200ff25858c1c07894889407b1dc59e0c2284ac07d3d7653427ef1bb625703be

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
Size

1.1MB
MD5

e76de4fb7ac92bd40370b074a94bc815
SHA1

5f0b6c3a475103300a081de498f3187c2f229656
SHA256

200ff25858c1c07894889407b1dc59e0c2284ac07d3d7653427ef1bb625703be
SHA512

7f6a6ea9ce2f2facf256233118ccee8b6bb5636543a8f0eec861bba5026b5f1ea4c2169e11f25ca8fc820c29de9331c826c94203b1fca25a27193794423db84e
SSDEEP

24576:6Si1SoCU5qJSr1eWPSCsP0MugC6eTrVqIi2lObXobHAEW9INFJY0au:CS7PLjeTrw7x03jY0a

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 46 IoCs

pid	Process
468	Process not Found
2716	alg.exe
2696	aspnet_state.exe
2676	mscorsvw.exe
2296	mscorsvw.exe
540	mscorsvw.exe
2740	mscorsvw.exe
1492	ehRecvr.exe
2164	ehsched.exe
1752	elevation_service.exe
2276	dllhost.exe
1676	IEEtwCollector.exe
2056	mscorsvw.exe
932	GROOVE.EXE
2540	maintenanceservice.exe
1576	msdtc.exe
2856	msiexec.exe
2636	OSE.EXE
2800	OSPPSVC.EXE
1420	perfhost.exe
1740	mscorsvw.exe
1256	locator.exe
2340	snmptrap.exe
2044	vds.exe
2336	vssvc.exe
2372	wbengine.exe
2188	WmiApSrv.exe
2092	wmpnetwk.exe
2600	SearchIndexer.exe
948	mscorsvw.exe
2152	mscorsvw.exe
1520	mscorsvw.exe
1120	mscorsvw.exe
2528	mscorsvw.exe
1076	mscorsvw.exe
1152	mscorsvw.exe
1672	mscorsvw.exe
2272	mscorsvw.exe
2344	mscorsvw.exe
892	mscorsvw.exe
1220	mscorsvw.exe
2088	mscorsvw.exe
1712	mscorsvw.exe
1824	mscorsvw.exe
2592	mscorsvw.exe
2248	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2856	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
772	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\daa53f973db14c9a.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{453D3852-84D6-42F1-8DA4-9914CF553311}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{453D3852-84D6-42F1-8DA4-9914CF553311}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{D0EAED81-A85E-45EC-9725-5F7694931BED}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{D0EAED81-A85E-45EC-9725-5F7694931BED}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2972	ehRec.exe
2696	aspnet_state.exe
2696	aspnet_state.exe
2696	aspnet_state.exe
2696	aspnet_state.exe
2696	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2312	2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
Token: SeShutdownPrivilege	540	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	540	mscorsvw.exe
Token: 33	2960	EhTray.exe
Token: SeIncBasePriorityPrivilege	2960	EhTray.exe
Token: SeTakeOwnershipPrivilege	2696	aspnet_state.exe
Token: SeShutdownPrivilege	540	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	540	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeSecurityPrivilege	2856	msiexec.exe
Token: SeDebugPrivilege	2972	ehRec.exe
Token: SeBackupPrivilege	2336	vssvc.exe
Token: SeRestorePrivilege	2336	vssvc.exe
Token: SeAuditPrivilege	2336	vssvc.exe
Token: SeBackupPrivilege	2372	wbengine.exe
Token: SeRestorePrivilege	2372	wbengine.exe
Token: SeSecurityPrivilege	2372	wbengine.exe
Token: 33	2092	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2092	wmpnetwk.exe
Token: SeManageVolumePrivilege	2600	SearchIndexer.exe
Token: 33	2600	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2600	SearchIndexer.exe
Token: 33	2960	EhTray.exe
Token: SeIncBasePriorityPrivilege	2960	EhTray.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeDebugPrivilege	2696	aspnet_state.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeDebugPrivilege	540	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2960	EhTray.exe
2960	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2960	EhTray.exe
2960	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1664	SearchProtocolHost.exe
1664	SearchProtocolHost.exe
1664	SearchProtocolHost.exe
1664	SearchProtocolHost.exe
