e2fd400ef64cf11a4538fb9c4c88c3f74293642fcc26fc12bc25026ae7cb9480

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
Size

1.6MB
MD5

c703be897d388065a0be6ca5e7f37627
SHA1

33191a9a25d61f7654a50b2d19e5aa876c211bd0
SHA256

e2fd400ef64cf11a4538fb9c4c88c3f74293642fcc26fc12bc25026ae7cb9480
SHA512

4ce22eca565372e24e8f4a395add45ef3151f7e8d55a8efa3f89d2a3c5b8caaa6057d26baa7a84ddeeb2fb1a1a0ec3e85227493ac88f5571b120b3c47dacb3bf
SSDEEP

24576:B5t2sjXfHEOtqZpp0YYtwlGhNsof2e7A+ebC:B5t2sTHmpSK8hWomh

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exeehRecvr.exeelevation_service.exeGROOVE.EXEmscorsvw.exemaintenanceservice.exeOSE.EXEmscorsvw.exeOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehsched.exeIEEtwCollector.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2792	alg.exe
3048	aspnet_state.exe
2628	mscorsvw.exe
576	mscorsvw.exe
1064	mscorsvw.exe
1144	mscorsvw.exe
1932	dllhost.exe
1536	ehRecvr.exe
3000	elevation_service.exe
1880	GROOVE.EXE
776	mscorsvw.exe
1624	maintenanceservice.exe
1540	OSE.EXE
2664	mscorsvw.exe
2288	OSPPSVC.EXE
1668	mscorsvw.exe
1300	mscorsvw.exe
2020	mscorsvw.exe
2268	mscorsvw.exe
2928	mscorsvw.exe
1096	mscorsvw.exe
2556	mscorsvw.exe
1640	mscorsvw.exe
2552	mscorsvw.exe
904	mscorsvw.exe
2216	mscorsvw.exe
2712	mscorsvw.exe
1120	mscorsvw.exe
2976	mscorsvw.exe
2364	mscorsvw.exe
1896	mscorsvw.exe
2172	mscorsvw.exe
396	mscorsvw.exe
1532	mscorsvw.exe
2612	mscorsvw.exe
2676	mscorsvw.exe
1496	mscorsvw.exe
860	mscorsvw.exe
812	ehsched.exe
2888	IEEtwCollector.exe
1936	msdtc.exe
2716	msiexec.exe
1768	perfhost.exe
1616	locator.exe
948	snmptrap.exe
2616	vds.exe
1488	vssvc.exe
2444	wbengine.exe
1216	WmiApSrv.exe
1948	wmpnetwk.exe
1652	SearchIndexer.exe
1420	mscorsvw.exe
952	mscorsvw.exe
388	mscorsvw.exe
1532	mscorsvw.exe
1464	mscorsvw.exe
2868	mscorsvw.exe
2512	mscorsvw.exe
1440	mscorsvw.exe
1748	mscorsvw.exe
112	mscorsvw.exe
1600	mscorsvw.exe
2192	mscorsvw.exe

Loads dropped DLL 43 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
2716	msiexec.exe
468
468
468
468
468
760
1464	mscorsvw.exe
1464	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
1748	mscorsvw.exe
1748	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
1548	mscorsvw.exe
1548	mscorsvw.exe
1744	mscorsvw.exe
1744	mscorsvw.exe
2084	mscorsvw.exe
2084	mscorsvw.exe
784	mscorsvw.exe
784	mscorsvw.exe
1532	mscorsvw.exe
1532	mscorsvw.exe
2760	mscorsvw.exe
2760	mscorsvw.exe
1980	mscorsvw.exe
1980	mscorsvw.exe
1744	mscorsvw.exe
1744	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
2132	mscorsvw.exe
2132	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

