635bbbe254e983f1181094d011d33b3961c53e99493ea65ebfcbcc3f1c52cd3c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
Size

1.5MB
MD5

de27529b17db2e2656778f67876900b6
SHA1

aa3107ae1ccd629c57dd70298c1482a9edf858c4
SHA256

635bbbe254e983f1181094d011d33b3961c53e99493ea65ebfcbcc3f1c52cd3c
SHA512

5b1fa47ab30fafc431ffe33d26f4c69921d65421d6b347ba163461ac636d7dd67e98b4debfe22919d1e1e4e0ee599d1d7f6d95a7f5569ad9073dfaa52786ca2d
SSDEEP

24576:kZ7+quEOtqZpp0YYtwlGhNsof2e7A+ebC:kZ7+xHmpSK8hWomh

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
480
2076	alg.exe
2808	aspnet_state.exe
2700	mscorsvw.exe
2580	mscorsvw.exe
2900	mscorsvw.exe
1664	mscorsvw.exe
2876	ehRecvr.exe
1952	ehsched.exe
780	elevation_service.exe
840	IEEtwCollector.exe
772	GROOVE.EXE
1992	maintenanceservice.exe
2980	msdtc.exe
2376	msiexec.exe
2632	OSE.EXE
2956	OSPPSVC.EXE
2752	perfhost.exe
2152	locator.exe
1984	dllhost.exe
1556	mscorsvw.exe
1884	mscorsvw.exe
2180	mscorsvw.exe
3036	mscorsvw.exe
2252	mscorsvw.exe
700	mscorsvw.exe
2108	mscorsvw.exe
1504	mscorsvw.exe
2692	mscorsvw.exe
2396	mscorsvw.exe
2264	mscorsvw.exe
1968	mscorsvw.exe
1064	mscorsvw.exe
2308	mscorsvw.exe
1496	mscorsvw.exe
2668	mscorsvw.exe
2136	mscorsvw.exe
2448	mscorsvw.exe
448	mscorsvw.exe
2424	mscorsvw.exe
2072	mscorsvw.exe
1556	mscorsvw.exe
2624	mscorsvw.exe
2960	mscorsvw.exe
2748	mscorsvw.exe
1992	snmptrap.exe
1576	vds.exe
1872	vssvc.exe
2768	wbengine.exe
2960	WmiApSrv.exe
1564	wmpnetwk.exe
1752	SearchIndexer.exe
1668	mscorsvw.exe
2012	mscorsvw.exe
2004	mscorsvw.exe
3040	mscorsvw.exe
540	mscorsvw.exe
2992	mscorsvw.exe
2084	mscorsvw.exe
1916	mscorsvw.exe
1464	mscorsvw.exe
2728	mscorsvw.exe
2976	mscorsvw.exe
1932	mscorsvw.exe

Loads dropped DLL 35 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
480
480
480
480
480
480
480
2376	msiexec.exe
480
480
480
480
480
480
760
540	mscorsvw.exe
540	mscorsvw.exe
2084	mscorsvw.exe
2084	mscorsvw.exe
1464	mscorsvw.exe
1464	mscorsvw.exe
2976	mscorsvw.exe
2976	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1528	mscorsvw.exe
1528	mscorsvw.exe
1460	mscorsvw.exe
1460	mscorsvw.exe
1932	mscorsvw.exe
1932	mscorsvw.exe
1572	mscorsvw.exe
1572	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

aspnet_state.exeSearchProtocolHost.exemscorsvw.exe2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exeGROOVE.EXEmsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5be422d48a0c1054.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exealg.exeaspnet_state.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exemscorsvw.exemscorsvw.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7272.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8DA63582-AFD1-409D-AAFF-71CBB8098A5E}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP88EE.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7BB5.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7EFF.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8BFA.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP757E.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP821B.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ehRec.exeSearchFilterHost.exeSearchProtocolHost.exeehRecvr.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000803fe984b04fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

