fccf7408d9b1d2b8aacaa889af7ce752b9b9976db00dfffad4df2b860f3de564

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
Size

4.1MB
MD5

99d05dd1a6bddae90b6862c4029a73d1
SHA1

07127ed0631b4ffe9aec8c57b665aa33cb8af87b
SHA256

fccf7408d9b1d2b8aacaa889af7ce752b9b9976db00dfffad4df2b860f3de564
SHA512

20969ef7bf2f882bc49e3e6f15d1c94035dbcebf73e8c10c5403d126cbfccbe87ec23ec46e0e2a632b7d9c9324a49d0d4d1a2733015477308f704f12fc535200
SSDEEP

49152:u5Viqwo4KxghcyJLBaSbvviqMjfBVrTFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9Y:uBfrrTFFqRlw6a+rEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
472	Process not Found
2612	alg.exe
1760	aspnet_state.exe
2572	mscorsvw.exe
556	mscorsvw.exe
3016	mscorsvw.exe
956	mscorsvw.exe
1336	dllhost.exe
2012	ehRecvr.exe
2376	ehsched.exe
1048	elevation_service.exe
1528	IEEtwCollector.exe
3004	GROOVE.EXE
2828	mscorsvw.exe
2724	maintenanceservice.exe
532	msdtc.exe
1880	msiexec.exe
1144	OSE.EXE
2576	OSPPSVC.EXE
2192	perfhost.exe
1560	locator.exe
1524	snmptrap.exe
3068	mscorsvw.exe
2312	vds.exe
3040	vssvc.exe
960	mscorsvw.exe
1656	wbengine.exe
1340	WmiApSrv.exe
2644	wmpnetwk.exe
2572	SearchIndexer.exe
1396	mscorsvw.exe
2264	mscorsvw.exe
2124	mscorsvw.exe
1312	mscorsvw.exe
2536	mscorsvw.exe
1184	mscorsvw.exe
1516	mscorsvw.exe
2116	mscorsvw.exe
968	mscorsvw.exe
2080	mscorsvw.exe
852	mscorsvw.exe
2620	mscorsvw.exe
2344	mscorsvw.exe
1728	mscorsvw.exe
2032	mscorsvw.exe
1576	mscorsvw.exe
2700	mscorsvw.exe
2740	mscorsvw.exe
1516	mscorsvw.exe
492	mscorsvw.exe
2036	mscorsvw.exe
2356	mscorsvw.exe
2024	mscorsvw.exe
2124	mscorsvw.exe
3056	mscorsvw.exe
1672	mscorsvw.exe
2100	mscorsvw.exe
444	mscorsvw.exe
2668	mscorsvw.exe
1736	mscorsvw.exe
1184	mscorsvw.exe
2636	mscorsvw.exe
768	mscorsvw.exe
1476	mscorsvw.exe