1664	SearchProtocolHost.exe
704	SearchProtocolHost.exe
704	SearchProtocolHost.exe
704	SearchProtocolHost.exe
704	SearchProtocolHost.exe
704	SearchProtocolHost.exe
704	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2056	2740	mscorsvw.exe	40
PID 2740 wrote to memory of 2056	2740	mscorsvw.exe	40
PID 2740 wrote to memory of 2056	2740	mscorsvw.exe	40
PID 2740 wrote to memory of 1740	2740	mscorsvw.exe	49
PID 2740 wrote to memory of 1740	2740	mscorsvw.exe	49
PID 2740 wrote to memory of 1740	2740	mscorsvw.exe	49
PID 2600 wrote to memory of 1664	2600	SearchIndexer.exe	60
PID 2600 wrote to memory of 1664	2600	SearchIndexer.exe	60
PID 2600 wrote to memory of 1664	2600	SearchIndexer.exe	60
PID 2600 wrote to memory of 3060	2600	SearchIndexer.exe	61
PID 2600 wrote to memory of 3060	2600	SearchIndexer.exe	61
PID 2600 wrote to memory of 3060	2600	SearchIndexer.exe	61
PID 540 wrote to memory of 948	540	mscorsvw.exe	62
PID 540 wrote to memory of 948	540	mscorsvw.exe	62
PID 540 wrote to memory of 948	540	mscorsvw.exe	62
PID 540 wrote to memory of 948	540	mscorsvw.exe	62
PID 540 wrote to memory of 2152	540	mscorsvw.exe	63
PID 540 wrote to memory of 2152	540	mscorsvw.exe	63
PID 540 wrote to memory of 2152	540	mscorsvw.exe	63
PID 540 wrote to memory of 2152	540	mscorsvw.exe	63
PID 540 wrote to memory of 1520	540	mscorsvw.exe	64
PID 540 wrote to memory of 1520	540	mscorsvw.exe	64
PID 540 wrote to memory of 1520	540	mscorsvw.exe	64
PID 540 wrote to memory of 1520	540	mscorsvw.exe	64
PID 2600 wrote to memory of 704	2600	SearchIndexer.exe	65
PID 2600 wrote to memory of 704	2600	SearchIndexer.exe	65
PID 2600 wrote to memory of 704	2600	SearchIndexer.exe	65
PID 540 wrote to memory of 1120	540	mscorsvw.exe	66
PID 540 wrote to memory of 1120	540	mscorsvw.exe	66
PID 540 wrote to memory of 1120	540	mscorsvw.exe	66
PID 540 wrote to memory of 1120	540	mscorsvw.exe	66
PID 540 wrote to memory of 2528	540	mscorsvw.exe	67
PID 540 wrote to memory of 2528	540	mscorsvw.exe	67
PID 540 wrote to memory of 2528	540	mscorsvw.exe	67
PID 540 wrote to memory of 2528	540	mscorsvw.exe	67
PID 540 wrote to memory of 1076	540	mscorsvw.exe	68
PID 540 wrote to memory of 1076	540	mscorsvw.exe	68
PID 540 wrote to memory of 1076	540	mscorsvw.exe	68
PID 540 wrote to memory of 1076	540	mscorsvw.exe	68
PID 540 wrote to memory of 1152	540	mscorsvw.exe	69
PID 540 wrote to memory of 1152	540	mscorsvw.exe	69
PID 540 wrote to memory of 1152	540	mscorsvw.exe	69
PID 540 wrote to memory of 1152	540	mscorsvw.exe	69
PID 540 wrote to memory of 1672	540	mscorsvw.exe	70
PID 540 wrote to memory of 1672	540	mscorsvw.exe	70
PID 540 wrote to memory of 1672	540	mscorsvw.exe	70
PID 540 wrote to memory of 1672	540	mscorsvw.exe	70
PID 540 wrote to memory of 2272	540	mscorsvw.exe	71
PID 540 wrote to memory of 2272	540	mscorsvw.exe	71
PID 540 wrote to memory of 2272	540	mscorsvw.exe	71
PID 540 wrote to memory of 2272	540	mscorsvw.exe	71
PID 540 wrote to memory of 2344	540	mscorsvw.exe	72
PID 540 wrote to memory of 2344	540	mscorsvw.exe	72
PID 540 wrote to memory of 2344	540	mscorsvw.exe	72
PID 540 wrote to memory of 2344	540	mscorsvw.exe	72
PID 540 wrote to memory of 892	540	mscorsvw.exe	73
PID 540 wrote to memory of 892	540	mscorsvw.exe	73
PID 540 wrote to memory of 892	540	mscorsvw.exe	73
PID 540 wrote to memory of 892	540	mscorsvw.exe	73
PID 540 wrote to memory of 1220	540	mscorsvw.exe	74
PID 540 wrote to memory of 1220	540	mscorsvw.exe	74
PID 540 wrote to memory of 1220	540	mscorsvw.exe	74
PID 540 wrote to memory of 1220	540	mscorsvw.exe	74
PID 540 wrote to memory of 2088	540	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_e76de4fb7ac92bd40370b074a94bc815_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2676