1692 ehRec.exe
2808 aspnet_state.exe
2808 aspnet_state.exe
2808 aspnet_state.exe
2808 aspnet_state.exe
2808 aspnet_state.exe

pid	process
1692	ehRec.exe
2808	aspnet_state.exe
2808	aspnet_state.exe
2808	aspnet_state.exe
2808	aspnet_state.exe
2808	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exealg.exeaspnet_state.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3032	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: 33	2248	EhTray.exe
Token: SeIncBasePriorityPrivilege	2248	EhTray.exe
Token: SeDebugPrivilege	1692	ehRec.exe
Token: 33	2248	EhTray.exe
Token: SeIncBasePriorityPrivilege	2248	EhTray.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeSecurityPrivilege	2376	msiexec.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeDebugPrivilege	2076	alg.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2808	aspnet_state.exe
Token: SeBackupPrivilege	1872	vssvc.exe
Token: SeRestorePrivilege	1872	vssvc.exe
Token: SeAuditPrivilege	1872	vssvc.exe
Token: SeBackupPrivilege	2768	wbengine.exe
Token: SeRestorePrivilege	2768	wbengine.exe
Token: SeSecurityPrivilege	2768	wbengine.exe
Token: SeDebugPrivilege	2808	aspnet_state.exe
Token: 33	1564	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1564	wmpnetwk.exe
Token: SeManageVolumePrivilege	1752	SearchIndexer.exe
Token: 33	1752	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1752	SearchIndexer.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2248 EhTray.exe
2248 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2248 EhTray.exe
2248 EhTray.exe

pid	process
2248	EhTray.exe
2248	EhTray.exe

pid	process
2248	EhTray.exe
2248	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

SearchProtocolHost.exe

pid	process
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe
1956	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 1664 wrote to memory of 1556	1664	mscorsvw.exe	mscorsvw.exe
PID 1664 wrote to memory of 1556	1664	mscorsvw.exe	mscorsvw.exe
PID 1664 wrote to memory of 1556	1664	mscorsvw.exe	mscorsvw.exe
PID 1664 wrote to memory of 1884	1664	mscorsvw.exe	mscorsvw.exe
PID 1664 wrote to memory of 1884	1664	mscorsvw.exe	mscorsvw.exe
PID 1664 wrote to memory of 1884	1664	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2180	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2180	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2180	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2180	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 3036	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 3036	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 3036	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 3036	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2252	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2252	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2252	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2252	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 700	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 700	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 700	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 700	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2108	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2108	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2108	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2108	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1504	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1504	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1504	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1504	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2692	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2692	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2692	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2692	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2396	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2396	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2396	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2396	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2264	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2264	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2264	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2264	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1968	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1968	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1968	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1968	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2308	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2308	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2308	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2308	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1496	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1496	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1496	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1496	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2668	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2668	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2668	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2668	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2136	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2136	2900	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2700

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 1e8 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 1f0 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 1e8 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 244 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e8 -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 280 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1e8 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 23c -NGENProcess 24c -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 294 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 294 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 23c -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e8 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 240 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 204 -NGENProcess 1dc -Pipe 1a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 24c -NGENProcess 1c4 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 220 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 204 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 220 -NGENProcess 204 -Pipe 1bc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 26c -Pipe 208 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 264 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 220 -NGENProcess 27c -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 280 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 27c -Pipe 1b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 240 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
2⤵
PID:2464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 27c -Pipe 204 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 220 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 294 -NGENProcess 290 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
2⤵
PID:700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 220 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 278 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
2⤵
PID:1856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 240 -NGENProcess 220 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 220 -NGENProcess 298 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:2652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
2⤵
PID:2356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 240 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"
2⤵
PID:1252

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2876

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:780

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:840

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2632

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
22KB

MD5
9dd4ec2a7ffc621e2d347417f6e966bb

SHA1
22ab216dd5b4d06193aecfa8e0a9920648481614

SHA256
1b53bc07c05b9cee613b657edef4e6f17a4a038c6451c54647cb2c7193d49065

SHA512
de94cbb75431684580aad657210e7d63b19b66114a441ef31e8b94a2f806fb06442fdfb5d4d3a5a3f517f831991c55c77c8b5622cf311f42d83867ac32b4fed6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
813KB