Loads dropped DLL 31 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
1880	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
756	Process not Found
2100	mscorsvw.exe
2100	mscorsvw.exe
2668	mscorsvw.exe
2668	mscorsvw.exe
1184	mscorsvw.exe
1184	mscorsvw.exe
768	mscorsvw.exe
768	mscorsvw.exe
1748	mscorsvw.exe
1748	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
1800	mscorsvw.exe
1800	mscorsvw.exe
2012	mscorsvw.exe
2012	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1baf6d23db14c9a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{309A70B8-EFBF-41F0-8328-B826E5DD78F2}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB0A9.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA515.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9EDE.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBCAB.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB442.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC207.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB886.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0ead2705644da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010c6bb6a5644da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0007d725644da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2556	ehRec.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1280	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: 33	1796	EhTray.exe
Token: SeIncBasePriorityPrivilege	1796	EhTray.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeDebugPrivilege	2556	ehRec.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeSecurityPrivilege	1880	msiexec.exe
Token: 33	1796	EhTray.exe
Token: SeIncBasePriorityPrivilege	1796	EhTray.exe
Token: SeBackupPrivilege	3040	vssvc.exe
Token: SeRestorePrivilege	3040	vssvc.exe
Token: SeAuditPrivilege	3040	vssvc.exe
Token: SeBackupPrivilege	1656	wbengine.exe
Token: SeRestorePrivilege	1656	wbengine.exe
Token: SeSecurityPrivilege	1656	wbengine.exe
Token: 33	2644	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2644	wmpnetwk.exe
Token: SeManageVolumePrivilege	2572	SearchIndexer.exe
Token: 33	2572	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2572	SearchIndexer.exe
Token: SeDebugPrivilege	2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
Token: SeDebugPrivilege	2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
Token: SeDebugPrivilege	2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
Token: SeDebugPrivilege	2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
Token: SeDebugPrivilege	2800	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeDebugPrivilege	2612	alg.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe
Token: SeShutdownPrivilege	3016	mscorsvw.exe
Token: SeShutdownPrivilege	956	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1796	EhTray.exe
1796	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1796	EhTray.exe
1796	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2236	SearchProtocolHost.exe
2236	SearchProtocolHost.exe
2236	SearchProtocolHost.exe
2236	SearchProtocolHost.exe
2236	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2236	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2800	1280	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe	28
PID 1280 wrote to memory of 2800	1280	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe	28
PID 1280 wrote to memory of 2800	1280	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe	28
PID 1280 wrote to memory of 2624	1280	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe	29
PID 1280 wrote to memory of 2624	1280	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe	29
PID 1280 wrote to memory of 2624	1280	2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe	29
PID 3016 wrote to memory of 2828	3016	mscorsvw.exe	44
PID 3016 wrote to memory of 2828	3016	mscorsvw.exe	44
PID 3016 wrote to memory of 2828	3016	mscorsvw.exe	44
PID 3016 wrote to memory of 2828	3016	mscorsvw.exe	44
PID 3016 wrote to memory of 3068	3016	mscorsvw.exe	55
PID 3016 wrote to memory of 3068	3016	mscorsvw.exe	55
PID 3016 wrote to memory of 3068	3016	mscorsvw.exe	55
PID 3016 wrote to memory of 3068	3016	mscorsvw.exe	55
PID 3016 wrote to memory of 960	3016	mscorsvw.exe	58
PID 3016 wrote to memory of 960	3016	mscorsvw.exe	58
PID 3016 wrote to memory of 960	3016	mscorsvw.exe	58
PID 3016 wrote to memory of 960	3016	mscorsvw.exe	58
PID 2572 wrote to memory of 2236	2572	SearchIndexer.exe	63
PID 2572 wrote to memory of 2236	2572	SearchIndexer.exe	63
PID 2572 wrote to memory of 2236	2572	SearchIndexer.exe	63
PID 2572 wrote to memory of 1992	2572	SearchIndexer.exe	64
PID 2572 wrote to memory of 1992	2572	SearchIndexer.exe	64
PID 2572 wrote to memory of 1992	2572	SearchIndexer.exe	64
PID 3016 wrote to memory of 1396	3016	mscorsvw.exe	65
PID 3016 wrote to memory of 1396	3016	mscorsvw.exe	65
PID 3016 wrote to memory of 1396	3016	mscorsvw.exe	65
PID 3016 wrote to memory of 1396	3016	mscorsvw.exe	65
PID 3016 wrote to memory of 2264	3016	mscorsvw.exe	66
PID 3016 wrote to memory of 2264	3016	mscorsvw.exe	66
PID 3016 wrote to memory of 2264	3016	mscorsvw.exe	66
PID 3016 wrote to memory of 2264	3016	mscorsvw.exe	66
PID 2572 wrote to memory of 2776	2572	SearchIndexer.exe	67
PID 2572 wrote to memory of 2776	2572	SearchIndexer.exe	67
PID 2572 wrote to memory of 2776	2572	SearchIndexer.exe	67
PID 3016 wrote to memory of 2124	3016	mscorsvw.exe	68
PID 3016 wrote to memory of 2124	3016	mscorsvw.exe	68
PID 3016 wrote to memory of 2124	3016	mscorsvw.exe	68
PID 3016 wrote to memory of 2124	3016	mscorsvw.exe	68
PID 3016 wrote to memory of 1312	3016	mscorsvw.exe	69
PID 3016 wrote to memory of 1312	3016	mscorsvw.exe	69
PID 3016 wrote to memory of 1312	3016	mscorsvw.exe	69
PID 3016 wrote to memory of 1312	3016	mscorsvw.exe	69
PID 3016 wrote to memory of 2536	3016	mscorsvw.exe	70
PID 3016 wrote to memory of 2536	3016	mscorsvw.exe	70
PID 3016 wrote to memory of 2536	3016	mscorsvw.exe	70
PID 3016 wrote to memory of 2536	3016	mscorsvw.exe	70
PID 3016 wrote to memory of 1184	3016	mscorsvw.exe	71
PID 3016 wrote to memory of 1184	3016	mscorsvw.exe	71
PID 3016 wrote to memory of 1184	3016	mscorsvw.exe	71
PID 3016 wrote to memory of 1184	3016	mscorsvw.exe	71
PID 3016 wrote to memory of 1516	3016	mscorsvw.exe	72
PID 3016 wrote to memory of 1516	3016	mscorsvw.exe	72
PID 3016 wrote to memory of 1516	3016	mscorsvw.exe	72
PID 3016 wrote to memory of 1516	3016	mscorsvw.exe	72
PID 3016 wrote to memory of 2116	3016	mscorsvw.exe	73
PID 3016 wrote to memory of 2116	3016	mscorsvw.exe	73
PID 3016 wrote to memory of 2116	3016	mscorsvw.exe	73
PID 3016 wrote to memory of 2116	3016	mscorsvw.exe	73
PID 3016 wrote to memory of 968	3016	mscorsvw.exe	74
PID 3016 wrote to memory of 968	3016	mscorsvw.exe	74
PID 3016 wrote to memory of 968	3016	mscorsvw.exe	74
PID 3016 wrote to memory of 968	3016	mscorsvw.exe	74
PID 3016 wrote to memory of 2080	3016	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-01-10_99d05dd1a6bddae90b6862c4029a73d1_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x15c,0x160,0x164,0x134,0x168,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "1280" "448"
  2⤵
  PID:2624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2572