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1e4 -NGENProcess 1e8 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e4 -NGENProcess 1e8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1e4 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 1e8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 1e8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 200 -NGENProcess 1e8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 280 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 1e8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 1b0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 184 -NGENProcess 1e4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 24c -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d8 -NGENProcess 2dc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 1c8 -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1492

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2960

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2276

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1676

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:932

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2636

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:3060
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
bdb006abf84dd4795881afed7019b4e2

SHA1
4ded713ed54a2148031d27c48c96880e967a0718

SHA256
2a0189c3a41844816636759748409907366e5e1f323540cfc0b2d72f2f23d912

SHA512
73d2d95ed147fd22f5e657c63e868d53de58ac77f329fe49a01aa4939a7cbd6d4b6d55516e1d0e86bda78342c230dcf03fc4cfffee2e9192f1e1f87ce780c0d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
7.2MB

MD5
227a9883785c5d80fe664a325fd325b6

SHA1
97957bb11ffc7f771b26d7152b5f2d6a4e10c968

SHA256
f5ef68505803b40c405b6d3a5f27e17c9409f4c761212df93828089957e35cd4

SHA512
73bf13830a5c2714dcd6138e814e468258c098139f9394bb347ad75fc39b48363a716ef494371c752f0917285264ca75f6ebfc7211c17f2c1d5923d6137c7a09

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
18c145402e206512b3a946098fc16a3c

SHA1
f5bd68c7617fc47eb3bad7ec4b2b32db01f069fb

SHA256
5d2ce9570d6e25bc86e2399e1c2fb16361f3ef458be3a3d0a705773b39e3b345

SHA512
465bf4b3739467e056e95380bbf464327837f6a5d98171be1bd7867b6219c5209777d8ea255768aad55f7f3578b0af19a6eb03ac7dbaefe75fc26ef6863b86bd

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
ddb4072bf05e2640bb65b3c8875c2e62

SHA1
4a7b16b636548dae704caf719e850137c9e2ac57

SHA256
5edc8d7f2f6bd0189755a4c39f6f61685b3c049dd5f41a15a27606ae8a041740

SHA512
2126fe3b0ec0b913748ee3dbbc6bea91161e1c20a96d915be3860e9bc91afc26ac5471bd51cdb21e3177f1838589621b50140a10b0390d731ed087c0ddce7319

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.5MB

MD5
8baec2f245a04e98746078e7c3a81bf1

SHA1
672a1d4e8304b70b623d7f3a0a6bcc1bf6b6df61

SHA256
74b0cd3660574963d0846dcecf625a3ac2b4056dc6c665cc06b6cc8510e260fa

SHA512
f38ba621fe787a3115e5e6501e170672f18c1328bb29ce4c42ab7e247446ede3126b05ad190c57b5016075fc4fe1aaf359a6d94b6b1ad077e58e4a18e8c7c4e9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
576KB