MD5
93d5908377bda4b29ce9148e06664341

SHA1
51e81fa9ea7039b63ca2e9567a904465f0e54445

SHA256
cb2a41d409c7d4884575d2718fa71c8911aac60072436b2c54c37c8e5dbeecd5

SHA512
148e68f765b70689c99680221a5301c98c06bdf15eaf3d2228d62b3aeca2e61f291db07c73c5a2039a8939cc7cd87d1b3f1ca104cdc37f515aba8487b6b0a8ab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
314KB

MD5
52b91cf2dfc0b92f22a82cf3571130e3

SHA1
09240cef51c2445122d6054a5e38751cf1c3e7ed

SHA256
c84efb37ec2d5f41110b5715611fb65c6b0cad900efa2f3cd4fc90443ad2dcd2

SHA512
89130f91491a8ee8d7578de177e4a8638c4299ed0a7dc5be5cf82c032f9f87e2edc9d5fcde596d9b786c690c2e4f8b8042e77ba2ba5812437b9d8ac60b8d2bfd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
283KB

MD5
f0af3a64d5dc56ce957ff63ed325ef45

SHA1
684bdde0a38046293a92b2afa47a8dd7e43385aa

SHA256
f247c9adacbb4d496f0905a8ab8249aadcbc2dfe5b17ade23b012dd392faf93b

SHA512
0235fdff4778d4a129452e726df544a8e0ad989b76ffb8eec49ff0b98864d9b61f45487cd90de73aa0dd818e32c5b6006423b12c89940131ec35770034154a60

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
393KB

MD5
2f7f9040dca89cb20702d85c1a7532c5

SHA1
b3e3db4b2c09e89f5c195dce94e7b5aaba19800f

SHA256
1d7852b3ec722268c8bcf189a138758f3573434a9781ee7fc927360ed877cd9a

SHA512
622725e2116dfa5081e13cfe108db05f6857c65fde73a80b90504d2fd58e87ff0a56f445bc1e07b55c8c04a462eff6159d73bc658bc0f642d0fa5fb9093e2d45

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
1.3MB

MD5
5550cf0d393683cefa553f0f84068b7b

SHA1
2e3418d9d2ab1e5337a3e3b9997d5063b1b05188

SHA256
5271058bc9e6f251167b913b4d232dac8f60aa87ec94f48de116ec94c5a2c30b

SHA512
c95fa3c99e859c0e39d0632177d6865b8df51fa6b9d8e23ceee1a30dfa7aacd152dcc918d51cd1dd26ecdef05c2c74d210c91420206f90bb9c4212daaf39c9b7

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
6cc7c4e758f4ab01474e2482bfdd64fc

SHA1
8975c9e6f781ad5f4c9efcc46f88b9135bcbcfb1

SHA256
95b6c6fc6f200ad9774db8aa685640771a680ac2d93ab7339b4e941a10baa15c

SHA512
be27fd458d70e2c08b330d456320d938fc49b59376dfdbc9e3e9502e3cfe873ae79a5525734c376c27a86bef90af35b648df041005b690ccec9cc6c997b3340d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log
Filesize
1024KB

MD5
bc89b53aa8542c5ce2a5cc917462c0fc

SHA1
0a660888856ac5a0d6eb04d67dd943d3f3c9b8a8

SHA256
e71b5302e6e0e386873f0036cff49d36ff549444ea62e8d3a1363a42bc90ded3

SHA512
74f7bd4d7266f6a39f36bf18ad967243193b1ef9f56c5f7542b35b44664f71f6c7cc0609c90762298e4bd97acff13e3075602bd2bb5bde638e24f21b87746da7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
bb2e348b51c88b06258935cca25dde7a

SHA1
78058027c102ac759fef7ae78bc62368991d1852

SHA256
1dcc2a1a51f60adc2bd6a72de93a02548a0877a6f15d8a4eadc43f6e6bb72616

SHA512
7cb086a9492b178000f8835a9f91573c3aabba1a03f96a65df3fa68846adb6d45590190f195ed4ff189b6996df2ea05b31cb716c35f67cfe21e6fbc837149c58