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 23c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 1d4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1e0 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1e0 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e0 -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 274 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 280 -NGENProcess 1f0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 26c -NGENProcess 1d8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 290 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 274 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 290 -NGENProcess 2b0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d8 -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 22c -NGENProcess 2a0 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 240 -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1e8 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 1e8 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 22c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 1c4 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 24c -NGENProcess 1d0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 21c -NGENProcess 2b8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 2b0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d0 -NGENProcess 28c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 254 -NGENProcess 28c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 270 -NGENProcess 2a8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 28c -NGENProcess 290 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 270 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 28c -NGENProcess 1c4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 254 -NGENProcess 270 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c0 -NGENProcess 2c4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c8 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1336

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2012

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3004

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1144

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2576

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2236
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
52d0436eeb1862b174adcf3aa11b32af

SHA1
8f44a3829ed6d70e80fe946b69d8e4f2bb7c64bd

SHA256
c8be4d63ddd3cffe8bda469b493b0f61b09a0593bfe7683d787c912cd07654ab

SHA512
3408afb4cd49375bf696b54c734d9367d91ab17b762c50909401199dc6ce78d54b65d920e929a181ecfb908e9ef5c4fda4b421c94741ecc1281987674756f7dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
704KB

MD5
621d94dad6396c1189b2a4d66f3ca6c9

SHA1
0879026b7c401625b03955ff6ec965ee76e3ccbe

SHA256
8fde9fe7edec62bddfa3addcce3039b4827af72085f885d79b2e7ab2af69f0d6

SHA512
f614f76d5a0e3ea74f214953867fb7497f7f7f7288d0f813fe998e6f022626da459eb2e873c8929ce5001cb842d1ae7ff6b550134b01a8378e2b5033ec7452ce

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
576KB

MD5
401ad642078e80392e1768a45218507b

SHA1
30d0b6f4e8a5a7e32bdbc0eddfc210857d7dee23

SHA256
9b46087bb6790bf25df30ab49cea47bdd19c33dac4de85ee52cc35d40088e970

SHA512
d821e1ce0e43823a90ad9cf1d7854cd60d3e348be52fce235cf21a510099477c749a5de0adb711ff40f1c588eb073e60ecc0445f5e323639e7f55b0acde5bd9f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
53f810bcd99934ebd755dc8f6c285ee4