MD5
ce359b4814cb2b1ed23f0e7dd210fe5d

SHA1
e6a2e089f60900136e336624f7181b5ec832cc0e

SHA256
3c4a2f4395559614ccbc105649f4a1f39fc5b46966a91ca0db90e63fdae5f478

SHA512
e208b1827b02a3cc82b9239655666c6d36d744b017353785398c8dfb9fbacc326fed44dd7df0c3d94b0c0c37b34baf5c2ba9d496a54825c827a062f7e16e2cc5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
070825070fe2ad27fe6916a1c85fbc1f

SHA1
e61dd571327cf256c865ece3432c2a1fee79dfe4

SHA256
f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73

SHA512
31b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
88be8de1077fe6d4e84099c26733c9be

SHA1
7e189d972d57fa820894380ba7c1fa056abe9ad4

SHA256
176857141229280f01135b2c75847cbe11757444c10a19538ecfd8122de948cb

SHA512
1f505b3b327e738c5dd049d20cd74c9ad537a029d92bc40d3d2cd731ba7cf5518b4995ffa739b68bb3923d0d8027ea97684adbda6935e8ba0e33cf726f397f51

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
60114a91d9361fbde83eedfcb277e60a

SHA1
094bf729a807722c8beb8a5fb41da7373218d9e5

SHA256
d197f6d730c99c07e356a5bae38c227b0527ef2ad86bc0bc4ea3893e63a64948

SHA512
d48e62e62bd846ee0c8aad2f0fa5441654939f3ccc6b301396bbf74bc5bed2372aca0bd46c1de579e297f3064728dfaa15610c55768315bef11bf23c5eac5f92

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
6e25b25c729688abe1f406c79c27e4fb

SHA1
d9872ac5fc2b0ee5e115d637b5fc39c3dd4df3dd

SHA256
0ad24aa882103e77445b2227146a424c7c5d5e16ff2f33869503edb8c4e31b08

SHA512
14dc994587db632c60cb126f9b4df6396ab23c005a3f0d11cfc80bb8df71127c08b6d6aa9d13037116d3af05ede62946072a9e6de1635750177e63e97790a739

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
467db8b82a7ddf834894e581b352bea3

SHA1
a6e48c9de6e51cd318966ec0e0b58d459f9d9768

SHA256
7364d319a0dff9e5bded7ca1ad02c29d8851a16abf138b3e5cd9e09b27fda998

SHA512
db253f5b4b433745769ae42f2d3d6ba093f9291658a8bbd29af3d8f38c4787a106b45911228ce1cb2b92bf26a3584c8f760be9e2283ca9a11546624b0ca69158

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c327668b90d53a46f3d086f3b494b465

SHA1
d0b5149aeb7cf8bc4fe36c63068f37c4af70de9c

SHA256
3133dbe5de12771ee9dd4d25563c4b83d76ec678d5740bd2e6b8673b926077b3

SHA512
cc1dbf64a41ababae4c5d9a69850badd090b0c3bf867a30ff6abb8c8e9110e1996863824c823564a2bbc943420aa311545871f9c8769e3630b44f38c7075eb30

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
6de8b1af4fa164d29fb4e19904bfff3d

SHA1
b3cf4973cab1b55a7d90dc8437a92ca5a6a12c09

SHA256
8763f64efcfdd713790a182c0e24537584c1c944ae850c8aa7845c3e0f63e4bc

SHA512
037a684029f1cff5f61a2f6b0dfefd977215c9ae053f856914050f3b3b46f25a160766fa2a262aa26ddb1e797c1948cfd802067069f526934ce915c8c1e4b42c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
448KB

