Analysis
max time kernel: 81s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/04/2024, 13:46
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
Size: 3.2MB
MD5: e74c470f0d96f676c6c4ec5050c572a5
SHA1: be451a9c79e750f8153b0023315a3247065b6057
SHA256: 72f9381794449071c705d08a8ba6de38922ab4322215f18310ebfdc0f2a573b0
SHA512: 4042575dcf47e4ffd63e74a335112823875340a5c53c171aae9761637b9b6127c1b62a6c78629431aea8b0c1cdf58946814d4345f23dacb25e251f286ef4d50a
SSDEEP: 49152:Y5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqy8kQ/qoLEw:+NhSMYw8yEqo4w
Malware Config
Signatures
Executes dropped EXE 32 IoCs
pid   Process
468   Process not Found
2852  alg.exe
2664  aspnet_state.exe
2188  mscorsvw.exe
2416  mscorsvw.exe
2240  mscorsvw.exe
2608  mscorsvw.exe
1964  dllhost.exe
1508  ehRecvr.exe
2276  ehsched.exe
2124  elevation_service.exe
2028  IEEtwCollector.exe
1512  GROOVE.EXE
1612  maintenanceservice.exe
2068  msdtc.exe
2516  mscorsvw.exe
1760  msiexec.exe
2576  OSE.EXE
1376  OSPPSVC.EXE
1360  perfhost.exe
1564  locator.exe
1816  snmptrap.exe
2092  vds.exe
2928  mscorsvw.exe
332   vssvc.exe
2168  wbengine.exe
1264  WmiApSrv.exe
864   mscorsvw.exe
1464  wmpnetwk.exe
2688  SearchIndexer.exe
2456  mscorsvw.exe
1424  mscorsvw.exe
Note: the names above are existing Windows service and application executables, not files written to new paths. Most of them appear in the "Drops file in System32 / Program Files / Windows directory" signatures below as files the sample opened for modification (those tables are capped at 64 entries, so not every binary is listed), and in the process tree they all run at top level, started by their normal hosts (service control manager, COM activation, the NGen service) rather than as children of the sample. The "dropped" tag therefore records the sample's earlier write to the file; on any affected host the listed paths should be treated as binaries whose integrity has to be verified, and "Process not Found" (pid 468) is a process the sandbox could not resolve.
Loads dropped DLL 15 IoCs
pid   Process
468   Process not Found (8 entries)
1760  msiexec.exe
468   Process not Found (5 entries)
752   Process not Found
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 17 IoCs
description / ioc / [Process]; [sample] = 2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  [sample]
File opened for modification  C:\Windows\system32\wbengine.exe  [sample]
File opened for modification  C:\Windows\system32\SearchIndexer.exe  [sample]
File opened for modification  C:\Windows\system32\dllhost.exe  [sample]
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  [msdtc.exe]
File opened for modification  C:\Windows\SysWow64\perfhost.exe  [sample]
File opened for modification  C:\Windows\System32\vds.exe  [sample]
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  [sample]
File opened for modification  C:\Windows\System32\alg.exe  [sample]
File opened for modification  C:\Windows\system32\IEEtwCollector.exe  [sample]
File opened for modification  C:\Windows\system32\locator.exe  [sample]
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\c43700584501ed38.bin  [alg.exe]
File opened for modification  C:\Windows\system32\fxssvc.exe  [sample]
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  [GROOVE.EXE]
File opened for modification  C:\Windows\System32\msdtc.exe  [sample]
File opened for modification  C:\Windows\system32\msiexec.exe  [sample]
File opened for modification  C:\Windows\system32\vssvc.exe  [sample]
Drops file in Program Files directory 64 IoCs
All 64 entries are "File opened for modification" by the sample (2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe):
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
C:\Program Files\Internet Explorer\iediagcmd.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\7-Zip\7z.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
C:\Program Files (x86)\Google\Update\Install\{A460FDBD-01C6-4800-8EDB-C87720E1D9B6}\chrome_installer.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
C:\Program Files\Java\jre7\bin\javaws.exe
C:\Program Files\Java\jre7\bin\jp2launcher.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
Drops file in Windows directory 28 IoCs
description / ioc / [Process]; [sample] = 2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe  [sample]
File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat  [mscorsvw.exe]
File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock  [mscorsvw.exe]
File created  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4CBDA95-F18B-41AD-B134-BE14F379BB37}.crmlog  [dllhost.exe]
File opened for modification  C:\Windows\ehome\ehsched.exe  [sample]
File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat  [mscorsvw.exe]
File created  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat  [mscorsvw.exe]
File opened for modification  C:\Windows\DtcInstall.log  [msdtc.exe]
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock  [mscorsvw.exe]
File created  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat  [mscorsvw.exe]
File created  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat  [mscorsvw.exe]
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe  [sample]
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [sample]
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log  [mscorsvw.exe]
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe  [sample]
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log  [mscorsvw.exe]
File created  C:\Windows\Microsoft.NET\ngennicupdatelock.dat  [mscorsvw.exe]
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe  [sample]
File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4CBDA95-F18B-41AD-B134-BE14F379BB37}.crmlog  [dllhost.exe]
File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat  [mscorsvw.exe]
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log  [mscorsvw.exe]
File opened for modification  C:\Windows\ehome\ehRecvr.exe  [sample]
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  [sample]
File created  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat  [mscorsvw.exe]
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log  [mscorsvw.exe]
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat  [mscorsvw.exe]
File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat  [mscorsvw.exe]
File created  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat  [mscorsvw.exe]
Modifies data under HKEY_USERS 38 IoCs
description / ioc / [Process]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"  [ehRec.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\  [wmpnetwk.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"  [ehRec.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  [wmpnetwk.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  [SearchIndexer.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  [SearchIndexer.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  [ehRecvr.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  [ehRecvr.exe]
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (binary value omitted in this extract)  [OSPPSVC.EXE]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones  [SearchIndexer.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"  [ehRec.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software  [ehRecvr.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"  [ehRec.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software  [wmpnetwk.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health  [wmpnetwk.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"  [ehRecvr.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"  [ehRec.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer  [wmpnetwk.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  [ehRecvr.exe]
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform  [OSPPSVC.EXE]
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"  [ehRec.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9A3AF2AB-6FE1-4901-8FF2-84F073FBAC52}  [wmpnetwk.exe]
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  [GROOVE.EXE]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"  [ehRec.exe]
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"  [ehRec.exe]
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid   Process
1088  ehRec.exe
2236  2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe (25 entries)
Suspicious use of AdjustPrivilegeToken 33 IoCs
description (Token)  pid  Process; [sample] = 2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe
SeTakeOwnershipPrivilege  2236  [sample]
SeShutdownPrivilege  2608  mscorsvw.exe
SeShutdownPrivilege  2240  mscorsvw.exe
33  2880  EhTray.exe
SeIncBasePriorityPrivilege  2880  EhTray.exe
SeShutdownPrivilege  2240  mscorsvw.exe
SeShutdownPrivilege  2608  mscorsvw.exe
SeShutdownPrivilege  2240  mscorsvw.exe
SeShutdownPrivilege  2240  mscorsvw.exe
SeShutdownPrivilege  2608  mscorsvw.exe
SeShutdownPrivilege  2608  mscorsvw.exe
SeDebugPrivilege  1088  ehRec.exe
SeRestorePrivilege  1760  msiexec.exe
SeTakeOwnershipPrivilege  1760  msiexec.exe
SeSecurityPrivilege  1760  msiexec.exe
33  2880  EhTray.exe
SeIncBasePriorityPrivilege  2880  EhTray.exe
SeBackupPrivilege  332  vssvc.exe
SeRestorePrivilege  332  vssvc.exe
SeAuditPrivilege  332  vssvc.exe
SeBackupPrivilege  2168  wbengine.exe
SeRestorePrivilege  2168  wbengine.exe
SeSecurityPrivilege  2168  wbengine.exe
SeManageVolumePrivilege  2688  SearchIndexer.exe
33  2688  SearchIndexer.exe
SeIncBasePriorityPrivilege  2688  SearchIndexer.exe
SeDebugPrivilege  2236  [sample] (5 entries)
33  1464  wmpnetwk.exe
SeIncBasePriorityPrivilege  1464  wmpnetwk.exe
Note: a bare "33" is a privilege the sandbox reports by LUID rather than by name; LUID 33 is SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE in winnt.h). The privileges that matter for triage are the sample's own: SeTakeOwnershipPrivilege, which is what allows it to take ownership of and overwrite the protected System32 and Program Files binaries listed above, and SeDebugPrivilege, which pairs with the process enumeration and WriteProcessMemory hits. The remaining entries (backup/restore privileges in vssvc.exe and wbengine.exe, shutdown in the NGen service) are the normal privilege sets of those services.
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2880  EhTray.exe (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
pid   Process
2880  EhTray.exe (2 entries)
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
1516  SearchProtocolHost.exe (4 entries)
Suspicious use of WriteProcessMemory 29 IoCs
pid   wrote to memory of   Process   procid_target   entries
2236  2932  2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe  28  (3)
2240  2516  mscorsvw.exe  45  (4)
2240  2928  mscorsvw.exe  53  (4)
2240  864   mscorsvw.exe  57  (4)
2688  1516  SearchIndexer.exe  62  (3)
2688  1612  SearchIndexer.exe  63  (3)
2240  2456  mscorsvw.exe  64  (4)
2240  1424  mscorsvw.exe  65  (4)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
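The signature tables in this report are exported as single run-on lines ("File opened for modification <path> <process> File opened for modification ..."), which makes the one question that matters here hard to answer by eye: which of the binaries flagged "Executes dropped EXE" are system or application executables that the sample itself opened for modification first. The helper below is an added example, not part of the tria.ge report or of any tria.ge tooling; it splits those lines back into records, correlates the file-write table with the executed-process table, and pulls the sample's requested privileges out of the AdjustPrivilegeToken table. The SAMPLE_* strings are constructed excerpts (a subset of the entries shown on this page), and the LUID-33 mapping to SeIncreaseWorkingSetPrivilege is taken from winnt.h, not from the report.

```python
"""Triage helpers for the run-on IoC tables of a tria.ge report (added example)."""
import ntpath
import re
from collections import Counter, defaultdict

SAMPLE = "2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe"

# Constructed excerpts of the report's tables; a subset of the real entries.
SAMPLE_FILE_IOCS = (
    "description ioc Process "
    f"File opened for modification C:\\Windows\\System32\\snmptrap.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\wbengine.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile"
    "\\AppData\\Roaming\\c43700584501ed38.bin alg.exe "
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {SAMPLE} "
    "File opened for modification C:\\Program Files (x86)\\Mozilla Maintenance Service"
    f"\\maintenanceservice.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe {SAMPLE} "
    "File created C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngenservicelock.dat mscorsvw.exe "
    f"File opened for modification C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_state.exe {SAMPLE} -"
)
SAMPLE_EXECUTED = (
    "pid Process 468 Process not Found 2852 alg.exe 2664 aspnet_state.exe "
    "2188 mscorsvw.exe 1612 maintenanceservice.exe 2068 msdtc.exe "
    "2168 wbengine.exe 1816 snmptrap.exe -"
)
SAMPLE_TOKENS = (
    f"description pid Process Token: SeTakeOwnershipPrivilege 2236 {SAMPLE} "
    "Token: SeShutdownPrivilege 2608 mscorsvw.exe Token: 33 2880 EhTray.exe "
    f"Token: SeDebugPrivilege 1088 ehRec.exe Token: SeDebugPrivilege 2236 {SAMPLE} -"
)

# Entries are separated by the literal " File " that starts the next record.
_FILE_SPLIT = re.compile(r" File (?=(?:opened for modification|created) )")
# Greedy path then the last whitespace-free token as the acting process.
_FILE_ENTRY = re.compile(r"^(?:File )?(opened for modification|created) (.+) (\S+)$")
# "<pid> <name>" pairs; names may contain spaces ("Process not Found"), so a
# record ends only where the next pid begins or the string ends.
_PID_ENTRY = re.compile(r"(\d+)\s+(.+?)(?=\s+\d+\s|$)")
_TOKEN_ENTRY = re.compile(r"Token: (\S+) (\d+) (\S+)")


def _strip_trailer(text):
    """Remove surrounding whitespace and the trailing ' -' row separator."""
    return re.sub(r"\s+-$", "", text.strip())


def parse_file_iocs(text):
    """Return [(action, path, process)] from a 'Drops file ...' table."""
    out = []
    for chunk in _FILE_SPLIT.split(_strip_trailer(text)):
        m = _FILE_ENTRY.match(chunk.strip())
        if m:  # the 'description ioc Process' header chunk does not match
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def parse_pid_table(text):
    """Return [(pid, process)] from a pid/Process table such as 'Executes dropped EXE'."""
    body = re.sub(r"^pid Process\s+", "", _strip_trailer(text))
    return [(int(pid), name) for pid, name in _PID_ENTRY.findall(body)]


def parse_token_table(text):
    """Return {process: {privilege, ...}} from an AdjustPrivilegeToken table.

    The sandbox prints some privileges by LUID; 33 is SE_INC_WORKING_SET_PRIVILEGE.
    """
    privs = defaultdict(set)
    for priv, _pid, proc in _TOKEN_ENTRY.findall(_strip_trailer(text)):
        privs[proc].add("SeIncreaseWorkingSetPrivilege" if priv == "33" else priv)
    return dict(privs)


def modified_then_executed(file_iocs, pid_table, sample=SAMPLE):
    """Split executed image names into those the sample wrote to first and the rest."""
    modified = {
        ntpath.basename(path).lower()  # ntpath handles backslash paths on any OS
        for action, path, proc in file_iocs
        if proc == sample and action == "opened for modification" and path.lower().endswith(".exe")
    }
    executed = {name.lower() for _, name in pid_table}
    return sorted(modified & executed), sorted(executed - modified)


def writes_by_process(file_iocs):
    """Count file writes per acting process; the sample should dominate."""
    return Counter(proc for _, _, proc in file_iocs)


if __name__ == "__main__":
    iocs = parse_file_iocs(SAMPLE_FILE_IOCS)
    hit, miss = modified_then_executed(iocs, parse_pid_table(SAMPLE_EXECUTED))
    print("executed binaries the sample had opened for modification:", hit)
    print("executed entries not explained by a sample write:", miss)
    print("privileges requested by the sample:", sorted(parse_token_table(SAMPLE_TOKENS)[SAMPLE]))
```

Run against the excerpt, every executed service binary except the unresolved "Process not Found" entry turns out to be one the sample opened for modification, which is the practical reading of the "Executes dropped EXE" signature on this page: the list of modified paths is the integrity-check list for any host that ran this sample. The same parsers apply unchanged to the full tables above once pasted in.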
Processes
Each top-level entry was started independently of the sample (it has no parent in the tree); the only child of the sample is PID 2932, a re-launch of the sample itself. Children are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe (PID 2236)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe (PID 2932)
    command line: C:\Users\Admin\AppData\Local\Temp\2024-04-05_e74c470f0d96f676c6c4ec5050c572a5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x184,0x18c,0x190,0x17c,0x194,0x140221ee0,0x140221ef0,0x140221f00
    Note: this is the Chrome crashpad-handler startup sequence (prod=Chrome, ver=92.0.4515.131, Crashpad database under the Chrome user-data directory, crash-report upload URL). The annotated version 92.0.4515.131 comes from the sample, not from the sandbox image, whose Chrome is 106.0.5249.119 (see the Program Files paths above), so the sample carries a Chrome 92 crash-handler code path of its own. Treat the clients2.google.com URL as Chrome's crash-report endpoint, not as C2.

C:\Windows\System32\alg.exe (PID 2852)
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 2664)
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 2188)
  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 2416)
  command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2240)
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2516)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
    - Executes dropped EXE
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2928)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
    - Executes dropped EXE
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 864)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
    - Executes dropped EXE
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2456)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1424)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1ac -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
    - Executes dropped EXE
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 584)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 260 -Pipe 1ac -Comment "NGen Worker Process"
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1768)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2600)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2072)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e0 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1976)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 20c -NGENProcess 208 -Pipe 1e0 -Comment "NGen Worker Process"
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2388)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 274 -NGENProcess 284 -Pipe 240 -Comment "NGen Worker Process"
  Note: the WriteProcessMemory hits attributed to PID 2240 are the NGen service spawning its worker processes; they are not writes by the sample.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 2608)
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dllhost.exe (PID 1964)
  command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\ehome\ehRecvr.exe (PID 1508)
  command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\ehome\ehsched.exe (PID 2276)
  command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE

C:\Windows\eHome\EhTray.exe (PID 2880)
  command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2124)
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

C:\Windows\ehome\ehRec.exe (PID 1088)
  command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\IEEtwCollector.exe (PID 2028)
  command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 1512)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 1612)
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE

C:\Windows\System32\msdtc.exe (PID 2068)
  command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

C:\Windows\system32\msiexec.exe (PID 1760)
  command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 2576)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 1376)
  command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\SysWow64\perfhost.exe (PID 1360)
  command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE

C:\Windows\system32\locator.exe (PID 1564)
  command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE

C:\Windows\System32\snmptrap.exe (PID 1816)
  command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE

C:\Windows\System32\vds.exe (PID 2092)
  command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 332)
  command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (PID 2168)
  command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe (PID 1264)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1516
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵PID:1612
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵PID:2544
-
Network
MITRE ATT&CK Enterprise v15
Downloads