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.4MB

MD5
90fa766bc90b49030da62e2ac152e974

SHA1
51e7ca4ab8a992219a5f7927ec3c98bf9223194c

SHA256
0fa66eee902d5b271a2a480205f557e8bb2062cb57c8e9bed9722adee77cd1d0

SHA512
14d82d1dc846b3ba59e0b5ec1c8449bf8006dbcc8eaf3b82fabed6c7c3cb0bd020fa5db8aabeec26e3396f09b595adb1551529135b77981dae4c0f2d288e5b8b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
896KB

MD5
a253671d2d9f4818e2954657df12a7f1

SHA1
83ca10d51da016ca05dc3abfb56b5de176f74f77

SHA256
f5afaf3ebac7739c093cdef4b74302133229526d8736b647edffa84122fb079b

SHA512
f63fdf35fd10a16749b2dc1484b2d5fd2abeedc6df2891d46fea447865866547d803dd9f9d906ab932c724f88fea5a048d9693ce21a828f747610442878435fa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
200KB

MD5
cbced0fe44c054a8b48a19d025c9080c

SHA1
c93c174d0137c91648d05a962148628d4c169ead

SHA256
6928e9220757eb59c482abe1eae0082c7f9056eb57f1cd62494d3f267d6249ae

SHA512
b0d73f2973432ea07bf6943092669c1eb4189e91647ac1df68263893279f48845702de1b9bec2d8c428cdd7c511ca0e98ed383ca97b969500f6748040be82d3c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
141KB

MD5
8e58d6305bbcf545c4333750bd462682

SHA1
b1bcec501406887e1b0b42213ef3c5181b7f9a52

SHA256
061cb8dd304751ab8aec6af2aa49b2b54e4d6d40b4996c41829d1005e07aef36

SHA512
41e48b46dfb8bc9adedfb2b128704bb386893a4e9e6c6b6d4f93f4c0757a15fb376a7f0667f95ad662d458efab207a144d92ea40ebf91de903ba858d960d67ad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
65d41e855455d3ac010f4a10071a6a85

SHA1
da6820e417d9805dc1a20238eb45d8fafd3a9413

SHA256
47c585e1b6200fcd3ac16caa906520f6870f2698c2b89b90f3b613c0d9be2f2c

SHA512
b45bae430fd848dbfc51583f50ed4f875becfde6bd9c6680a97a08b2d3df06396bdae48f82073087869a2f86f55845042f0af0aac65469e847493a6ddcb2721b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
0f77a3802013f51a87fd5c557a12702f

SHA1
a65f7a364049092f3a1447959b888335c929591f

SHA256
fd93df18bfa289451c2cf5c74f88217db271c36f5e616f97f53613ab3bdb4d14

SHA512
87ac5451336a138502dfec9b585a2700722eae07ba0877c7259ae3798e2bce575c879b4f981d363b86aeab564190a5e7cdad00184f333196ba015aab82bc8375

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.4MB

MD5
ae2ebf4505d8d685162b28167e6a9385

SHA1
2d915047fe536aca4f4bd4de392ff1e2b044eecf

SHA256
2d218aa319e2635f6978abd7ae40c62f5da60fdd6000132f74256ad128366a99

SHA512
b2b19394eb53246875270de270c9c4b1ff9a8d2102bce21b56aaae955252aa557c6eacda68edb383f38f2d40953ab12d6c6394ba9c5a9fd92f1072323ec5368b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
deb034a7e9f23a5541b2724b7b7d17aa

SHA1
e3862eb17fcdd776f022a0e34857772c38dc3ca6

SHA256
f30302768c1f6250dd443f67088453516de447cdc3a99a15e2d36ac8069083e2

SHA512
8b01ab2a84cf5425818981d771f6824b5145291dffa2e02da19cddcb985261a7335816858ad0ecce833519b643fd6512b7b2847cd26db121694a2832ac628870

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
896KB

MD5
8053f19ddaf4f292ec9e3b8f039ce00d

SHA1
08372c3e127ea00ba25fcdd3612c20b573a3a016

SHA256
933d203d1f08a735bd28cd3d12c90aed25727d8758fb322c9da912581434440f

SHA512
bf2c9b7897c72a7e95f8a63ecac834292588ab6254a15c65f5cf6ef7113bd758163ac20e0daba6a13ca3635c62e0a998c0b8bb19f64224f97b43bb92ce5786fd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
169KB