Processes:

aspnet_state.exeGROOVE.EXEmsdtc.exe2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exealg.exeSearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c9792f803db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exe2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exe

description	ioc	process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8DDE.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAB6C.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP86EB.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP628A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B6E86480-A3C8-4385-9E7D-37DBC2F28AB0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9398.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7697.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9EAF.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9905.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP69CB.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA525.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeehRec.exeSearchIndexer.exeSearchFilterHost.exewmpnetwk.exeehRecvr.exeGROOVE.EXEOSPPSVC.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

112 ehRec.exe
3048 aspnet_state.exe
3048 aspnet_state.exe
3048 aspnet_state.exe
3048 aspnet_state.exe
3048 aspnet_state.exe

pid	process
112	ehRec.exe
3048	aspnet_state.exe
3048	aspnet_state.exe
3048	aspnet_state.exe
3048	aspnet_state.exe
3048	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exemscorsvw.exemscorsvw.exealg.exeaspnet_state.exeEhTray.exemsiexec.exeehRec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2908	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeDebugPrivilege	2792	alg.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	3048	aspnet_state.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: 33	1096	EhTray.exe
Token: SeIncBasePriorityPrivilege	1096	EhTray.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeRestorePrivilege	2716	msiexec.exe
Token: SeTakeOwnershipPrivilege	2716	msiexec.exe
Token: SeSecurityPrivilege	2716	msiexec.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeDebugPrivilege	112	ehRec.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeBackupPrivilege	1488	vssvc.exe
Token: SeRestorePrivilege	1488	vssvc.exe
Token: SeAuditPrivilege	1488	vssvc.exe
Token: SeBackupPrivilege	2444	wbengine.exe
Token: SeRestorePrivilege	2444	wbengine.exe
Token: SeSecurityPrivilege	2444	wbengine.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: 33	1096	EhTray.exe
Token: SeIncBasePriorityPrivilege	1096	EhTray.exe
Token: SeDebugPrivilege	3048	aspnet_state.exe
Token: 33	1948	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1948	wmpnetwk.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeManageVolumePrivilege	1652	SearchIndexer.exe
Token: 33	1652	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1652	SearchIndexer.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe
Token: SeShutdownPrivilege	1144	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1096 EhTray.exe
1096 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1096 EhTray.exe
1096 EhTray.exe

pid	process
1096	EhTray.exe
1096	EhTray.exe

pid	process
1096	EhTray.exe
1096	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1588	SearchProtocolHost.exe
1588	SearchProtocolHost.exe
1588	SearchProtocolHost.exe
1588	SearchProtocolHost.exe
1588	SearchProtocolHost.exe
1588	SearchProtocolHost.exe
1588	SearchProtocolHost.exe
1588	SearchProtocolHost.exe
1588	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 1144 wrote to memory of 776	1144	mscorsvw.exe	mscorsvw.exe
PID 1144 wrote to memory of 776	1144	mscorsvw.exe	mscorsvw.exe
PID 1144 wrote to memory of 776	1144	mscorsvw.exe	mscorsvw.exe
PID 1144 wrote to memory of 2664	1144	mscorsvw.exe	mscorsvw.exe
PID 1144 wrote to memory of 2664	1144	mscorsvw.exe	mscorsvw.exe
PID 1144 wrote to memory of 2664	1144	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1668	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1668	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1668	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1668	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1300	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1300	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1300	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1300	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2020	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2020	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2020	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2020	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2268	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2268	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2268	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2268	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2928	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2928	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2928	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2928	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1096	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1096	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1096	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1096	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2556	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2556	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2556	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2556	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1640	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1640	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1640	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1640	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2552	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2552	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2552	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2552	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 904	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 904	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 904	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 904	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2216	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2216	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2216	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2216	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2712	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2712	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2712	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2712	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1120	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1120	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1120	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 1120	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2976	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2976	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2976	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2976	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2364	1064	mscorsvw.exe	mscorsvw.exe
PID 1064 wrote to memory of 2364	1064	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d8 -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1f0 -NGENProcess 274 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 280 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f0 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 28c -NGENProcess 24c -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 298 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a8 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 284 -NGENProcess 264 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 2a8 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 2b0 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 104 -NGENProcess 204 -Pipe 1fc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 250 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 104 -Pipe 228 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 108 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 108 -InterruptEvent 1d8 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 244 -NGENProcess 104 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 26c -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 104 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 248 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 27c -Pipe 1ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 28c -Pipe 104 -Comment "NGen Worker Process"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 290 -Pipe 204 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
2⤵
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 1d8 -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 2a8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:2004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ac -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 274 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:1340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 2b8 -Pipe 244 -Comment "NGen Worker Process"
2⤵
PID:2796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 25c -NGENProcess 2bc -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:1012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b8 -NGENProcess 2c4 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:2944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 1a8 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1a8 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1736