MD5
bc0ad90c1ea872a9db3baec8a3aa5397

SHA1
c800aa8b95923f2e46a31030145876b8b8e2b203

SHA256
66890e2971c68932ce75255dca9fcc54e0087d1d73eccee002d861b0eb9518cd

SHA512
bc0b545effd72a14d7cb2d969980e6802d91fb1c2beca823c7edcaa71f507e528f7ab01566bf6d00b514f58676c64c73fef12649b3328c8a87492fef08b2ea68

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
1d2654169d5295cae7965e3a136a05b6

SHA1
23a7a0d257d312e13474a36af32af877a2889857

SHA256
8d2c31f633f5eda20e9e3a4d132c108acc89bdb3093fa1b4fe80a42fe94f9229

SHA512
3b27e11cec2ad293d13034a3567ddf2135ecef3befe7fc5ee533065e43a772c573a165de5ee43ff40da9f6b21772e7ce74172c0c5cdf88c1582e78c90fe4b242

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
80b1904fd1271cc6935d5c84acc7da0f

SHA1
8060422660481e52b91c23485a3bc7dfe8a2fa87

SHA256
0910707a3d95bb266a49a653926b431a51823439d862305b9aab390acf75217b

SHA512
39d0a72f3320afa2b6b76d58a3a73a736a029fa5f409e788c968793cc159141342eae89d8c691cf5253df5da414916ba7fcf7b5512db39461a13f4c765b97133

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
6bd6f609d9b3aa5c86e73ca2eefb44d6

SHA1
4d4a12defeaa0d98af4574c8866d26111ea41f34

SHA256
1cab0d0511ba980a70c93dc92e0244a23df6aa6f4cabb146b6c6610471f66d87

SHA512
b206382f0fcbc2fb17695b24fc634e2065911cdb7145fba78a4eabf8f4fc37c79169443ef3f2af427b77aa240f87811717fe1f47856db02b23025d8b58525cf6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
bc9aa440a4bc180385559051cafd3b46

SHA1
0d1ec774f66d0187979cec2703c7b6dfeccfae5a

SHA256
4829019f76ee3eb35f9c790081650872ab869ac3ad3a8feb2c5efdf45d9b161d

SHA512
a637abf0d90c99c89f30011aed27ea2129b1a5fd556e57152c1c49840460f7840abc3b72458e6229065c38f1192f25f826e61e907fa916b8a519053e5dc62cc2

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
512KB

MD5
569c360c5a94db1d939ec6a6d2b3da8c

SHA1
a6a5b2932b924ccc138723110097ab8a83fe3040

SHA256
3a4d5e6970c820b752a16de99aafc12e5d8d34071a7f4c6e17402608bc66f012

SHA512
d492f5c4cea9d03c401574649a4353c0eced7fab31d5de442368724affc46b90b0c847a4513a1a5cf79cfd56df7fc7f7952e06e9f99451a8d5a9653915a1f466

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
88ce0b97a5ff4ae71de66fc4dbd35fa5

SHA1
57abf63c4f39ddb082c5a9d0c50c01f7e007630d

SHA256
9a0ae91eabdf6bbde113b78bed41af8fd5ffbd6b4b4b2bfe25b7adf77a45c749

SHA512
a8c8359d0ef7d3bf6a1d45c22dc68297f281c57c7be2f7c6012747851b6008fe69143f00644a2e51d6e018b62bafab65fb7689313dc49f1841ca6e37e0acb184

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
5013846f17ac2e8dbddd0b65a6533fe1

SHA1
462e720f13baa402ba0cb1d62383daf6bdefad74

SHA256
aa138ff2dd7ab5c71279fb1a6bb3fa9b42180d08b7015a5499ccc64b72d641cf

SHA512
36f55c81d4156744afc6a436c3c43e03f3117882f0d3bc550ea1c1e0756410165166d02162f5d183ac5ce25d4fab44b0dbf948ace49fcda3d59ed15ec05cb3b0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
e123b752012807dd46d56dec5c64ea51

SHA1
e9d6f7c9ca0e3553ac9ca49057fbc0beea50ab51

SHA256
3c0aca6baed1bb0dc2b87b5bc139ba689f0b61164c4342c53f6414121ba453a5

SHA512
80e5400b568d6e9e753a4210a6ed391ceb8374f64aef6e4591742cdc55c4c33781d77c5d2a837241eaf2df531f968995faa06cdd0be930daa051c19bec1cd151