MD5
d21084904f73faa2c4f68a7b814841c8

SHA1
4e6b511bd9228df00681ff2bfb277b6359f29d0b

SHA256
d57ed12c184cd744e576feab2bcc6cad50742b63a20341abd889b005e365c6ff

SHA512
1cc743f26027125a5252afbacc5ba07e0d49aff50b8247cadaee9e6d345b189093508feb2b34f632150b3539fde9cb70b9d0de9ea05373418a5e316f3105b4a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
246KB

MD5
6db33d9eab076bc1e452b611374326b6

SHA1
6642516043d9fbf39c0d15a4824cd02974ea2cf9

SHA256
7843c45c9b7f02f338a2bca331699258e289b20582a75e3a439c1fd36a6a858a

SHA512
07f5c840016ba5e669459865a12461b98f8fbba0721b7bfffa4f62e7f2abed099701ac97d21b68ff6c2780f1885db0ba310a3841be54d9b61016ab14fd2b6e58

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
112KB

MD5
e2966242503bbe055730303d9ea1b240

SHA1
0703f1408647c2d9d52deef86d33e0431d4c896d

SHA256
15d457d92b686b408fca8a6db05bb19c102bc83c3ec5760abe57aa7c098c5a40

SHA512
25dc228eac077f1c34e53cdc3cf83b68ac2369eb39b676c05f8d336fada18fa4c8250ff6609cdcd46cd02f3bcc1839bd531371bfc9b2a6d18d383c8df4155a80

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
95KB

MD5
0f93244e35e68d323d4278e92739fbbb

SHA1
c8756ec81d91e06a0cf3b8f4465651aebb1dcc1b

SHA256
091fb29a5d4fc20fa5ac08e6c0ca9049d06f9aae39ee22f6ccd924fe5f24326d

SHA512
0199cfa099141ebc10e60c76f1e54ad5a29ca68bd607df205e0f72a539437bfe2f424055bb8d8999a39247c9a9dae1d74ce207d39cc6a996ff600d05a3c973dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
72KB

MD5
368975cf43a9805960cd81885b8a12c2

SHA1
6dea1f360099652892ace11c976c91faf300141a

SHA256
03cbc46f2c631052801158f7e40a810976d5c6a24547a5a3da1e0ddb6301a14e

SHA512
1ae1effdb39fb03fd2aecadf3358f3790707672f59e4a6f4e65d2a1b81a8a0b09d8e17b73a2b11004964465f8d9b8adebbc2d41fb78b8c598ffd7bbd637262e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
56KB

MD5
302a40cbbd83e1c4a785203e0254908c

SHA1
09f19af8716670438e7d9dd9ebb81ecfc25fafc4

SHA256
fe7dc42bed3797c2a522acd623328676240fdb88fed01137a9cacab781342574

SHA512
3aa7d780eecc2f3e7764ed3ef11e8db546d469ad3ea3745ff6f1ae96756077b8f83792cfae5280359d9052b8037ecaa9d95d61fb6cd0975f31e7cac746cb2d57

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
90KB

MD5
0e82a9d62452820c5413b3676a01ae04

SHA1
ec5b4ddf5b625b0b684bdfbaf33077a7c8b5022f

SHA256
642d62e0f455fb791eb5b4885e798a069aeb39348f9f6f5461dec11fcf7b56b9

SHA512
ceedc99932dcc58eabf5e96082d098980f948dc515f7bb929298615677f71f0d8704c202d728718099e09ed68fb43737201a50000ddb32776a396188b61e3629

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
30KB

MD5
88ed41bc062631e1d3378f0f4adad152

SHA1
67f2b1ee8dc3edff8dce96e6532e4be395e9d934

SHA256
74695b0be8afa021588a43788657b42e6a4f9009c493244f26d1733e07624088

SHA512
72a6d19b2cd39acadbf8c579e55cfb8b72a6ad658e38233af63e3603a5625bb746c8c531f0ada3b07372ae550522f296d18df2814c9701cf6b3e706c6784e17e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
65KB