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1932

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1880

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1624

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1540

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2288

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:812

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1096

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:1740

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
180085021e79ef28eb1f02e7b79ed778

SHA1
85b30d0f071244aaf4ec7f44650fc8a03eb0c6a9

SHA256
61004b65edb87eb33cac1d0125eea58ea0999d8fa5afff3fa1d301f2df89b6c0

SHA512
2abe070e7e9869412951ef300e2c560894b65da3bf7973e7dd283976a9284894c08b4e92fc5c86531b69e9421674b4db73ed0ec6b94147804bb8f3fcbeae29a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
3.1MB

MD5
26e235d53c59035f701540f5a823f5c5

SHA1
ab4c8a7ed6cf211367a2642608c576b133f07a13

SHA256
0470f435a555ea4bbc72c3503cbdeb8acf3a868940d4c46bdfbd3e09e8340c6d

SHA512
a29e96ad7322bccf3a036dbba770410e5de5d18b81db31cd7d4434bc5794c725e28ac991363bc02807b7c8f112924e7fccf96c508b95db0b57ae1b6c8346753f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
e27d7767f496df322d0301cbe597d802

SHA1
1db8256314220481ea1292feac6566f3c8e949f9

SHA256
81c34c981eb85f2e207d8350ac19e5e03fa2a266d200e3df6b369eea9630e7d5

SHA512
299343ba0021c65e05f1f8a29df426d378479ba50a1b1d8524e39d49b333e73c9e19e32cab49324a07d6db7a2f2352fd37f5b504acd715391f27e3a05269b084

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
f5a9200a2e25a493529e30fd962f7afd

SHA1
70aca53d9012ef8393feaec34ddf54e68036f94f

SHA256
3b84610342edeff8095df097138dc6f5a5ebe6ea147a9ce9324476b7d57ce905

SHA512
d1d78875dacdcd8ba7248b80326f6041ec0e147f59965181edf5296dbde5fa8351aca3d37cecc9b03993bc779f07e0b5b6c197f4a44a0d38cc4c462f0bff7938

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
64KB

MD5
77d0a5e9a748ddc819f1194cb32cc9be

SHA1
6cc73127b2f8b94470daa64287b5220a6b011747

SHA256
b8e0a31d256bf7876e258b00b532bdba1f3dd221012b0223a71c8b9b608f565e

SHA512
dc88cb5ea6ac88bc5b5709580af9dbdffa82cde8212fa74441c5f2705e413928fddd78aebae09fa6657dd3b228a75efa2f1d4fb551ac15fe4254c08c9439224d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
070825070fe2ad27fe6916a1c85fbc1f

SHA1
e61dd571327cf256c865ece3432c2a1fee79dfe4

SHA256
f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73

SHA512
31b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
512KB

MD5
026396a4d40d932852100f0e1c2d76b0

SHA1
5237c0cd4b879b1ee2311b3f082ea8f2470a445b

SHA256
17db132651647b061063861136dc2e44522de4a2d8d46b59994ff367e1143dce

SHA512
cf264023f0b37f2e169d46b2ef9bd45a059ac08a228261d8ae32f03c6ed3aeb6316f76d7dea325cc1fda2c7dbab7706bcbcec5f529a036204c0af1e8e90f9360