SHA1
898b4cf03dbf037efcf9d173de51e2599055fbaf

SHA256
ef4520b7180fa48284b397eb06c45cc3137e695dd51fe63d532868ea94819cfc

SHA512
46f604e414694233db6610cf6b319ed71fdd7e1dd9fb2d2c9cd173fbe28ff6bf807d08c7019d5702a07fb4a12efee96c9de55a7e49f3a9fc2eff1dfe80175c9e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
70ebfe059c1547363b270277447e8bd6

SHA1
fad3e9bec50707d2123b541473ec7c28d3dde3f2

SHA256
002aa6e2cb087b1ddcb3b8949f3e232abfdc18282738f5b99c67e0163db69cf0

SHA512
438414dcba11ccb7d7e9297986e3d784c0732f225f9c9f23521b81661ff748fdb99541f7131bf5241efa3726bb321619b664145d11c9e870eafa10fd348b91d4

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
070825070fe2ad27fe6916a1c85fbc1f

SHA1
e61dd571327cf256c865ece3432c2a1fee79dfe4

SHA256
f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73

SHA512
31b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae16e8f5a381cabacbd792825ffa7f90

SHA1
eea0abe115202064efeae0a1e887d267e92dac97

SHA256
7089dab463770fa3379f496ef51fd2c84ae773cbd8a471c57da25736d8a1a12a

SHA512
304a807fe20c910f591654e99df41b3073bd72242e08fa6af5e4710c749ff8ef1c76f021cfabf2eecd5d03edfa0500eb156e50341a82a16ccaf15d22c321333c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259423107.txt

Filesize
1KB

MD5
2ad245290609a093173865d1e1ca61e4

SHA1
de1311c48c53c5c19dddf6888c67dcc4220061b0

SHA256
158497f4403e8ba913904398093be7e6295931bcfd28af6f21895d3d9e691a0a

SHA512
1c2e339be951d51475d0ceb97d2370755fb2cac9c8612c79f6f3fd89d27a6a42b146ffbcfbad1a7a1cd0ddbeaeca12ed614aed2a10ec0a07ad8a0a68929477de

Download Submit
C:\Users\Admin\AppData\Roaming\e1baf6d23db14c9a.bin

Filesize
12KB

MD5
0d76bb2851890c8d807da8df92fb9d96

SHA1
bcf77472ab2da9be31b31a1b814f81cf7d8e36a8

SHA256
1a0301ec5cf3e49f68c3a6caa2c919e73b2abd63cfa22efcc9859d3268d48935

SHA512
2a205bcf95a1b351652c12d10af41c4e5a225878f75705a956cd7eca1e046493fbaf90f81068039d634df9b2ffc0e8cf38afbd6b6ca62410ef1d6168463166e7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
ec57b2905363af399b0dd04bf727cfb4

SHA1
ad2487d758e6d503620256842505a4141aeb7df7

SHA256
e2ce656e7f4e847a219b90060f3de4ffed6209e9db04a94f97afb7bdb90ff756

SHA512
ce285535ca505c101ff4d086e1eac20f4cef91179a77aecbe9f27a5bff9d72a1d19f17c4bef84e39da11358040ee2c81b17f952b73a974c124aba5a33973858d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
53e1e5b1fe0c7f60766a3b6312043a0a

SHA1
0369880a690d6d94214f89b2e8137830935d86d1

SHA256
a8d2bbb441d82ba954d06dc7916558dd001e7677b19ba56ee4f1377b88cf8eb8

SHA512
f9ca444636a4e511c829e698b6c61b9b69c129ae86ef16a3eb8e98c0b444f800b16ca351dbb8916b9b1bed90207d0d0a003c87d52eb9a69e39ab1e67ae2d6285

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
8ea9f3fae94eb34537ced0afd893e945

SHA1
18848938f697cfa60b2364770845d5f44d94e074

SHA256
c30b681055b57d48b99fc7d177144e20c6957575e1e992d7878cabaef040c85b

SHA512
57fd2e113760fbaa7f87397eef47e5ade1dcb1f15073db865390cf9dcb2de050fe2834b735724c78f88cb88216e6b057ae90e56402d196455db0fca75ed77603

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
014b81b53472a5d227d97a4b8cef84f2

