Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 16:57

Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
Resource: win7-20231215-en
General
Target: 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
Size: 1.6MB
MD5: c703be897d388065a0be6ca5e7f37627
SHA1: 33191a9a25d61f7654a50b2d19e5aa876c211bd0
SHA256: e2fd400ef64cf11a4538fb9c4c88c3f74293642fcc26fc12bc25026ae7cb9480
SHA512: 4ce22eca565372e24e8f4a395add45ef3151f7e8d55a8efa3f89d2a3c5b8caaa6057d26baa7a84ddeeb2fb1a1a0ec3e85227493ac88f5571b120b3c47dacb3bf
SSDEEP: 24576:B5t2sjXfHEOtqZpp0YYtwlGhNsof2e7A+ebC:B5t2sTHmpSK8hWomh
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Processes: alg.exe, aspnet_state.exe, mscorsvw.exe ×4, dllhost.exe, ehRecvr.exe, elevation_service.exe, GROOVE.EXE, mscorsvw.exe, maintenanceservice.exe, OSE.EXE, mscorsvw.exe, OSPPSVC.EXE, mscorsvw.exe ×23, ehsched.exe, IEEtwCollector.exe, msdtc.exe, msiexec.exe, perfhost.exe, locator.exe, snmptrap.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, wmpnetwk.exe, SearchIndexer.exe, mscorsvw.exe ×12
pid | process
468 | (none listed)
2792 | alg.exe
3048 | aspnet_state.exe
2628 | mscorsvw.exe
576 | mscorsvw.exe
1064 | mscorsvw.exe
1144 | mscorsvw.exe
1932 | dllhost.exe
1536 | ehRecvr.exe
3000 | elevation_service.exe
1880 | GROOVE.EXE
776 | mscorsvw.exe
1624 | maintenanceservice.exe
1540 | OSE.EXE
2664 | mscorsvw.exe
2288 | OSPPSVC.EXE
1668 | mscorsvw.exe
1300 | mscorsvw.exe
2020 | mscorsvw.exe
2268 | mscorsvw.exe
2928 | mscorsvw.exe
1096 | mscorsvw.exe
2556 | mscorsvw.exe
1640 | mscorsvw.exe
2552 | mscorsvw.exe
904 | mscorsvw.exe
2216 | mscorsvw.exe
2712 | mscorsvw.exe
1120 | mscorsvw.exe
2976 | mscorsvw.exe
2364 | mscorsvw.exe
1896 | mscorsvw.exe
2172 | mscorsvw.exe
396 | mscorsvw.exe
1532 | mscorsvw.exe
2612 | mscorsvw.exe
2676 | mscorsvw.exe
1496 | mscorsvw.exe
860 | mscorsvw.exe
812 | ehsched.exe
2888 | IEEtwCollector.exe
1936 | msdtc.exe
2716 | msiexec.exe
1768 | perfhost.exe
1616 | locator.exe
948 | snmptrap.exe
2616 | vds.exe
1488 | vssvc.exe
2444 | wbengine.exe
1216 | WmiApSrv.exe
1948 | wmpnetwk.exe
1652 | SearchIndexer.exe
1420 | mscorsvw.exe
952 | mscorsvw.exe
388 | mscorsvw.exe
1532 | mscorsvw.exe
1464 | mscorsvw.exe
2868 | mscorsvw.exe
2512 | mscorsvw.exe
1440 | mscorsvw.exe
1748 | mscorsvw.exe
112 | mscorsvw.exe
1600 | mscorsvw.exe
2192 | mscorsvw.exe
Loads dropped DLL (43 IoCs)
Processes: msiexec.exe, mscorsvw.exe ×14
pid | process
468 | (none listed)
468 | (none listed)
468 | (none listed)
468 | (none listed)
468 | (none listed)
468 | (none listed)
468 | (none listed)
468 | (none listed)
2716 | msiexec.exe
468 | (none listed)
468 | (none listed)
468 | (none listed)
468 | (none listed)
468 | (none listed)
760 | (none listed)
1464 | mscorsvw.exe
1464 | mscorsvw.exe
2512 | mscorsvw.exe
2512 | mscorsvw.exe
1748 | mscorsvw.exe
1748 | mscorsvw.exe
1600 | mscorsvw.exe
1600 | mscorsvw.exe
1548 | mscorsvw.exe
1548 | mscorsvw.exe
1744 | mscorsvw.exe
1744 | mscorsvw.exe
2084 | mscorsvw.exe
2084 | mscorsvw.exe
784 | mscorsvw.exe
784 | mscorsvw.exe
1532 | mscorsvw.exe
1532 | mscorsvw.exe
2760 | mscorsvw.exe
2760 | mscorsvw.exe
1980 | mscorsvw.exe
1980 | mscorsvw.exe
1744 | mscorsvw.exe
1744 | mscorsvw.exe
1912 | mscorsvw.exe
1912 | mscorsvw.exe
2132 | mscorsvw.exe
2132 | mscorsvw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (18 IoCs)
Processes: aspnet_state.exe, GROOVE.EXE, msdtc.exe, 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe, alg.exe, SearchProtocolHost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\locator.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\vssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbengine.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\vds.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c9792f803db14c9a.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\msiexec.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
Drops file in Program Files directory (64 IoCs)
Processes: aspnet_state.exe, alg.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | alg.exe
Drops file in Windows directory (64 IoCs)
Processes: mscorsvw.exe ×3, 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe, mscorsvw.exe ×9, aspnet_state.exe, mscorsvw.exe, dllhost.exe, mscorsvw.exe ×4, alg.exe
description | ioc | process
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8DDE.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAB6C.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP86EB.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP628A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B6E86480-A3C8-4385-9E7D-37DBC2F28AB0}.crmlog | dllhost.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | aspnet_state.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9398.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7697.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9EAF.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9905.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP69CB.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA525.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, ehRec.exe, SearchIndexer.exe, SearchFilterHost.exe, wmpnetwk.exe, ehRecvr.exe, GROOVE.EXE, OSPPSVC.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | ehRecvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (value not reproduced on the page) | OSPPSVC.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: ehRec.exe, aspnet_state.exe
pid | process
112 | ehRec.exe
3048 | aspnet_state.exe
3048 | aspnet_state.exe
3048 | aspnet_state.exe
3048 | aspnet_state.exe
3048 | aspnet_state.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe, mscorsvw.exe ×2, alg.exe, aspnet_state.exe, EhTray.exe, msiexec.exe, ehRec.exe, vssvc.exe, wbengine.exe, wmpnetwk.exe, SearchIndexer.exe
description | pid | process
Token: SeTakeOwnershipPrivilege | 2908 | 2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
Token: SeShutdownPrivilege | 1064 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1064 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1064 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1064 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeDebugPrivilege | 2792 | alg.exe
Token: SeShutdownPrivilege | 1064 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeTakeOwnershipPrivilege | 3048 | aspnet_state.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: 33 | 1096 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1096 | EhTray.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeRestorePrivilege | 2716 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2716 | msiexec.exe
Token: SeSecurityPrivilege | 2716 | msiexec.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeDebugPrivilege | 112 | ehRec.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeBackupPrivilege | 1488 | vssvc.exe
Token: SeRestorePrivilege | 1488 | vssvc.exe
Token: SeAuditPrivilege | 1488 | vssvc.exe
Token: SeBackupPrivilege | 2444 | wbengine.exe
Token: SeRestorePrivilege | 2444 | wbengine.exe
Token: SeSecurityPrivilege | 2444 | wbengine.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: 33 | 1096 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1096 | EhTray.exe
Token: SeDebugPrivilege | 3048 | aspnet_state.exe
Token: 33 | 1948 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 1948 | wmpnetwk.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeManageVolumePrivilege | 1652 | SearchIndexer.exe
Token: 33 | 1652 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1652 | SearchIndexer.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1064 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Token: SeShutdownPrivilege | 1144 | mscorsvw.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EhTray.exe
pid | process
1096 | EhTray.exe
1096 | EhTray.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: EhTray.exe
pid | process
1096 | EhTray.exe
1096 | EhTray.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: SearchProtocolHost.exe ×2
pid | process
1636 | SearchProtocolHost.exe
1636 | SearchProtocolHost.exe
1636 | SearchProtocolHost.exe
1636 | SearchProtocolHost.exe
1636 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
1588 | SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
mscorsvw.exe, mscorsvw.exe
description / pid / process / target process (repeated events collapsed into counts)
PID 1144 wrote to memory of 776 (mscorsvw.exe -> mscorsvw.exe), 3 events
PID 1144 wrote to memory of 2664 (mscorsvw.exe -> mscorsvw.exe), 3 events
PID 1064 wrote to memory of 1668 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 1300 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2020 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2268 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2928 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 1096 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2556 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 1640 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2552 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 904 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2216 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2712 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 1120 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2976 (mscorsvw.exe -> mscorsvw.exe), 4 events
PID 1064 wrote to memory of 2364 (mscorsvw.exe -> mscorsvw.exe), 2 events
Every write listed here originates from one of the two .NET v4.0.30319 NGen service instances that run as dropped executables (PID 1064 under Framework, PID 1144 under Framework64) and lands in a worker that service spawned with -Comment "NGen Worker Process" (see the process tree below). A parent writing into a freshly created child of the same image is also what process hollowing looks like, so the check that matters is whether each target really is an NGen worker invocation and behaves like one, not merely whether parent and child share an image name.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly reaches VSS through these interfaces to enumerate and delete shadow copies before encrypting, so confirm whether any shadow copies survived the run. Note also that vssvc.exe (PID 1488) and wbengine.exe (PID 2444), the services that would normally answer these calls, themselves start here as dropped executables.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2628
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:576
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d8 -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1f0 -NGENProcess 274 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:904 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 280 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f0 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 28c -NGENProcess 24c -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:396 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 298 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a8 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 284 -NGENProcess 264 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 2a8 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 2b0 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:860
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:776 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 104 -NGENProcess 204 -Pipe 1fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 250 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:952 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 104 -Pipe 228 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:388 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 108 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 108 -InterruptEvent 1d8 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1464 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 244 -NGENProcess 104 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 26c -Pipe 22c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2512 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 104 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1748 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 248 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:112 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 27c -Pipe 1ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1600 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1548 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:932
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1744 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 28c -Pipe 104 -Comment "NGen Worker Process"2⤵PID:1660
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 290 -Pipe 204 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2084 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"2⤵PID:2296
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:784 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 1d8 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:2820
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1532 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 2a8 -Pipe 294 -Comment "NGen Worker Process"2⤵PID:2004
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ac -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2760 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 274 -Pipe 29c -Comment "NGen Worker Process"2⤵PID:1340
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1980 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 2b8 -Pipe 244 -Comment "NGen Worker Process"2⤵PID:2796
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 25c -NGENProcess 2bc -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1744 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"2⤵PID:1012
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b8 -NGENProcess 2c4 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1912 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:2944
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2132 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 1a8 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:2296
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1a8 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:1736
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1932
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1536
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3000
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1880
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1624
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1540
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2288
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:812
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2888
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1096
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1768
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1616
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:948
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2616
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1216
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1636 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1740 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1588
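As an added example, not part of the sandbox report or of its tooling, the Python below turns two of the flattened sections above into data that can be triaged rather than read: the process tree, where each entry is the image path immediately followed by its own command line and a depth marker `N⤵` (sometimes with `PID:` fused onto the same line), and the WriteProcessMemory run at the top of this section. It joins the two so that a parent's writes count as expected only when the target is an NGen worker that parent spawned (command line carrying `-NGENProcess` and `-Comment "NGen Worker Process"`); a same-image child alone is not accepted, since that is also what process hollowing looks like. It also lists every image under C:\Windows or Program Files that ran with the `Executes dropped EXE` flag, which is the set of files to hash and compare against known-good copies. The sample tree and the `1144 -> 776` write lines are short excerpts copied from this page; the `4000 -> 4100` write and its image names are constructed to exercise the review branch and do not appear in the report. The function names, the `Proc` record and the single-digit-depth rule are my choices, not the report's.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Header line of one tree entry: image path, optional quote, the SAME path again
# (the flattened "Image" and "Command line" cells), arguments, depth marker, and
# sometimes the PID fused on. Depth is read as ONE digit because an argument
# ending in digits fuses with the marker ('... 65536 5962⤵' is arg 596, depth 2).
HEADER_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.+?\.exe)"?(?P=image)"?(?P<args>.*?)'
    r'(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$', re.IGNORECASE)
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 \S+ \S+")

@dataclass
class Proc:
    image: str
    args: str
    depth: int
    parent: "int | None"
    pid: int = -1
    flags: list = field(default_factory=list)

def parse_tree(text):
    """Children directly follow their parent, so a depth stack yields parent PIDs."""
    procs, stack, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HEADER_RE.match(line)
        if m:
            depth = int(m["depth"])
            del stack[depth - 1:]                  # keep only the ancestors
            cur = Proc(m["image"], m["args"].strip(), depth,
                       stack[-1] if stack else None)
            procs.append(cur)
            if m["pid"] is None:
                continue
            line = "PID:" + m["pid"]               # 'N⤵PID:nnnn' form
        if cur is None:
            raise ValueError(f"line outside any entry: {line!r}")
        if line.startswith("PID:"):                # 'PID:nnnn' or 'PID:nnnn -'
            cur.pid = int(line[4:].split()[0])
            stack.append(cur.pid)
            cur = None
        elif line.startswith("- "):
            cur.flags.append(line[2:])
    return procs

def is_ngen_worker(p):
    return (p.image.lower().endswith("\\mscorsvw.exe") and "-NGENProcess" in p.args
            and '-Comment "NGen Worker Process"' in p.args)

def dropped_system_binaries(procs):
    """System-path images that ran as dropped EXEs: the files to hash and re-verify."""
    roots = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
    return sorted({p.image for p in procs if "Executes dropped EXE" in p.flags
                   and p.image.lower().startswith(roots)})

def parse_writes(text):
    """(source pid, target pid) -> number of WriteProcessMemory events."""
    return Counter((int(s), int(d)) for s, d in WRITE_RE.findall(text))

def triage_writes(procs, writes):
    """Expected = parent writing into an NGen worker it spawned; rest is for review.
    PIDs are reused within a run (1532 appears three times on the page), so match
    on the parent link rather than on the target PID alone."""
    expected, review = {}, {}
    for (src, dst), n in writes.items():
        ok = any(p.pid == dst and p.parent == src and is_ngen_worker(p) for p in procs)
        (expected if ok else review)[(src, dst)] = n
    return expected, review

# Constructed excerpt of the report's process tree, copied in the page's layout.
SAMPLE_TREE = r"""
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2792
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:776 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:932
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
PID:1740 -
"""
# Constructed excerpt of the WriteProcessMemory run (three 1144 -> 776 events are on
# the page); the 4000 -> 4100 event is synthetic, added only to exercise 'review'.
SAMPLE_WRITES = (
    "PID 1144 wrote to memory of 776 1144 mscorsvw.exe mscorsvw.exe " * 3
    + "PID 4000 wrote to memory of 4100 4000 example_parent.exe example_child.exe")
```

To apply it to the whole report, paste the full process tree text into `parse_tree` and the full WriteProcessMemory run into `parse_writes`; `dropped_system_binaries` then gives the list of service binaries to verify against a clean Windows 7 image (hash or Authenticode check), and anything `triage_writes` places in the review set is a write that is not explained by the NGen service handing work to its own workers.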
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
1.5MB
MD5180085021e79ef28eb1f02e7b79ed778
SHA185b30d0f071244aaf4ec7f44650fc8a03eb0c6a9
SHA25661004b65edb87eb33cac1d0125eea58ea0999d8fa5afff3fa1d301f2df89b6c0
SHA5122abe070e7e9869412951ef300e2c560894b65da3bf7973e7dd283976a9284894c08b4e92fc5c86531b69e9421674b4db73ed0ec6b94147804bb8f3fcbeae29a5
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXEFilesize
3.1MB
MD526e235d53c59035f701540f5a823f5c5
SHA1ab4c8a7ed6cf211367a2642608c576b133f07a13
SHA2560470f435a555ea4bbc72c3503cbdeb8acf3a868940d4c46bdfbd3e09e8340c6d
SHA512a29e96ad7322bccf3a036dbba770410e5de5d18b81db31cd7d4434bc5794c725e28ac991363bc02807b7c8f112924e7fccf96c508b95db0b57ae1b6c8346753f
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFilesize
1.6MB
MD5e27d7767f496df322d0301cbe597d802
SHA11db8256314220481ea1292feac6566f3c8e949f9
SHA25681c34c981eb85f2e207d8350ac19e5e03fa2a266d200e3df6b369eea9630e7d5
SHA512299343ba0021c65e05f1f8a29df426d378479ba50a1b1d8524e39d49b333e73c9e19e32cab49324a07d6db7a2f2352fd37f5b504acd715391f27e3a05269b084
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEFilesize
5.2MB
MD5f5a9200a2e25a493529e30fd962f7afd
SHA170aca53d9012ef8393feaec34ddf54e68036f94f
SHA2563b84610342edeff8095df097138dc6f5a5ebe6ea147a9ce9324476b7d57ce905
SHA512d1d78875dacdcd8ba7248b80326f6041ec0e147f59965181edf5296dbde5fa8351aca3d37cecc9b03993bc779f07e0b5b6c197f4a44a0d38cc4c462f0bff7938
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exeFilesize
64KB
MD577d0a5e9a748ddc819f1194cb32cc9be
SHA16cc73127b2f8b94470daa64287b5220a6b011747
SHA256b8e0a31d256bf7876e258b00b532bdba1f3dd221012b0223a71c8b9b608f565e
SHA512dc88cb5ea6ac88bc5b5709580af9dbdffa82cde8212fa74441c5f2705e413928fddd78aebae09fa6657dd3b228a75efa2f1d4fb551ac15fe4254c08c9439224d
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.logFilesize
1024KB
MD5070825070fe2ad27fe6916a1c85fbc1f
SHA1e61dd571327cf256c865ece3432c2a1fee79dfe4
SHA256f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73
SHA51231b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-msFilesize
24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.logFilesize
512KB
MD5026396a4d40d932852100f0e1c2d76b0
SHA15237c0cd4b879b1ee2311b3f082ea8f2470a445b
SHA25617db132651647b061063861136dc2e44522de4a2d8d46b59994ff367e1143dce
SHA512cf264023f0b37f2e169d46b2ef9bd45a059ac08a228261d8ae32f03c6ed3aeb6316f76d7dea325cc1fda2c7dbab7706bcbcec5f529a036204c0af1e8e90f9360
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeFilesize
1.5MB
MD58d5060feb92735d4b49b06e30a48726d
SHA1f40e5389436b08f4700791954d6192faf0498cf7
SHA256ef8b22b803c2664baf7c9059633d259e663ac184541f4e072afc6bd10b6d2fa5
SHA5128ad177efecbaff8808bc1ed9a2238de864447197409c3766e54bb8384281c96f799b57e21926714c1854bd9d153cbc6866f343115dee6ee2332ef2028d06481d
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.logFilesize
8KB
MD54c04601e7298c705bd6af194d14cab2c
SHA117a007453cc32086f4455427c1108b268da785ef
SHA2566919a86cc8f4c355ebe9955f2004733829db8249044b7bd08fc20e02529d3779
SHA5129a20b5f816085eb08d035a812e67626e5ef693213c384a4cf23fb300381e5d21f2e1b5fee559604995a5d6b416ca50366968552cfe5ba83c8855471e2ddd5b6b
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeFilesize
1.4MB
MD5a92ddcfdc3f8b9db9dec04f8952d99a2
SHA1beb6d7a6a7e11607653585ea057ebc4d47aa24d1
SHA256fb55674143a6ac41a1794ecdaefb2cbebf8d00bac93c621b7c2c6bd3162ed157
SHA512476817bca9f191c37b6de6bd2cb6a24bf3036676ed16d188fc720a226cd0fdceac12b533183eecec0e3b21dd3c1147fa8dea3be8594f933f7d7a0e7b7bfec359
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.logFilesize
128KB
MD5493bf611b0d0a4ef53082ead81990df4
SHA1f5e9b8465ea959a9af7209339d7076288a3aa1f9
SHA256a049c867764a3f4322f558c2586c43bbc182c392b44eda898ef64fce6bbcbd16
SHA512a2bf5d2f142b6064dad7acf1b9adc8bf479e84381b28932aea7be88afcfd2e000da7f3e9d7bb377edf456b60c95eff7176cde5eb27e49f42c393a1c4d1238553
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
1.2MB
MD5bae1366eb493eb7246f7b8c3d25faabd
SHA1d90a10d17ec1cd378a3ff73816caccfb6b32cd6e
SHA256ef2247dc548823d11e4b3b80e3709834dc55dc87787341aa0281d8dcffb6ba1f
SHA51280a6b60dc9b1d163f64580f526431e636b8117f8012ec03f77c7c2ab8fde81fc91b772ec207224fb746ac4d8c4a5fc006a400cbd4cadca7b6bcba32af2c7d2fc
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
640KB
MD591d6a1132b19a8849d599533b96f7846
SHA1cdc4e0de67fa0e3c5da49bf7d96f6628177f240c
SHA2562f4b5e84424beb253ffb1b86502d0767abf1eae1e7b29784d7b983a319d1dc4e
SHA512441ce35b677047333c13860b6f755f5130c7cefb36ab6c98122b91523dffaef5224d9c2974de8838494c5911488f24293372c70adf302e2b82b94e11bce7371e
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
704KB
MD51a78616961d1fd963b1792ba39d66f8a
SHA1dc6807e92f627302940f2cdc40a0e11575efcf5f
SHA256fcd51d4b67687922a63db5a6094302e451bdb8df7da9b8128f679b229e531b3c
SHA512622a4446a3383a6729f8294d47d584f5cce04822c639e5ea387afc7a807c777fcb407b48fe0103316e4e9e4a12c343ceb8c2525368e856d01cd83a465b807f87
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
128KB
MD58bafa13828a1aee02b7623b26d878c18
SHA17969e96e018046b3ef5c60367ff1267ca75c4463
SHA2563c0b2729288d712cf0ff688a0c735926c4f13cc43aebe37733d00fad9c4d3ae4
SHA5121de2d06c229a75da7826631117707abd759779abdeac97951613a239fefe615961d20cf4c31324e256df808c0df1cf7d61b522764074d9d18b5fde269baf6579
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
1.5MB
MD59a1223164e78412945f0d8b214be6568
SHA157151f3c29b750770498e7504fbeb59546db0e5b
SHA2563f64fbc45e5c27454675d3466cc31825cccd8ddb748cd1135321fbdd2f5fbf0f
SHA512
e6e5793e85b3625b8efd293d5ce3c2534d2c1f93c674322a1cfd120a5c34994e24a5a026ba173f71238c96ad7c2bc4b2a2ea9bb390a2fce7ff0579fd9582f947
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
960KB
MD5
713aed98995f7d21ca23840511a1feed
SHA1
c5b7bc583ec05b3dbb4e3c152565152eace2adfd
SHA256
8c3414b2ab4ae366931c1628d539e4a607745ad271a5ab89e773a401c2a0fc7e
SHA512
b9f6acd6e4fb21d62a48e046dea71f04706778241f8d8a92233b9a77d5c1e5413419600946f0cce72e5d991d934c2b3c78c923a9c8bbccad2880c1c018ac0738
-
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB
MD5
9ffb6906e08ddd568ecd0b6911d09c60
SHA1
8f258736ad6c540a6e2ea00618cbf659f97171d6
SHA256
f3959730c706d797f14aa40dcb6b49dddfa2cc9eb9f70da2daf58d656ffc2882
SHA512
cd5e8c2d091122e63fde62b2c3b2670f8cc259d2380fdba245fb0e96203756072c85f650f2e015456d28cf18a41a7d32ac39560ea28fec283c7fdbddf89c5a7c
-
C:\Windows\System32\dllhost.exe
Filesize
1.2MB
MD5
dfa5da05cf46ac65564d9a633129e9c3
SHA1
15c8fb8b327b3a4bb1d4ea7e9b333e665444fecf
SHA256
7fd79bbc6d049775646900a710d2528aa227ae850416bf2f5414ce40b1aa8d6e
SHA512
9d0803ed59471439be1cd74aec96817ee3ec5abd9f9ed38c1584403114feb81a6b49d98ceceee0236e3000ec606065c630e2370c236513c3d29ddddd037ded92
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB
MD5
4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB
MD5
3d6987fc36386537669f2450761cdd9d
SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB
MD5
0a41e63195a60814fe770be368b4992f
SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB
MD5
68c51bcdc03e97a119431061273f045a
SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB
MD5
9d9305a1998234e5a8f7047e1d8c0efe
SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\50dfb04b75d6e4731b068bcfa4c358a9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB
MD5
f9a403875a0f8bbbecdbccbb3b967175
SHA1
763be2e2bb7f3ce9448da57f7fc83da6592e8ace
SHA256
e7f1006cd8fd83407cdd1305df591e71d67f7248287a3e97cf0ca4c17d3a8a21
SHA512
5e54e9eb30c6de37e2a55b2517421f16be8f11b3986aed2afc7c7ec7412e17096616c8d9a14e0f770d4e0144e52ffaff4a3f266ba2c3e6f2e0c4dcf0f6ab4780
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB
MD5
57b601497b76f8cd4f0486d8c8bf918e
SHA1
da797c446d4ca5a328f6322219f14efe90a5be54
SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB
MD5
ed5c3f3402e320a8b4c6a33245a687d1
SHA1
4da11c966616583a817e98f7ee6fce6cde381dae
SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\86da0adcf8c46fc41ed764f0be7209cb\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB
MD5
440e78ed54dadfaac9e7a119758d6ee6
SHA1
4d4782d4c0357ae0d71fdb505d0c44ad1cfa010b
SHA256
4bfb47c348d0948291027c6ebab527d4ac84b5fb497f7efe741aa1fd22e0cd32
SHA512
b21f38eec8b05968520ab347317c2c56cf1031ed86d37bdea55631463f26d54fe7a363f2dea6a5cac281415fe8ae0a10f18bf78f941fb639339678e4d4b2c592
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB
MD5
2eeeff61d87428ae7a2e651822adfdc4
SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB
MD5
a8b651d9ae89d5e790ab8357edebbffe
SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB
MD5
5180107f98e16bdca63e67e7e3169d22
SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB
MD5
5fd34a21f44ccbeda1bf502aa162a96a
SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB
MD5
dd1dfa421035fdfb6fd96d301a8c3d96
SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
C:\Windows\ehome\ehsched.exe
Filesize
1.5MB
MD5
5295812ca93b4e643394a0fc6a289fc9
SHA1
4ad5a7bf9acfd845280b61e706c9c7a03b811784
SHA256
e928807d6885b1aa1bb5b9fd9614ef8624d763072a3f07b5e1b29e656d061e6e
SHA512
b037e41fdf38a027a7ce901bab1e698c9258ba6060bd2cdab129aaa6c5f79a5e1dc3957e177cee079a8eaf477d3b0ce0d0897fda5aa901872863b4073faf129e
-
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.5MB
MD5
26c326aaeadc03210257090bce66d078
SHA1
75922ff9ed2f492e3c0ed11a74fa3d3877586ab0
SHA256
d225e679ebaca5dcd6baa4208174b91b35603f315f6a0443820e2050aac833dd
SHA512
0d42252bbd2a2e62e7c7d1b9c8450dca06616e183d0c5ce8e52db6238ac1b82f603a1988b72649b7ebc8d1b1305cd43a494cb8852750b52a521ce426115096dd
-
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.4MB
MD5
2453fb133ec52fb2dcc28e5901bf0f8a
SHA1
1c075d8fe485c6e32bd996760acc0f385d369a59
SHA256
4073613eb23bca31d25faf51cc4aa7027707a7c76bf85391a3e932322a350ad9
SHA512
9949454458778fa7b6324fe7bc05d04e0ecaefc96d97babf8ee0c51cd144bd05ad54e8fa2294616131da4f74f54e1c4d62178a3aad369e3f1411124c07d76eed
-
\Windows\System32\Locator.exe
Filesize
1.4MB
MD5
6d6c5a739cbbdd7f385e37d780f06788
SHA1
bbee8e4e94bbbdb47c2141e46c3756ca11eb29be
SHA256
b6f981df011af31677c6d01124ce8d7c711c0ba5e0bc18c9170c9dcc9bd4ed94
SHA512
be00b94f093a9dedcd12bcee40553c7dcf068fde0d9f2fd37b85b25a10e7d042bbc676a2728e5f9c5590da55b3e3ef66c92074857d0171d59abb8664826120d9
-
\Windows\System32\alg.exe
Filesize
1.5MB
MD5
030b77d9aa676cf5e9631d2340692e73
SHA1
df31480259ef38fe0506ec34edf3f13078a98bf3
SHA256
d12d7d07e79f5c0b169690ade7710cb8878c0966d7ca775aaa39794ae2264b2c
SHA512
a526f7c5f572669115c03e402f21dfd29f40fd97b4027a911ee5dd0b4aa0ea4d77359aaeb34a2ed10d8c47ea0bfc23084d06199baa97a73ea5a57c5d9bd44b95
-
\Windows\System32\dllhost.exe
Filesize
1.1MB
MD5
eb03563d02cfcb2879e44acb4b010e3e
SHA1
36ce3149b994b7a3eead1b533ee4104201af5243
SHA256
5ff9ed3f7f11041494bfb538b917ff112004a6797fdc74f9e82d1b197b9bef3e
SHA512
5ae705893420fdbae2c282736b784bae5ee565e6b2bc713a1da515ea55cedf00c0d7ac89f14e32eb7d1d7e3584ef13a5623032c99e359f705c3b4475b35d3f70
-
\Windows\System32\ieetwcollector.exe
Filesize
1.5MB
MD5
f2844a8e1e66336ba2e4fa70f0456550
SHA1
3b4998fb52d2a8f82bface612c969481e844a85e
SHA256
3793a2b77947a3f14d794e6ece622b1345478cc301b67a41cf352e9d81b4086c
SHA512
2b73df1eefa56b80374b18ea653063d3894f99d1eebb80ec1dcfab4479fb81584e9d0f5dc77381506df4a44a143990bbd52bde952c7a94c1e95f9a7d2a6812a0
-
\Windows\System32\msdtc.exe
Filesize
1.5MB
MD5
99410b91f75b689cd8bff8d902fb6476
SHA1
c196a13fcd3c1dc212fb345932b98262971417a8
SHA256
91fbb50ef68a49f1d26b3e37ab99341db9945e37928c6f74236a2f6d42141fcf
SHA512
32ed1797cdd83188516a3d3fe0da469b348711db042878190083fc83a748e202d54d68c02ff9db8c069b37e1e257cf721557a7bb9c533817f6c898be5ea45399
-
\Windows\System32\msiexec.exe
Filesize
1.5MB
MD5
586bc6b81491eeee46f606bd9082139f
SHA1
990386d8f6c60b98a0e87186152599bd47cc7df3
SHA256
a5b65cfd666028b9ece2eff70d86ac25d2c42177c7fdca929937aa10fd8aeca8
SHA512
b80d593b557819f57e1da73b38abf36b4a7fda7431b45b39e9423509d5b9ce54f9eba803ba6fd7e52c960512fcd2f3d345d63ec23d73d184595d85b16364f678
-
\Windows\System32\snmptrap.exe
Filesize
1.4MB
MD5
9e523a8dc252ad9e521a9e4cdc04517c
SHA1
97424ef2c78a7ec094c2bc05e100beaa97a880cf
SHA256
9234187c28310fd60aa0cde9254a3ffb6db6673a4fa931851b49d6fbf349d3ed
SHA512
487fcd4c60f8413dd82660cb97bc6d94c66ceb0c80a68a320bf6415d602b2c26ce9fee088f7166817a1469f74819217f8077a301d507dde5a336cd0eba971689
-
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB
MD5
5c1558cfbb28a71df231235ff3edf048
SHA1
12d3c16e7beb23ca66882f3e4a34e2e48f59b160
SHA256
f450696dc613d282a7518e59dc45e002bacf9560bfffd4fc811b9add248c28a1
SHA512
141f8f0b0c0f9daea87bffed284ba4ed39b628e8616fcc2fddc6be837796b06c43d49802922081c5a1aba5c490979c65c39dd75f8e33cc151ec7e104631aa403
-
\Windows\ehome\ehsched.exe
Filesize
64KB
MD5
95fcd8f7d8939f337abee5904e26a04d
SHA1
6b5b38d0e052cfbf7e2b3aff71fb745272c1e887
SHA256
42fea5457eac5096ae1673dcac30d43b5d03de9801c0be98fbe80cee1a193721
SHA512
27dc72129d3ff4efed8b39631b97298d3a73ec1834a7fa834fd2c7f45138c24bad070ec008f75ef471b6e46df77c8c711cc875c1e207d602c42c6d732f58cda0
-
memory/576-54-0x0000000010000000-0x000000001017C000-memory.dmp
Filesize
1.5MB
-
memory/576-55-0x0000000000BE0000-0x0000000000C40000-memory.dmp
Filesize
384KB
-
memory/576-62-0x0000000000BE0000-0x0000000000C40000-memory.dmp
Filesize
384KB
-
memory/576-92-0x0000000010000000-0x000000001017C000-memory.dmp
Filesize
1.5MB
-
memory/776-182-0x00000000003E0000-0x0000000000440000-memory.dmp
Filesize
384KB
-
memory/776-242-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
Filesize
9.9MB
-
memory/776-234-0x00000000003E0000-0x0000000000440000-memory.dmp
Filesize
384KB
-
memory/776-233-0x0000000140000000-0x0000000140183000-memory.dmp
Filesize
1.5MB
-
memory/776-352-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
Filesize
9.9MB
-
memory/1064-160-0x0000000000400000-0x000000000057D000-memory.dmp
Filesize
1.5MB
-
memory/1064-74-0x0000000000580000-0x00000000005E7000-memory.dmp
Filesize
412KB
-
memory/1064-81-0x0000000000580000-0x00000000005E7000-memory.dmp
Filesize
412KB
-
memory/1064-80-0x0000000000580000-0x00000000005E7000-memory.dmp
Filesize
412KB
-
memory/1064-75-0x0000000000400000-0x000000000057D000-memory.dmp
Filesize
1.5MB
-
memory/1144-96-0x0000000140000000-0x0000000140183000-memory.dmp
Filesize
1.5MB
-
memory/1144-95-0x0000000000520000-0x0000000000580000-memory.dmp
Filesize
384KB
-
memory/1144-175-0x0000000140000000-0x0000000140183000-memory.dmp
Filesize
1.5MB
-
memory/1144-103-0x0000000000520000-0x0000000000580000-memory.dmp
Filesize
384KB
-
memory/1300-343-0x0000000000230000-0x0000000000297000-memory.dmp
Filesize
412KB
-
memory/1300-337-0x0000000000400000-0x000000000057D000-memory.dmp
Filesize
1.5MB
-
memory/1536-143-0x0000000000390000-0x00000000003F0000-memory.dmp
Filesize
384KB
-
memory/1536-204-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize
1.2MB
-
memory/1536-157-0x0000000001430000-0x0000000001431000-memory.dmp
Filesize
4KB
-
memory/1536-134-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize
1.2MB
-
memory/1536-264-0x0000000001430000-0x0000000001431000-memory.dmp
Filesize
4KB
-
memory/1540-248-0x000000002E000000-0x000000002E18A000-memory.dmp
Filesize
1.5MB
-
memory/1540-250-0x0000000000310000-0x0000000000377000-memory.dmp
Filesize
412KB
-
memory/1624-195-0x0000000000FE0000-0x0000000001040000-memory.dmp
Filesize
384KB
-
memory/1624-188-0x0000000140000000-0x000000014019F000-memory.dmp
Filesize
1.6MB
-
memory/1624-201-0x0000000140000000-0x000000014019F000-memory.dmp
Filesize
1.6MB
-
memory/1624-202-0x0000000000FE0000-0x0000000001040000-memory.dmp
Filesize
384KB
-
memory/1668-291-0x0000000000400000-0x000000000057D000-memory.dmp
Filesize
1.5MB
-
memory/1668-341-0x0000000072780000-0x0000000072E6E000-memory.dmp
Filesize
6.9MB
-
memory/1668-340-0x0000000000400000-0x000000000057D000-memory.dmp
Filesize
1.5MB
-
memory/1668-327-0x0000000072780000-0x0000000072E6E000-memory.dmp
Filesize
6.9MB
-
memory/1668-303-0x0000000000310000-0x0000000000377000-memory.dmp
Filesize
412KB
-
memory/1880-166-0x000000002E000000-0x000000002FE1E000-memory.dmp
Filesize
30.1MB
-
memory/1880-168-0x0000000000240000-0x00000000002A7000-memory.dmp
Filesize
412KB
-
memory/1880-267-0x000000002E000000-0x000000002FE1E000-memory.dmp
Filesize
30.1MB
-
memory/1932-185-0x0000000100000000-0x000000010016A000-memory.dmp
Filesize
1.4MB
-
memory/1932-193-0x00000000001D0000-0x0000000000230000-memory.dmp
Filesize
384KB
-
memory/1932-122-0x00000000001D0000-0x0000000000230000-memory.dmp
Filesize
384KB
-
memory/1932-114-0x00000000001D0000-0x0000000000230000-memory.dmp
Filesize
384KB
-
memory/1932-117-0x0000000100000000-0x000000010016A000-memory.dmp
Filesize
1.4MB
-
memory/2288-245-0x0000000100000000-0x0000000100542000-memory.dmp
Filesize
5.3MB
-
memory/2288-249-0x0000000073E28000-0x0000000073E3D000-memory.dmp
Filesize
84KB
-
memory/2288-246-0x00000000001B0000-0x0000000000210000-memory.dmp
Filesize
384KB
-
memory/2628-40-0x0000000000610000-0x0000000000677000-memory.dmp
Filesize
412KB
-
memory/2628-46-0x0000000000610000-0x0000000000677000-memory.dmp
Filesize
412KB
-
memory/2628-111-0x0000000010000000-0x0000000010174000-memory.dmp
Filesize
1.5MB
-
memory/2628-39-0x0000000010000000-0x0000000010174000-memory.dmp
Filesize
1.5MB
-
memory/2664-252-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
Filesize
9.9MB
-
memory/2664-279-0x00000000001E0000-0x0000000000240000-memory.dmp
Filesize
384KB
-
memory/2664-278-0x0000000140000000-0x0000000140183000-memory.dmp
Filesize
1.5MB
-
memory/2664-280-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
Filesize
9.9MB
-
memory/2664-247-0x00000000001E0000-0x0000000000240000-memory.dmp
Filesize
384KB
-
memory/2664-243-0x0000000140000000-0x0000000140183000-memory.dmp
Filesize
1.5MB
-
memory/2792-15-0x0000000100000000-0x0000000100179000-memory.dmp
Filesize
1.5MB
-
memory/2792-14-0x0000000000780000-0x00000000007E0000-memory.dmp
Filesize
384KB
-
memory/2792-21-0x0000000000780000-0x00000000007E0000-memory.dmp
Filesize
384KB
-
memory/2792-22-0x0000000000780000-0x00000000007E0000-memory.dmp
Filesize
384KB
-
memory/2792-94-0x0000000100000000-0x0000000100179000-memory.dmp
Filesize
1.5MB
-
memory/2908-132-0x0000000000590000-0x00000000005F0000-memory.dmp
Filesize
384KB
-
memory/2908-0-0x0000000140000000-0x0000000140192000-memory.dmp
Filesize
1.6MB
-
memory/2908-1-0x0000000000590000-0x00000000005F0000-memory.dmp
Filesize
384KB
-
memory/2908-7-0x0000000000590000-0x00000000005F0000-memory.dmp
Filesize
384KB
-
memory/2908-8-0x0000000000590000-0x00000000005F0000-memory.dmp
Filesize
384KB
-
memory/2908-73-0x0000000140000000-0x0000000140192000-memory.dmp
Filesize
1.6MB
-
memory/2908-129-0x0000000140000000-0x0000000140192000-memory.dmp
Filesize
1.6MB
-
memory/3000-156-0x00000000008D0000-0x0000000000930000-memory.dmp
Filesize
384KB
-
memory/3000-146-0x0000000140000000-0x0000000140237000-memory.dmp
Filesize
2.2MB
-
memory/3000-251-0x0000000140000000-0x0000000140237000-memory.dmp
Filesize
2.2MB
-
memory/3048-28-0x0000000140000000-0x0000000140172000-memory.dmp
Filesize
1.4MB
-
memory/3048-29-0x00000000004C0000-0x0000000000520000-memory.dmp
Filesize
384KB
-
memory/3048-35-0x00000000004C0000-0x0000000000520000-memory.dmp
Filesize
384KB
-
memory/3048-115-0x0000000140000000-0x0000000140172000-memory.dmp
Filesize
1.4MB
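The dropped-file and memory-dump records above are the raw material of triage, and two checks are worth automating before pivoting on any of the hashes: that each memory record's address range (encoded in its name as pid-index-start-end) agrees with the size the report lists for it, and that basenames recorded more than once (the listing has two ehsched.exe and two dllhost.exe entries with different hashes and very different sizes) are surfaced rather than overlooked. The script below is an added example and is not part of the report or of any sandbox tool; the record subsets it embeds are copied from the listing above and labelled as constructed samples, and the naming scheme it parses is an assumption inferred from those records rather than a documented format.

```python
# Added example (not the report's own tooling): parse sandbox "memory/" and
# dropped-file records, verify reported sizes against address ranges, and
# group dropped files by basename. The naming scheme (pid-index-start-end)
# is an assumption inferred from the listing, not a documented format.
import re
from collections import defaultdict

MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
SIZE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB)$")
UNIT = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample: (record name, reported size) pairs copied from the listing.
MEMORY_RECORDS = [
    ("memory/576-54-0x0000000010000000-0x000000001017C000-memory.dmp", "1.5MB"),
    ("memory/576-55-0x0000000000BE0000-0x0000000000C40000-memory.dmp", "384KB"),
    ("memory/1536-157-0x0000000001430000-0x0000000001431000-memory.dmp", "4KB"),
    ("memory/1880-166-0x000000002E000000-0x000000002FE1E000-memory.dmp", "30.1MB"),
    ("memory/2908-0-0x0000000140000000-0x0000000140192000-memory.dmp", "1.6MB"),
]

# Constructed sample: (path, reported size, SHA256) copied from the dropped-file listing.
DROPPED_RECORDS = [
    (r"C:\Windows\ehome\ehsched.exe", "1.5MB",
     "e928807d6885b1aa1bb5b9fd9614ef8624d763072a3f07b5e1b29e656d061e6e"),
    (r"\Windows\ehome\ehsched.exe", "64KB",
     "42fea5457eac5096ae1673dcac30d43b5d03de9801c0be98fbe80cee1a193721"),
    (r"C:\Windows\System32\dllhost.exe", "1.2MB",
     "7fd79bbc6d049775646900a710d2528aa227ae850416bf2f5414ce40b1aa8d6e"),
    (r"\Windows\System32\dllhost.exe", "1.1MB",
     "5ff9ed3f7f11041494bfb538b917ff112004a6797fdc74f9e82d1b197b9bef3e"),
    (r"\Windows\System32\alg.exe", "1.5MB",
     "d12d7d07e79f5c0b169690ade7710cb8878c0966d7ca775aaa39794ae2264b2c"),
]


def parse_memory_record(name):
    """Split a memory dump record name into pid, dump index and address range."""
    m = MEMORY_RE.match(name)
    if not m:
        raise ValueError(f"not a memory record: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "bytes": end - start}


def reported_size_matches(nbytes, reported):
    """True if nbytes rounds to the reported size (KB to 1 KB, MB/GB to 0.1)."""
    m = SIZE_RE.match(reported.strip())
    if not m:
        raise ValueError(f"unparseable size: {reported}")
    value, unit = float(m["num"]), m["unit"]
    scaled = nbytes / UNIT[unit]
    tolerance = 0.5 if unit == "KB" else 0.05  # half of the report's precision
    return abs(scaled - value) <= tolerance + 1e-9


def check_memory_records(records):
    """Names of records whose address range disagrees with the reported size."""
    return [name for name, size in records
            if not reported_size_matches(parse_memory_record(name)["bytes"], size)]


def regions_at_base(records, base=0x140000000):
    """pids with a dumped region starting at `base`. 0x140000000 is the linker's
    default image base for 64-bit PE executables, so such a region is usually
    the process's main image (an assumption worth confirming in the dump)."""
    return sorted({parse_memory_record(name)["pid"]
                   for name, _ in records if parse_memory_record(name)["start"] == base})


def same_name_different_hash(records):
    """Basenames that appear more than once with differing SHA256 values."""
    by_name = defaultdict(set)
    for path, _, sha256 in records:
        by_name[path.rsplit("\\", 1)[-1].lower()].add(sha256)
    return sorted(n for n, hashes in by_name.items() if len(hashes) > 1)


if __name__ == "__main__":
    print("size mismatches:", check_memory_records(MEMORY_RECORDS))
    print("pids with a region at 0x140000000:", regions_at_base(MEMORY_RECORDS))
    print("same basename, different hash:", same_name_different_hash(DROPPED_RECORDS))
```

Run against the full listing, the size check should come back empty (every range above rounds to its reported size), and the basename check is the quick way to notice that the 64KB ehsched.exe and the 1.5MB ehsched.exe are two different files at the same path, which is the pair to compare first when deciding which one is the original system binary.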