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
8d5060feb92735d4b49b06e30a48726d

SHA1
f40e5389436b08f4700791954d6192faf0498cf7

SHA256
ef8b22b803c2664baf7c9059633d259e663ac184541f4e072afc6bd10b6d2fa5

SHA512
8ad177efecbaff8808bc1ed9a2238de864447197409c3766e54bb8384281c96f799b57e21926714c1854bd9d153cbc6866f343115dee6ee2332ef2028d06481d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
4c04601e7298c705bd6af194d14cab2c

SHA1
17a007453cc32086f4455427c1108b268da785ef

SHA256
6919a86cc8f4c355ebe9955f2004733829db8249044b7bd08fc20e02529d3779

SHA512
9a20b5f816085eb08d035a812e67626e5ef693213c384a4cf23fb300381e5d21f2e1b5fee559604995a5d6b416ca50366968552cfe5ba83c8855471e2ddd5b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.4MB

MD5
a92ddcfdc3f8b9db9dec04f8952d99a2

SHA1
beb6d7a6a7e11607653585ea057ebc4d47aa24d1

SHA256
fb55674143a6ac41a1794ecdaefb2cbebf8d00bac93c621b7c2c6bd3162ed157

SHA512
476817bca9f191c37b6de6bd2cb6a24bf3036676ed16d188fc720a226cd0fdceac12b533183eecec0e3b21dd3c1147fa8dea3be8594f933f7d7a0e7b7bfec359

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
128KB

MD5
493bf611b0d0a4ef53082ead81990df4

SHA1
f5e9b8465ea959a9af7209339d7076288a3aa1f9

SHA256
a049c867764a3f4322f558c2586c43bbc182c392b44eda898ef64fce6bbcbd16

SHA512
a2bf5d2f142b6064dad7acf1b9adc8bf479e84381b28932aea7be88afcfd2e000da7f3e9d7bb377edf456b60c95eff7176cde5eb27e49f42c393a1c4d1238553

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.2MB

MD5
bae1366eb493eb7246f7b8c3d25faabd

SHA1
d90a10d17ec1cd378a3ff73816caccfb6b32cd6e

SHA256
ef2247dc548823d11e4b3b80e3709834dc55dc87787341aa0281d8dcffb6ba1f

SHA512
80a6b60dc9b1d163f64580f526431e636b8117f8012ec03f77c7c2ab8fde81fc91b772ec207224fb746ac4d8c4a5fc006a400cbd4cadca7b6bcba32af2c7d2fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
640KB

MD5
91d6a1132b19a8849d599533b96f7846

SHA1
cdc4e0de67fa0e3c5da49bf7d96f6628177f240c

SHA256
2f4b5e84424beb253ffb1b86502d0767abf1eae1e7b29784d7b983a319d1dc4e

SHA512
441ce35b677047333c13860b6f755f5130c7cefb36ab6c98122b91523dffaef5224d9c2974de8838494c5911488f24293372c70adf302e2b82b94e11bce7371e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
704KB

MD5
1a78616961d1fd963b1792ba39d66f8a

SHA1
dc6807e92f627302940f2cdc40a0e11575efcf5f

SHA256
fcd51d4b67687922a63db5a6094302e451bdb8df7da9b8128f679b229e531b3c

SHA512
622a4446a3383a6729f8294d47d584f5cce04822c639e5ea387afc7a807c777fcb407b48fe0103316e4e9e4a12c343ceb8c2525368e856d01cd83a465b807f87

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
128KB

MD5
8bafa13828a1aee02b7623b26d878c18

SHA1
7969e96e018046b3ef5c60367ff1267ca75c4463

SHA256
3c0b2729288d712cf0ff688a0c735926c4f13cc43aebe37733d00fad9c4d3ae4

SHA512
1de2d06c229a75da7826631117707abd759779abdeac97951613a239fefe615961d20cf4c31324e256df808c0df1cf7d61b522764074d9d18b5fde269baf6579