SHA1
01b31722457356047a5ee0143606c5d085a7eab0

SHA256
bc23a1d5182b44cf2280f8a2703d28603f97ed584bfbf04be14131583211f99c

SHA512
d26d46847b159ee841fc4578e39ae7a93b3e174b1327a40480e5881711d1ca9ca0626df1559fd33bc60eb31d437387258c0d6e6ff320cf42d6cefdd933fe302e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
dee4435b1eaf59f332f236ecb6667839

SHA1
310c5b5bd79f7584bbdbc1ba5d20ef7704ea3827

SHA256
be011cd213364573b076fb197b59e747c8be7839862656e440c70bcc2b7f23aa

SHA512
1752ebf7e468ba83a7ce6b8a1ce018d9f50f7b4cd3ac5dbc30fb354009da93b2c97cf17e623d3299126f677c30cfdab8328fd670f120aa4f63ded6398165a35c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
448KB

MD5
085df38afb7f89747d73c2d7925d426a

SHA1
e307c90d48134074328c7639ba011a01c5165acc

SHA256
9d4f886852089db0ae4a31560cdf4971bf37180e8efda8269decf4ebee3cc858

SHA512
e7d2bce984f625a7363b64aae979a286bb72ea4aa62e6519db52937d8bbaef20a416264ad2e4eb1ff0c22fa37640c33ad66f6ac2117f25e3cb43db4dcc28f181

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
7a2fec4e6b5c2c7620eef1e681ba40f1

SHA1
23be14e1aee31e647f0e05831c43b6d23b860731

SHA256
5ff3fdda15d6d073cd9cd39f555444c5c74c284196d3194dcebc96185ce68b96

SHA512
bc181dda4436f34aa90d7ec26ee2ffe98f2a53617969391bd9724a83b264fee773208b567407fb0fe920106610d4f00fa66f2d553d3fec8df9919d8ead20e2aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
01ea2f0f5bf76da5d25cc1688167ff94

SHA1
e27a8a0fefeba0ca4db4272ee5367015af6f383d

SHA256
ecb660c906286f3cbdeb7654608f401295eebc51b1052f9d40f9c703b4897875

SHA512
1bbe70e903eb73520c5e37c74351f8badc7fe274f37add809e2ab02c8f1b3e3bb8d23d1f9454187be07a76a84a27dcf018cc741963bf0500b5f20c36eea8982d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
597f9ce2caa6ebc76aa3b3b11bed42f3

SHA1
d10fd57a1a594397bf6d0b1bfcfe1c1cae12bc74

SHA256
529507215eb84eead1eb1155c1f9f617bde03f41283e85520857c9da602320d2

SHA512
eb958441703f1fb6da9e68f7c71cbcb7f7542b726e76adfeeb12683675cc0d67514ce6151107cf1b5e6df992a770ca6baf3ff328cc090d9fa0c4199eff9fdd93

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
d0c151ebdec096bea95064053b587129

SHA1
e4f9919e6b5e98b86c4b97482a4ee5d190b8a528

SHA256
c2f24079f7116a2887f8fed0d6b7191551c3687e1347a287d46e1310e90bc959

SHA512
45dd9d4e5b54ffec35a597e689ca5dd3fc9ac10c0b691e1b01f8c5c7ea1f37dc4495d3bbef4a48660e3b17d14c59736aab23d9f9ad817aa3e0a9f7271552c6f8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
5689b9371f0b183b07845f9024437543

SHA1
bcea844da0c8cd576d41d70c6cf04e722ef9cf2b

SHA256
8841e3e1d8b0979be26e1319fd0b2324a93651e14848b1d920ac9527852a8a23

SHA512
684663c1399f6bd97c13114f6344052bb7f66d2f3db50e25e31cd229519661305cc7e77ea9883968590da8b06e762b1874f9c2d62619f6b91efa32d462bf32f0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
13b0573cb4c198f5cef2292f28dccd70

SHA1
007f740926e7ee4d3d1d7ec89248a066c362806c

SHA256
cc1be0dec3f610437a667292e26c4a5f6c9a28a2f9a1eea235110676f2df9cc1

SHA512
09fb9e1f480fab8d81feccb6fea32171c297075aa77282125ccbb8592be283634db59c4618278090a7209b8c5f0804623ff0e0344d37cb18a48a31f436f1dd28

