 wrote to memory of 1820	2296	mscorsvw.exe	40
PID 2296 wrote to memory of 992	2296	mscorsvw.exe	41
PID 2296 wrote to memory of 992	2296	mscorsvw.exe	41
PID 2296 wrote to memory of 992	2296	mscorsvw.exe	41
PID 2296 wrote to memory of 992	2296	mscorsvw.exe	41
PID 2296 wrote to memory of 1504	2296	mscorsvw.exe	42
PID 2296 wrote to memory of 1504	2296	mscorsvw.exe	42
PID 2296 wrote to memory of 1504	2296	mscorsvw.exe	42
PID 2296 wrote to memory of 1504	2296	mscorsvw.exe	42
PID 2296 wrote to memory of 2652	2296	mscorsvw.exe	43
PID 2296 wrote to memory of 2652	2296	mscorsvw.exe	43
PID 2296 wrote to memory of 2652	2296	mscorsvw.exe	43
PID 2296 wrote to memory of 2652	2296	mscorsvw.exe	43
PID 2296 wrote to memory of 2608	2296	mscorsvw.exe	45
PID 2296 wrote to memory of 2608	2296	mscorsvw.exe	45
PID 2296 wrote to memory of 2608	2296	mscorsvw.exe	45
PID 2296 wrote to memory of 2608	2296	mscorsvw.exe	45
PID 2296 wrote to memory of 2576	2296	mscorsvw.exe	47
PID 2296 wrote to memory of 2576	2296	mscorsvw.exe	47
PID 2296 wrote to memory of 2576	2296	mscorsvw.exe	47
PID 2296 wrote to memory of 2576	2296	mscorsvw.exe	47
PID 2296 wrote to memory of 1704	2296	mscorsvw.exe	48
PID 2296 wrote to memory of 1704	2296	mscorsvw.exe	48
PID 2296 wrote to memory of 1704	2296	mscorsvw.exe	48
PID 2296 wrote to memory of 1704	2296	mscorsvw.exe	48
PID 2296 wrote to memory of 2492	2296	mscorsvw.exe	49
PID 2296 wrote to memory of 2492	2296	mscorsvw.exe	49
PID 2296 wrote to memory of 2492	2296	mscorsvw.exe	49
PID 2296 wrote to memory of 2492	2296	mscorsvw.exe	49
PID 2296 wrote to memory of 2684	2296	mscorsvw.exe	50
PID 2296 wrote to memory of 2684	2296	mscorsvw.exe	50
PID 2296 wrote to memory of 2684	2296	mscorsvw.exe	50
PID 2296 wrote to memory of 2684	2296	mscorsvw.exe	50
PID 2296 wrote to memory of 836	2296	mscorsvw.exe	51
PID 2296 wrote to memory of 836	2296	mscorsvw.exe	51
PID 2296 wrote to memory of 836	2296	mscorsvw.exe	51
PID 2296 wrote to memory of 836	2296	mscorsvw.exe	51
PID 2296 wrote to memory of 2128	2296	mscorsvw.exe	52
PID 2296 wrote to memory of 2128	2296	mscorsvw.exe	52
PID 2296 wrote to memory of 2128	2296	mscorsvw.exe	52
PID 2296 wrote to memory of 2128	2296	mscorsvw.exe	52
PID 2296 wrote to memory of 2008	2296	mscorsvw.exe	53
PID 2296 wrote to memory of 2008	2296	mscorsvw.exe	53
PID 2296 wrote to memory of 2008	2296	mscorsvw.exe	53
PID 2296 wrote to memory of 2008	2296	mscorsvw.exe	53
PID 2296 wrote to memory of 3016	2296	mscorsvw.exe	56
PID 2296 wrote to memory of 3016	2296	mscorsvw.exe	56
PID 2296 wrote to memory of 3016	2296	mscorsvw.exe	56
PID 2296 wrote to memory of 3016	2296	mscorsvw.exe	56
PID 2296 wrote to memory of 916	2296	mscorsvw.exe	57
PID 2296 wrote to memory of 916	2296	mscorsvw.exe	57
PID 2296 wrote to memory of 916	2296	mscorsvw.exe	57
PID 2296 wrote to memory of 916	2296	mscorsvw.exe	57
PID 2296 wrote to memory of 2060	2296	mscorsvw.exe	58
PID 2296 wrote to memory of 2060	2296	mscorsvw.exe	58
PID 2296 wrote to memory of 2060	2296	mscorsvw.exe	58
PID 2296 wrote to memory of 2060	2296	mscorsvw.exe	58
PID 2296 wrote to memory of 2512	2296	mscorsvw.exe	59
PID 2296 wrote to memory of 2512	2296	mscorsvw.exe	59
PID 2296 wrote to memory of 2512	2296	mscorsvw.exe	59
PID 2296 wrote to memory of 2512	2296	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2568