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
9a1223164e78412945f0d8b214be6568

SHA1
57151f3c29b750770498e7504fbeb59546db0e5b

SHA256
3f64fbc45e5c27454675d3466cc31825cccd8ddb748cd1135321fbdd2f5fbf0f

SHA512
e6e5793e85b3625b8efd293d5ce3c2534d2c1f93c674322a1cfd120a5c34994e24a5a026ba173f71238c96ad7c2bc4b2a2ea9bb390a2fce7ff0579fd9582f947

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
960KB

MD5
713aed98995f7d21ca23840511a1feed

SHA1
c5b7bc583ec05b3dbb4e3c152565152eace2adfd

SHA256
8c3414b2ab4ae366931c1628d539e4a607745ad271a5ab89e773a401c2a0fc7e

SHA512
b9f6acd6e4fb21d62a48e046dea71f04706778241f8d8a92233b9a77d5c1e5413419600946f0cce72e5d991d934c2b3c78c923a9c8bbccad2880c1c018ac0738

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
9ffb6906e08ddd568ecd0b6911d09c60

SHA1
8f258736ad6c540a6e2ea00618cbf659f97171d6

SHA256
f3959730c706d797f14aa40dcb6b49dddfa2cc9eb9f70da2daf58d656ffc2882

SHA512
cd5e8c2d091122e63fde62b2c3b2670f8cc259d2380fdba245fb0e96203756072c85f650f2e015456d28cf18a41a7d32ac39560ea28fec283c7fdbddf89c5a7c

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
1.2MB

MD5
dfa5da05cf46ac65564d9a633129e9c3

SHA1
15c8fb8b327b3a4bb1d4ea7e9b333e665444fecf

SHA256
7fd79bbc6d049775646900a710d2528aa227ae850416bf2f5414ce40b1aa8d6e

SHA512
9d0803ed59471439be1cd74aec96817ee3ec5abd9f9ed38c1584403114feb81a6b49d98ceceee0236e3000ec606065c630e2370c236513c3d29ddddd037ded92

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\50dfb04b75d6e4731b068bcfa4c358a9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB

MD5
f9a403875a0f8bbbecdbccbb3b967175

SHA1
763be2e2bb7f3ce9448da57f7fc83da6592e8ace

SHA256
e7f1006cd8fd83407cdd1305df591e71d67f7248287a3e97cf0ca4c17d3a8a21

SHA512
5e54e9eb30c6de37e2a55b2517421f16be8f11b3986aed2afc7c7ec7412e17096616c8d9a14e0f770d4e0144e52ffaff4a3f266ba2c3e6f2e0c4dcf0f6ab4780

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\86da0adcf8c46fc41ed764f0be7209cb\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB

MD5
440e78ed54dadfaac9e7a119758d6ee6

SHA1
4d4782d4c0357ae0d71fdb505d0c44ad1cfa010b

SHA256
4bfb47c348d0948291027c6ebab527d4ac84b5fb497f7efe741aa1fd22e0cd32

SHA512
b21f38eec8b05968520ab347317c2c56cf1031ed86d37bdea55631463f26d54fe7a363f2dea6a5cac281415fe8ae0a10f18bf78f941fb639339678e4d4b2c592

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
1.5MB

MD5
5295812ca93b4e643394a0fc6a289fc9

SHA1
4ad5a7bf9acfd845280b61e706c9c7a03b811784

SHA256
e928807d6885b1aa1bb5b9fd9614ef8624d763072a3f07b5e1b29e656d061e6e

SHA512
b037e41fdf38a027a7ce901bab1e698c9258ba6060bd2cdab129aaa6c5f79a5e1dc3957e177cee079a8eaf477d3b0ce0d0897fda5aa901872863b4073faf129e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.5MB