Download Submit
C:\Windows\System32\vds.exe

Filesize
1024KB

MD5
491d5ce98f73a8a2babc2f34d57a532c

SHA1
b96a6670218b73464b577f2a4dd2b1958e1e2552

SHA256
5bc57af9fd45d2c6f1c02a7b7ce72a6d4bec322a576442f56dfcd62abd57f188

SHA512
8085355b0e373437ddae042191691ae10232961e9ce97d979159130a35b31c60beee638700bbbf4c55d1d9105519df1b1a4d2559243dd346e7361b4e3299125d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3c80ca7a6c50651d87cb48f76c36ac8e

SHA1
16e2d83660f84ba2b8ca21dbb35aa108c0ef86ad

SHA256
b6054d5f5dbba474ff04adb18d4b692e331bd979300210f6f68af15a5ad0b98b

SHA512
28803b1d2451d29c13b7a330739d9f2303bb6543c8afd4f803954edd23aa4ff4833dcc3e2ebaad5f03b77f1d4cd6bfec2a2467ec9af04f589748aedabdb7c709

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
f06a5206254ee3012572e6f75cfb41b7

SHA1
6d69ef9a71756f5ed0bb9f3f4703a07f96b42cdb

SHA256
c686cb8b78341ca8110ef3b44b4058632e34d81d4352feea124b29b0ab8220d7

SHA512
ac1a4568714c5e4190ddba4cbade684b80d92929bb15ad67163fa47984974174a20bd382376d4e372de95c647203a63a80c33cec7ba5bf2675714e27bb198e30

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
acde3324dc33c6a5accb017546025bd4

SHA1
e49a70538e0d618d9127ca9a81a77076ed7b21aa

SHA256
04d7d3dbaa104156e69d4088f2b1efd9d5a5f350c51b435fe28c16fbf700abe1

SHA512
9935e578a5bbc38683ade58c4d77cae5b5a3f1f8af3ffea63f76129cdbd3919ad52dcecd1a6754c35e047ab42e816972c310284c330a2c5b93ebf7ca59ddd7a8

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
590528655b4708090af713830a6d04fd

SHA1
82cd6469fd4b69dcccf0c51be663457e3dc58926

SHA256
cdb3e3a11d5b8c26ff12246c1de0ab6e2c1c1199054ba34c11ade0641d44cfd0

SHA512
4945dcddbc535baf7558bfd256e10311b7427b5bf0e5c9cf19cda05b311215ed98c0e817f7b24f994af1621df1181732a33c7728bb982ff70e43cc77a15b66ad

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
6d35967f98250cee85c9a62be90584e2

SHA1
88cafba979c8f3aa4c7afd7e0fccf74cd89e0fc8

SHA256
c0901d7928b08f119dbc98112345c428e20f78f01c624b307cb15749118337de

SHA512
27152ca4a56c49113d61d1a28a4912aab7fc894f90791501095d1bdbbe7b1e426d26cfc60155188cedd08d8296fad16164b3e105c5e2b2280321ba33fe6ea39f

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
3acf81c8321537a958134e1cbc436229

SHA1
6283a06dd4994f92294ffd9fa8a860aed0247c92

SHA256
4e03422ab5b6faabecc21b30954f9ff70c4b1e6ad965f8f028405e5eb686f7ae

SHA512
3a9d4052c97828a7457b044b9addb22ce738c5f90901e900bda481394e5680ea245c69135f73d059864b52ca4c3c29f5277884eafbfb8da44a911e9e37d1ac38

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
0bfbdcc4e1b5cf7843f8b81608759ddb

SHA1
cd29e59032d65768db0914335d2575489ef33a47

SHA256
75cd475ba2da096804162fc9f34c58f700760920a7f5ba9c2b295c61d3bc13d7

SHA512
53edc230c51f886f72b6928486cb4be74235da3a479d6c7c6fe99903756e22afad00059853cc966c228e96c5e3d564d15f7c8195e467b736a046f4715f7e8e54

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
3502b7b5ebd24d1be2112a9a247d6922