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
006a02804fde146e65365ab62d9b5089

SHA1
81ca7d058475267bf2410289bce957b173801904

SHA256
de513d8299b5d96bc27fb5520352afeee7bb581b7ca5a92b0cca68988169309b

SHA512
29456bdd1e5a2daf6d7d361df88df507b4012615751b453a32ccfd9c27747ea8bd35ddf0135762409a3700d793e575b6cb1646a307eabfced598a072ca37bc77

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
7e04b9ac46c0faee697597c49c7e8fc7

SHA1
188eaf791755860f1e5fbcf49c523552e5972f26

SHA256
2e1430c40a174a40a662e536357d04fb1bd374baa5f07d47808c803a412f2a6c

SHA512
60f9c2cd1709bcada530725620fd2d5b35054d865604d53fc0ed3ab4dd479f94e18c58c60ed8b37f1b32281ba106929bf9bc59282b814d8e005ae17d5fcee034

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
768KB

MD5
db2b6f4b812d6b8655634f818a38be3d

SHA1
92a38a770138e72c71eb486f3a5eb213f23274e2

SHA256
3ad59fe769dc6094b8daba5bc19677ef32d22267d094cfe79e0b3e5c9396a8e0

SHA512
1816b07f395409b93574f54c1813a20a243a4684db7f1e8ca0c838720a6ef45cb8fa824372cbc7f5d09347a0b82fc7362cc3bef8349403ce81ec214c46fc603b

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2KB

MD5
9b315f24a34f8418b9efa7cdd8070564

SHA1
1f497dc2306c1383f599eb6596bd06c73b934a90

SHA256
8bf63f63a50ef7840e480c0f9975ebae55879a1cae19dc86fc3baf25539f13ab

SHA512
7c2db9677f3573e498d7c0404a599b1186d050736724728f0fbc2aafd1d06b299277d396bd56a06e16d403e53de242f6e5a856e032fb2bd444a24ed83ee31131

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
a96d93a6428f0f721b867a6c8a2e5ee7

SHA1
d5dd255b5b866dba29f22584003275921117942d

SHA256
ed4705eb3364b02b7bb54a6609eda3f5bc5a6ca47cc867261e361b9b970f6d3d

SHA512
64918463641fe78a06905745134d8de49f5c1b8a08cd2334c3422e1daa91c06671a8696dcce58b561ae9227f64e0211daddad8efd837e60d5c40146d7a27b2a2

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
3226fe63b71c5e826855d1df45df8397

SHA1
15953d926f2398fdf66e3b64c882ea04c698b5e2

SHA256
ac882b8df32f04260821cac1bb6772a76bf47c948cedddcf5b2b901aefc1e562

SHA512
7fde4e2e7aee331ec0cbb8f29677c5f420c4908d8627a6bfeeb27a8c9964408fefd785e5f30d52e5ebda07601ef95ef00de4ffcdf47a6b35731633434654b524

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
20bbcc1217c639960f45f06d5bb5d164

SHA1
1c108704c9224d2e2280a917606d3adab77a016d

SHA256
751ddb1ea10c6fc713aa60b5d2e1937a4471632bebaa4e407063d47c82c1b021

SHA512
19a47da4562d7d21ab493c5bf30efc1a322bcc19533f1df0b1db36cbe4f1d6570158c974615f2c5723fb6c7503405b8ec0c832c213dad65f9aa8f271af335521

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
33ba9476173ac0c6f08a770dc0412bd3

SHA1
53ae4a4f2808b94143b4d57d95b8df55d6ef2fc2

SHA256
2786016293ec9d8e59d3af0e4e080e2af87cf8a035307510aecdbbf48bd73bfb

SHA512
61781c28f694dc6a6456b4302f6f36358f7d98d630d42f24c05b7b7fde749a116c5a769eb881009aaf22b47e4ae77ff80e23ee3029d7dc0f0aaa4e6479c2ff1b