MD5
26c326aaeadc03210257090bce66d078

SHA1
75922ff9ed2f492e3c0ed11a74fa3d3877586ab0

SHA256
d225e679ebaca5dcd6baa4208174b91b35603f315f6a0443820e2050aac833dd

SHA512
0d42252bbd2a2e62e7c7d1b9c8450dca06616e183d0c5ce8e52db6238ac1b82f603a1988b72649b7ebc8d1b1305cd43a494cb8852750b52a521ce426115096dd

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.4MB

MD5
2453fb133ec52fb2dcc28e5901bf0f8a

SHA1
1c075d8fe485c6e32bd996760acc0f385d369a59

SHA256
4073613eb23bca31d25faf51cc4aa7027707a7c76bf85391a3e932322a350ad9

SHA512
9949454458778fa7b6324fe7bc05d04e0ecaefc96d97babf8ee0c51cd144bd05ad54e8fa2294616131da4f74f54e1c4d62178a3aad369e3f1411124c07d76eed

Download Submit
\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
6d6c5a739cbbdd7f385e37d780f06788

SHA1
bbee8e4e94bbbdb47c2141e46c3756ca11eb29be

SHA256
b6f981df011af31677c6d01124ce8d7c711c0ba5e0bc18c9170c9dcc9bd4ed94

SHA512
be00b94f093a9dedcd12bcee40553c7dcf068fde0d9f2fd37b85b25a10e7d042bbc676a2728e5f9c5590da55b3e3ef66c92074857d0171d59abb8664826120d9

Download Submit
\Windows\System32\alg.exe
Filesize
1.5MB

MD5
030b77d9aa676cf5e9631d2340692e73

SHA1
df31480259ef38fe0506ec34edf3f13078a98bf3

SHA256
d12d7d07e79f5c0b169690ade7710cb8878c0966d7ca775aaa39794ae2264b2c

SHA512
a526f7c5f572669115c03e402f21dfd29f40fd97b4027a911ee5dd0b4aa0ea4d77359aaeb34a2ed10d8c47ea0bfc23084d06199baa97a73ea5a57c5d9bd44b95

Download Submit
\Windows\System32\dllhost.exe
Filesize
1.1MB

MD5
eb03563d02cfcb2879e44acb4b010e3e

SHA1
36ce3149b994b7a3eead1b533ee4104201af5243

SHA256
5ff9ed3f7f11041494bfb538b917ff112004a6797fdc74f9e82d1b197b9bef3e

SHA512
5ae705893420fdbae2c282736b784bae5ee565e6b2bc713a1da515ea55cedf00c0d7ac89f14e32eb7d1d7e3584ef13a5623032c99e359f705c3b4475b35d3f70

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
1.5MB

MD5
f2844a8e1e66336ba2e4fa70f0456550

SHA1
3b4998fb52d2a8f82bface612c969481e844a85e

SHA256
3793a2b77947a3f14d794e6ece622b1345478cc301b67a41cf352e9d81b4086c

SHA512
2b73df1eefa56b80374b18ea653063d3894f99d1eebb80ec1dcfab4479fb81584e9d0f5dc77381506df4a44a143990bbd52bde952c7a94c1e95f9a7d2a6812a0

Download Submit
\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
99410b91f75b689cd8bff8d902fb6476

SHA1
c196a13fcd3c1dc212fb345932b98262971417a8

SHA256
91fbb50ef68a49f1d26b3e37ab99341db9945e37928c6f74236a2f6d42141fcf

SHA512
32ed1797cdd83188516a3d3fe0da469b348711db042878190083fc83a748e202d54d68c02ff9db8c069b37e1e257cf721557a7bb9c533817f6c898be5ea45399