MD5
28bd3f1f2373b59dfa500148e70d734d

SHA1
d0804795dbc5535eba2b20d1e5be2cb679d950bd

SHA256
c58794ba9b26aa98001afecfcec82470300c7456e98f4dc0049af7cef47b5c7f

SHA512
85fa99078124124c47ce3b893de69c2575721309ed3ed369eef3e49100c8930f78953091ba08d34fdbd8dd8220d3b1bdbefb7c5c00f30852937f64e05bf00cc6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
59KB

MD5
e7e9911faf73a7b13a336359b66828f7

SHA1
a1cdf08a844387db818f74aeee77933f270ecdd7

SHA256
ad9c548dae4531a42f2a75a7b84166a919a08ce5b7799e71ae0402c1ec92ca9d

SHA512
3094b97f6d19c7156d28501dd1a630c7522ae24e9a361a9d60576227f472f4d2d64c42013c869cc367749f8b41517d7e794f567ae7a66931e3a2ff08cbdd5771

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
226KB

MD5
19ad6ea767e11ba1ea3b04a1665f28f3

SHA1
069cad4fa2c9a8abdb5109ecf386e06c2f1277d4

SHA256
59f87156923b69bf510473b69d8cd3e6f4bb3a0bff3bbb1cec4cbbf61c37d736

SHA512
5bf25f8aaa0a82e33a6a75d8018d5e8e9c58783ae57a771a0a81a109a00b5bd305b51e05f3fd15e5d3f87b602f8d02a23f6a00ddb2192e75ca8ea5f33779bfb2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
192KB

MD5
cb58375431b08baffcb3e22d6c781424

SHA1
c85b3b853749ee61a8e012400f4d3fd40d6ff8b8

SHA256
7719aa3d470dbed2153861a19148cdfefa399603954a398dc22355a55eb10743

SHA512
a806ee3a143eeb8df6bffcfd517aaa6428351f44ab843a7e3c7232977695b7fd43226f04f53f7ff2fd4f2f9fd5259b47d055735caeccee97af4ccbe6c6603446

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
126KB

MD5
93e66af6dcd7b3c77995bb175e9ea0fd

SHA1
cf30e9b3fda888a07d41afa118be3472ae3ad752

SHA256
13e587d6e159488331a91ad8dd5a83b13434ae47731f391dcef864d77a31222c

SHA512
9505431e1996dd6d57f1b1ff025d58393b76051e1d29ee23b16d9cede0697e46ba5f451c52b722605e171d9b500c9501492fc53da676fd14acb3434b0f33c51f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
4a91eaaae3997aadf96e179814a1bab7

SHA1
6cb04d457277cd6444ab4082f383959184e49b18

SHA256
5656e2f57f25abc5e7a91f2709fe51d28a6531dbc8ff909bc183f2ef6e83d8ba

SHA512
93b6305fc4b0ed41250c691f7cb9af162c21bf8c73439716eafad1ad63b8c4cde0bd921b6300205603b0f26ee1b58887bb24ddf0f3e30d74170b0840c83a8ac3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
61KB

MD5
39c138229328cbc4e8492c6f25d6505b

SHA1
da26e612e64df53d172c487ec4b02a91e504f9f0

SHA256
05b4f2e170326d6c57785b393729be85321dd3a08a7f9cd41522eb56b27e03da

SHA512
f00640f30c0b19a5808c7f70adbf62a53c844865a07993ebf4680e2d7e26cf255aa376f67b64abbc4f0c38e4b0cf0556482f69901e6d97c754de221e859d69ed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
136KB

MD5
941a0f58c5b87f167eb3bb1ba7c9482e

SHA1
f4f44f5786e79c3c480435bd757137027fdc32b9

SHA256
016262789bd5f34ada5a34fd0a34242071a72e03edf3f9fe78bb97aa21427b56

SHA512
7e331c9344785704ba685c5e29182dc5ebef5c09ab1d737f9941c07dff29588a5f46b8844d3c44d92db87bb9832217f21c002cfe784fbcea53774c162f2aa47c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
64KB

MD5
058bf2f1d618a10b8b396c7b92e337f3

SHA1
fc83e6795f809e61d57df3cdcf95af15eb7475c3

SHA256
7ed7ecaacd43cd791e7ef295e0ddb6195e3f401ee016d4235957862002b4d9bf

SHA512
2bc5ea652081b393b39d37b4669d60947ca49f79c30a8e1b7ec51e24becfea7711336e6e543fcd440ca28a21147c0d2450b268bc988368abe55d80cabd331af8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
174KB