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 26c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 278 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f4 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 27c -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f4 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 288 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1dc -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 29c -NGENProcess 1f4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1dc -NGENProcess 1f4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 2a8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 1dc -NGENProcess 240 -Pipe 19c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1812

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2272

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2396

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2544

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
9ba84bb9c520638a725be1d285f886fd

SHA1
5ff9100ebd919f7d1309323623193baa93df5226

SHA256
18cf1c72241a947498b6a943365b835d614fb5f5c2444a6ffb125e0c6567d7d3

SHA512
456d878bcec45cdcb87c3c57cf3f60d0fceb65fe2ff36d41856132ec226fdb07b43fd0fc27f5c77a0aba3d0a4d1774f1fbb92ae56b289c6375aa176bf38d4b35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
3.7MB

MD5
938408fb195760991690742089ad232e

SHA1
1676d46f8922a587f9138609c5b7b3884a75021f

SHA256
b6a4d5c7c2c650db14ac60bdaf7a01f296dc38355bd6f388197f6736fb981e2f

SHA512
61d2062b9d8501ae856b862ba3441d182b9675a0cc98725d11f3aac084caa843c30ae0d50e51ce3bbc34830bdf83fd1cccc42aa03a96f97c911a6bd667a26dd3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
341a72d3f389b563a4ea6d2fdd2af3f1

SHA1
3297fb4cbfaeb44052f4c7442a11a5d60c805e4a

SHA256
ffcf3d763df8b86b477f5a3c30ad605c4f221a930e91c7b53bbc69354cc448fa

SHA512
61a8c79347af74e5d35aa80f44dcb689db14fe023058b239d67bceca3832af38083338fd73333d975fad54045c88cae07f194227435b32c83d631a020139eba0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
704KB

MD5
23ecb3e9bb764e6825384856d7329547

SHA1
d6fa15cfabdf723467d10d7a294fac6ffd8713fa

SHA256
e33b94b69a0a308fd35b80d85d46e6b8394242b163122a831158af027e440cb1

SHA512
e1729666289d372b05df61e0243b7a91029612f0f94a1a948ad14883c9e1670773595d939f3b431d0c91911cbb88416e4d7ff577eff91245fde9bac565516636

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5b846ea440da274421701c97ee38e968

SHA1
c7d7e5a59d27f8b303f633c8a88774c7036ea532

SHA256
5150ac5acc7fbefacd0bce627058fa2980b2c5070f143fedc05f8fcfbbc36dfc

SHA512
168d511b755960184e277044a7c5726896bb50dde27848312d3941007c03895787dc4b5c9948775e5e0532b3a82872c9ade1453d9d2b2766c78142597bd399bc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
328759608c660d9f733b027fea9c915d

SHA1
b9997dce7a5e3cb93ad240374cfd321d50bad04a

SHA256
f83fa8983f4b9688191bf0816857e0ace53eb45d4422a834d6925b4fd78af782

SHA512
d4815ec9c73ab145c128e422b412b1420ec8a696899e2bd57ae4812e24eefcb6b8f969be89b7bc888c0ec52e4a747ba642f0bf123322d46708d9199339db6140

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
2255f78b653fddf6d964da6bbba04e4f

SHA1
a336b2d26ef08d6683e398301be9dfa02c34ec66

SHA256
74ae1ed75f527bcbc5e10f209c547940676cc78810f07aaa8d16e093847f28cf

SHA512
3e3df39992335395b367650540cff49716290fd896451410715d8a8bb7ebb24dfab48b831b8c32cf2480286e810e9ea01dabf83e4a93059ccd9c1e30f36d7e62

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
0b6e1e2967526e13c57896453b81bbb0

SHA1
ad0710fc53194eaddec2b8836a4f2125d10aa67e

SHA256
bce27ac988ade4b7290e1e00447ada90fa0769de4bd108a7ab906ae65f1c760a

SHA512
328471046b1f202cb0e0afc2246091b384b476bfa601440e591df4c3c0f437c5a46e479ef1e6a6aa30f882a57cba12e2d814156e4a698ad5df5a2d52c26a5778

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
5e192149224f02fd65d7edaee1489fcd