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.5MB

MD5
586bc6b81491eeee46f606bd9082139f

SHA1
990386d8f6c60b98a0e87186152599bd47cc7df3

SHA256
a5b65cfd666028b9ece2eff70d86ac25d2c42177c7fdca929937aa10fd8aeca8

SHA512
b80d593b557819f57e1da73b38abf36b4a7fda7431b45b39e9423509d5b9ce54f9eba803ba6fd7e52c960512fcd2f3d345d63ec23d73d184595d85b16364f678

Download Submit
\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
9e523a8dc252ad9e521a9e4cdc04517c

SHA1
97424ef2c78a7ec094c2bc05e100beaa97a880cf

SHA256
9234187c28310fd60aa0cde9254a3ffb6db6673a4fa931851b49d6fbf349d3ed

SHA512
487fcd4c60f8413dd82660cb97bc6d94c66ceb0c80a68a320bf6415d602b2c26ce9fee088f7166817a1469f74819217f8077a301d507dde5a336cd0eba971689

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
5c1558cfbb28a71df231235ff3edf048

SHA1
12d3c16e7beb23ca66882f3e4a34e2e48f59b160

SHA256
f450696dc613d282a7518e59dc45e002bacf9560bfffd4fc811b9add248c28a1

SHA512
141f8f0b0c0f9daea87bffed284ba4ed39b628e8616fcc2fddc6be837796b06c43d49802922081c5a1aba5c490979c65c39dd75f8e33cc151ec7e104631aa403

Download Submit
\Windows\ehome\ehsched.exe
Filesize
64KB

MD5
95fcd8f7d8939f337abee5904e26a04d

SHA1
6b5b38d0e052cfbf7e2b3aff71fb745272c1e887

SHA256
42fea5457eac5096ae1673dcac30d43b5d03de9801c0be98fbe80cee1a193721

SHA512
27dc72129d3ff4efed8b39631b97298d3a73ec1834a7fa834fd2c7f45138c24bad070ec008f75ef471b6e46df77c8c711cc875c1e207d602c42c6d732f58cda0

Download Submit
memory/576-54-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/576-55-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/576-62-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/576-92-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/776-182-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/776-242-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/776-234-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/776-233-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/776-352-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1064-160-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1064-74-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1064-81-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1064-80-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1064-75-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1144-96-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1144-95-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1144-175-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1144-103-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1300-343-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1300-337-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1536-143-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1536-204-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1536-157-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1536-134-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1536-264-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1540-248-0x000000002E000000-0x000000002E18A000-memory.dmp

Filesize
1.5MB

Download
memory/1540-250-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1624-195-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/1624-188-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1624-201-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1624-202-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/1668-291-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1668-341-0x0000000072780000-0x0000000072E6E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-340-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1668-327-0x0000000072780000-0x0000000072E6E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-303-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1880-166-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1880-168-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1880-267-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1932-185-0x0000000100000000-0x000000010016A000-memory.dmp

Filesize
1.4MB

Download
memory/1932-193-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1932-122-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1932-114-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1932-117-0x0000000100000000-0x000000010016A000-memory.dmp

Filesize
1.4MB

Download
memory/2288-245-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2288-249-0x0000000073E28000-0x0000000073E3D000-memory.dmp

Filesize
84KB

Download
memory/2288-246-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/2628-40-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2628-46-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2628-111-0x0000000010000000-0x0000000010174000-memory.dmp

Filesize
1.5MB

Download
memory/2628-39-0x0000000010000000-0x0000000010174000-memory.dmp

Filesize
1.5MB

Download
memory/2664-252-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-279-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2664-278-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2664-280-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-247-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2664-243-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2792-15-0x0000000100000000-0x0000000100179000-memory.dmp

Filesize
1.5MB

Download
memory/2792-14-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2792-21-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2792-22-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2792-94-0x0000000100000000-0x0000000100179000-memory.dmp

Filesize
1.5MB

Download
memory/2908-132-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/2908-0-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2908-1-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/2908-7-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/2908-8-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/2908-73-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2908-129-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3000-156-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3000-146-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3000-251-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3048-28-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/3048-29-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3048-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3048-115-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download