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
cec6094ec0be78d91b4ce0dfe270f725

SHA1
c21437ba200087acdfbd9d6d8fb07388a40bac76

SHA256
0dd3499ad7592ddbdde21f32c6a4884e51d03f761fa46c8eb2f4ddbe3c3dc4e9

SHA512
780dd7dd6463a35fad3f9251d485a02ec69d3362bb83e49fca09e11826d98630590c26d73cd3a04ec5a27c19851665273d58caefa085fef6974ab3f5b1e74e1e

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
510a653cfaf3b92e614a5a9937474e1c

SHA1
8d2399dcd7aad3714d36132ab04e88a9a22729d1

SHA256
6a4e8deb97b7c4154acca2e9b6b95266ddf052c56e6311c1a602b31032f04a3a

SHA512
f3bd39ef1f5adfb43a6fbaa58769729bf9027f163d03eae794c18042b6504e64678c59130a68f756f26e1a26eed4d2d547731b5aae0e012df0e0debdd123cdd4

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
89eca9e2089b72b760db3c731593b286

SHA1
049017d3b805aa8ea54a435624d8b308abfc548f

SHA256
152fff71475ef270572a5b8ca9253def541954271b39d77228e5c4abb0224416

SHA512
c7854d66ca4642f99c6cb5222545353fcd2d3872dfc72584bc70769ee84437c1df56092e83bf2c1a3c12cec71520b9776a2d54e16a5902380cb1742a2e11bc66

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a4d60eadf6089b675720b4c37247c647

SHA1
48c38d96465c2b1d5f09d517ebd1112720816c0f

SHA256
b80b4c217606f2b125e7f0e7e783bdffeb0e1f54b460403c052b160e463cbc44

SHA512
dd613b4d3408c0b5938d8b5f813c1afc5a59cfdf14e586e3fce07c66ba8b31e32b8366455d1022bdb374d9ad89f4956cad543197537d2feef40e25a76bd41356

Download Submit
memory/540-144-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/540-68-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/540-63-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/540-62-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/932-187-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/932-191-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1256-274-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1420-267-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1420-269-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1492-288-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1492-110-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1492-103-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1492-172-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1492-146-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1492-109-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1492-102-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1576-233-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1676-299-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1676-166-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1740-292-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-275-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1752-284-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1752-132-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1752-271-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1752-138-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2044-289-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2056-255-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-182-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2056-174-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2056-281-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-279-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2056-280-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2164-189-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2164-117-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2164-118-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2164-125-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2276-152-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2276-291-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2276-161-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2296-96-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2296-45-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2296-53-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2296-54-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2296-47-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2312-145-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2312-69-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2312-1-0x0000000001D50000-0x0000000001DB0000-memory.dmp

Filesize
384KB

Download
memory/2312-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2312-7-0x0000000001D50000-0x0000000001DB0000-memory.dmp

Filesize
384KB

Download
memory/2312-147-0x0000000001D50000-0x0000000001DB0000-memory.dmp

Filesize
384KB

Download
memory/2312-8-0x0000000001D50000-0x0000000001DB0000-memory.dmp

Filesize
384KB

Download
memory/2336-296-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2340-286-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2540-210-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2540-211-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/2636-259-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2636-258-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2676-116-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2676-31-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2676-36-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2676-30-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2696-101-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2696-18-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2696-19-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2696-25-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2716-89-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2716-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2740-81-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2740-159-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2740-88-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2740-82-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2800-270-0x0000000074618000-0x000000007462D000-memory.dmp

Filesize
84KB

Download
memory/2800-266-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2800-263-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2856-272-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2856-232-0x0000000000540000-0x00000000005F2000-memory.dmp

Filesize
712KB

Download
memory/2972-231-0x000007FEF4AF0000-0x000007FEF548D000-memory.dmp

Filesize
9.6MB

Download
memory/2972-229-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2972-228-0x000007FEF4AF0000-0x000007FEF548D000-memory.dmp

Filesize
9.6MB

Download