SHA1
1176699fe5ff553dc61bbc174248601d786857fc

SHA256
8438d104213349165460bba136afe5d66f5918e33dbed5df34eefcbc602d7127

SHA512
eb4130df0b8eb1401d4eeb558ed14e15d69202f0e8f137db2165f29bcfabda3ec49cb90595473f633a38def8d2046dd36fe47f36e58a043c8d544c1c9d36d069

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e11ff6e75e2185f93562c04eb74a7e35

SHA1
23affad36a758f1cd74e2cad9e5b9c520f5df119

SHA256
8caa0650ea9a105cd4c0e8c457040ac807a8c74cc0afc24ad54ff2d639fc1548

SHA512
4a6947be392b8ec270651c2117df7967981632c4a45de565f0e41caa7b100f389804cc4cc0ccd63b95ff7cb1a43036f4eb4de0be820fc87743a04ca6313f5255

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
b550c6971c4dbba6e455c903846761bc

SHA1
52cfff09503a701e4129a3fad13a0d670cafe9a3

SHA256
e81978a347cfb532a584fc42be9ba3766b75dcc24e0ed043a79f38a728a8ea63

SHA512
759b62f40ef9722e9153212d7d14b056c38c831e164832cd53e381c35d6eb3f617fe5a3085a4fda0431977f3d2e255b5a5b6267a75743e6ed1fd4f9f70dcf941

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
704KB

MD5
20ec66e69c577a57bbca28a6702117a2

SHA1
d1b447231c420f5d95a7d2dfa11fbe63f7d2909c

SHA256
a0be229a7e03df2b7ba81991ffa4bb4d388f8946cad282e33535b1d6b2b0ae4e

SHA512
81a13ea639af4f5c715c7f2b4739751bc964a34b5281eb6ac9c585897cff7356054c2b148c3f90b4f35a3e2254bdd93dfd7886547abfa94f2ffee71dbaf00a53

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
576KB

MD5
102de983db014ec5090f6470bacd7a13

SHA1
cf1231d9ce110e3edbce5d7fd43817a69760baa5

SHA256
025f9cf696dfc9f1ae80fc87f7e8b4c602135e96b0d5e0fc87b3b837c313a134

SHA512
9a8739a00bbbdc2919bb4d5480a4c8e3e0bb2a3631aaf08dfe55cb9bc92408ca44e38e66bcdcb0ffcb5c9efed6f2da6170ce5f8cf7c57cc196096e18486c9843

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
6e53635fca9bc99115c7bed90f51446f

SHA1
be5a77154899f5b04cbf01bd0c2e28f183099410

SHA256
4e4d7559cdc1fa4bf4c4261b8d19a2a60256176b4c80c7a7e6b73c36b0e25f21

SHA512
ca8d458542589b59d3b2e31ebb3913232d2c4b203c4bdcc115530857df9c7bfd57aa9f0b2cd6b6253829045dae409bba5a213bfaa462ea6d8fffe05af7cc4e81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
979d89068adee5481ec09d298ccd7719

SHA1
ee6b11dedd04657b9961b81dd71dfedcdece98de

SHA256
72d8cc05facd3b97fcedf4db35e73218428ce33d4c934f25ca82154cb3876ff1

SHA512
f49510241c9af143967cd99f8aa0fd3d6fc95db023c824b149fe50c5935f7329eec95b41c5233181859967d57fd4abd6490b1da03aa8d75ca493b355a09314a8

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
00e01049bf5eb15a077a31b1b3201fe4

SHA1
3b544841e1b298080250faec162e006dd25d60db

SHA256
1dd5dc11739dca634c21ef842af9f2b7879b5227c4e0a10e6c11bd3db1002f45

SHA512
ccfec518fbcfb9aff20e3868849bea2fabfaf4a23cbde41b94967f3d61e07f62a09a2c4b9235a65336e4f12119d3ca5a02fffa4760dc0a8529e28f338876522f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
3c44533e567abbbf791c4bce102e6786

SHA1
c22b1c64fdb3fb589529681b2a50ea349008acca

SHA256
81d3ce5b84abbf4b3f3eba683862315cec083b6ba0a70f7af5c1a18ecb7e29b0

SHA512
ee6bc1a5388a4faadbba1824364d72b3dc794d30cfe8967039c11ffd54b9646466379ef8c4e0dbb3ae6411b239fef0e786e5433876eb85feff2a778ae1c4e5b3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
59b40cc707ed4813c3d0950fb9110399