SHA1
fd6e06f8f3200b64a6a2f09b926cf3cd10027d55

SHA256
18cce9ac6b8fd69a36304aea58eb1712d0c6c1eadcbaf7a34e698c2cf229defc

SHA512
e69408f04bfc8fede5661edd52a238b4126b3885c74e060d5c17669c946bc0060dc9452edfd9af2fd065df038cdf04d554eb9e81a3d512fe52f5a76ba8c5f94a

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
7069253341f48f0a66a956ae72dd5e61

SHA1
11ee7d5980635b9d4f7ade4e7fc004bff8a6a622

SHA256
eb1f36be5e8367cfbb0e02dacd3b9a356d0a2ce572ec194a20747e571798fb77

SHA512
244ae28ab83492244e0c5d61ce377a55267fc76b1a61e4013ba9c4e6accbdfd52902e181bf69a5b816a1f564c0b3b3a4f65c317667dce262c38198bfba140786

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
4ef94479dfb923cff0e32daf92676d0c

SHA1
2093691351d9e54ed9d96c33e38e8a629a6c9951

SHA256
7c469cbc88879a86c309420076d141061b54009909fc1f131d631907e2d34016

SHA512
b697903bb46fc636b677161fa9e003f83bf34af4d624b8572cee2db0d12ebb5b52fff1c1fbceb3018c21ac511f42921e810384e5c63af4c676b0148b54c88ca4

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
2928a8e41c10ea1679944837526a743d

SHA1
bbc802c9d5e229334a75fbc4a38f813560b8000b

SHA256
e1d40d59ace6c9162f0d681c109942c9d2b708c459720be1ac1ddaf39315ba93

SHA512
abf08c7fc4dffcfe18293131077f647bc873c5a5a44c50c7500f052a89b457c1dd6a6386fc1d25a9aba9d0e9b6b1e128f86063a7e12e3a56c1ee0940ad94b894

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
cad179f21c44440700b4ea3f9c02d951

SHA1
2b371c3ab2ff2278971a977773ff3b64a7506830

SHA256
880e2616012539c6fedfbfb012b117ece677a7e3efbc13158740f0957536fa92

SHA512
1f3fc6b44b66ec70461033df7a8ec4d29054403d1cf89d694561d1866e324ecd9d17e7d1bf94e2d02c003f9ea12cc05ffe03d6a1e1caa98a731230660aa048d2

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
d2c47d72d91c939bc19f745b78e8cbb8

SHA1
b2f04b753c72b8410fe21d00b2142165151ebceb

SHA256
938479dda80b7bcdb2de6d1dd410e56b2ddf74c02f215e86efa60a7307bfaff2

SHA512
fc7fc60d49d4bf5587fc4aaffb4715608ab0341706b5bc40c115ec4455e911b9b5616cb30849d3a3a491fab5e2fff0db49c01708a60d6bb332aeda0703983bc8

Download Submit
memory/532-250-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/532-240-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/556-97-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/556-74-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/956-172-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/956-102-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/956-105-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/956-110-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1048-174-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1048-248-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1048-167-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1144-283-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/1144-278-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1280-0-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1280-32-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1280-6-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/1280-8-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1280-41-0x0000000002680000-0x0000000002683000-memory.dmp

Filesize
12KB

Download
memory/1280-14-0x0000000002680000-0x0000000002AB1000-memory.dmp

Filesize
4.2MB

Download
memory/1280-38-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/1336-120-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1336-187-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1336-121-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1336-128-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1528-280-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1528-189-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/1528-180-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1760-134-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1760-54-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1880-272-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1880-274-0x0000000000570000-0x0000000000622000-memory.dmp

Filesize
712KB

Download
memory/1880-276-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2012-163-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2012-202-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2012-135-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2012-215-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2012-142-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2012-136-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2376-225-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2376-156-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2376-148-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2556-198-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2556-295-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2556-195-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-201-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-297-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-294-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-282-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2572-64-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2572-85-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2572-57-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2572-58-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2572-63-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2576-296-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2612-40-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2612-49-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2612-119-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2612-35-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2612-48-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2724-236-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2724-237-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2724-230-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2724-221-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2800-21-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2800-103-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2800-15-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2828-223-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2828-213-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2828-271-0x0000000073BC0000-0x00000000742AE000-memory.dmp

Filesize
6.9MB

Download
memory/3004-211-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/3004-210-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3016-88-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/3016-94-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/3016-87-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3016-162-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download