SHA1
8c7f45f61f8cdc547ed6fc956f9461354412d1cb

SHA256
e19bad938b72a7ec1ba70e69deb0f02a81fb285c26305c69a9c9cf4880333f80

SHA512
dba1c09ec611522f329e771b46cc40ec10fea88a2788cc135776157e3ded7750dc519e06eea7b9b77cda9bdf8c8fb4e38c2637c85fef89d5ea9f42457440cda6

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
12a5ee2c28317391db7dfec917fec4f4

SHA1
cbeb118680d550599f7262ef58a88ce1d05a69ab

SHA256
afbc572af231b208663889a0964c4eadb866cab36c9c7750d2de9e2e42e2a417

SHA512
c527cfc04e0e08d0b8430dd1b34d00c2069a7c4e069723daff4b567d1c6cff8b7403dce1b25da91f344fa280619603c0d0bbc6f29dd7922bcb8250fdb3d909f4

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
1b5237a177db5a1261b0134ecaa523d3

SHA1
7de00f8ae34799018a9965aad8e0d6167e8d964e

SHA256
1bfb3fb305d7a830b8614c29e92b2f698666017f9fd273a65e2dc78a86bd02e3

SHA512
01ccbd6b90763178f727e014179846745c78e3510b5e8da13fccf0ba9a398a8be2a945453ae173c3597c9134785acaeba2f2b8f1cad4b3ad664f92b9151fae0e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ceb2b39115854abbb6badd08c83a2a48

SHA1
6b35600fab8211457f093165ea3e77ff519b09df

SHA256
73f96798c10fc79aa60ade620abd890d65f6ef960ed1778bba8c46f90ce23f05

SHA512
ba7573375ebdce51fec39b22bfa744c9ebb6d3974b70e01ee4d5828bd92a3795ab396dff526933a2d6b4ac93510619ff00c5d969101c05e460b81bbe62afaf6a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
f435b1d77da44ce43bd368cbcddc3670

SHA1
73947e8e92e8c4ba19092cf3077f278fcd5a7fb3

SHA256
c60e9f454ef6ea73206da309f1c4f114ced878eea6e984e3e31f1cde9bab7321

SHA512
988efbefb3d0df739d76d9e200f7c517024e8645c61b446b58c8f6f9c1126c7679fa682ee83a092f71ae9eb51ccd25fac3613169b57c3b28e904bcaf4324b227

Download Submit
memory/992-187-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/992-204-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/992-190-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/992-205-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1112-74-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1112-8-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1112-7-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1112-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1112-131-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1112-127-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1112-1-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1228-137-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1228-186-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1228-125-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1228-124-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1504-224-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1504-223-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-207-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-203-0x0000000000590000-0x00000000005F6000-memory.dmp

Filesize
408KB

Download
memory/1704-261-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/1708-116-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1708-115-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1708-109-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1708-108-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1708-164-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1756-143-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1756-75-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1756-76-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1756-83-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1812-176-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1812-120-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1812-119-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1812-101-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1812-121-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1812-96-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1812-155-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1812-94-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1820-158-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1820-189-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1820-165-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1820-188-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1820-162-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/1988-14-0x0000000100000000-0x0000000100138000-memory.dmp

Filesize
1.2MB

Download
memory/1988-93-0x0000000100000000-0x0000000100138000-memory.dmp

Filesize
1.2MB

Download
memory/1988-21-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1988-15-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2024-148-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2024-166-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2024-146-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-145-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2024-201-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-202-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2024-144-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-209-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-206-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2272-142-0x0000000100000000-0x0000000100129000-memory.dmp

Filesize
1.2MB

Download
memory/2296-59-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2296-138-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2296-66-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/2296-60-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/2568-37-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/2568-30-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2568-31-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/2568-57-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2576-246-0x0000000000540000-0x00000000005A6000-memory.dmp

Filesize
408KB

Download
memory/2576-250-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-251-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2608-252-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-234-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-233-0x0000000000540000-0x00000000005A6000-memory.dmp

Filesize
408KB

Download
memory/2616-87-0x0000000010000000-0x000000001013C000-memory.dmp

Filesize
1.2MB

Download
memory/2616-46-0x0000000010000000-0x000000001013C000-memory.dmp

Filesize
1.2MB

Download
memory/2652-238-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-237-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2652-221-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-212-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2652-219-0x0000000000540000-0x00000000005A6000-memory.dmp

Filesize
408KB

Download
memory/2808-27-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2808-107-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download