MD5
54c34a174add440f9edb2c100be87300

SHA1
be933e9bc7291d2d5bcc3843105423a2fbd30a13

SHA256
6576bed593c539a798c264b9d916ff2e6e2893a8b0f7c6f59b080f43e928a8cc

SHA512
d7f5b80e9ef500d30c45b1a601bb6ee4fa1e05f0dfc829c8571e993de63987e58488d60a06ee35e2c1f5feee5976c381e9a86b5fd043fd7f09573e29638c4c06

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
78KB

MD5
a4363dc13bb9081145548700844cdd5f

SHA1
d424bf6584f88dc1e856a0aaf9ebc3a9ef857c64

SHA256
c1c5a03f46b75bacf9d46cfa46daa8b0fcd8ee800a5cea7d02397986feb44c5f

SHA512
bda498702279922bed63b3222c9d1e9b900b1c33864b793d11cfc0cc964ecb9648683ef02f6c62c3abb80dc009feaf9160976f384735688e80f51083ac7c0684

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
185KB

MD5
8b0eac910470e4e9902bf711dbfefc47

SHA1
9d56ead64abca16015df2e0397d1dfe3a4ca39d8

SHA256
596961d607bd3c704e18143fccc051e98dbacca9fb2bc9756c90a7ea61c65894

SHA512
fa96b7182c0aac7e75ef497b22b8662db2c6ff7d73e696dc0c1493bce49688003d5196f3888315f5dbec239e223c977dca82ca1777414300bbe3fc77f5daa066

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
89KB

MD5
8b686923992e92d3917487c1c4b4102c

SHA1
d23b615163e9372cf0846b6abddc1ba6516638ae

SHA256
c7b5aca0dbd14b366f9a1b2b452cf9f4f6db7ec4488dade157948841a44df928

SHA512
5913245d0b56fb4db1df962773aabe8b0e4dbc2fb5b870a0610deebcff46a32691bcd19188cfa1d04fe6ef8b1a88529d9e4b74028fe5d7c8ea8b767baf468a09

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
103KB

MD5
aa162e0d05d4cc4c09281fe8df44cc73

SHA1
3a17ca3791b7230ffb9fe6a14210ca46104bc96f

SHA256
191facb9bb485fea4ae52c6f14abe41c37056f6daeffb7921f3637dfeb242b8d

SHA512
bc8be121b8a72c2b01607a1c1889eda7f5b867da7bea1182e7aab54abbc01d1f25208cd0c73fbe69c12324d81c617eba5cce122a4ecad7f7ccfd4a36e0d7fb0e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
132KB

MD5
4aba139d60d3b6f078de96383ddaaca4

SHA1
dfd5d92d743e31fd29363b0f95a55f6f27667075

SHA256
45bf0383c9b348cf01193b45ba292cb657a10376f3ca80628d6120b7fcea47ac

SHA512
db16058b3fe3341691f1bc2a058aed36ff22e21809539187fafbd6cd4fc7db73552a624f89c41017a069ec94bfd45e21df84c7b805b49a0987f515b33999666d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
65KB

MD5
71052ce928a3d2b140967cd75e87e055

SHA1
59f470edfa51923dc88117b7e3df1f82e43085ad

SHA256
96ff7195ef3bcb93b568f82a8bcb880d369090991c2d31b47e954cb856ab502a

SHA512
ec78bcf3ea2ac40b4a8f26d2a63431739fa04622f505485f8efd8c636eac63946b840fc0e6c8b302ca8aa0656d83d65273b01c6989bad6706602a8abc1a3bdf3

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
45KB

MD5
8872c1c3c18872c249524954d73c9d21

SHA1
49a10c7c2d170af3490834c3c1bfaacfa03eec09

SHA256
e705220681ccf51df1193c620043ca38c285299ccebe8049772e7c8438d687af

SHA512
f8c85262292f329329b611835c9f8dfd81d09aac66ad374e6fb98777b9d46f916b1ba1b68553752af0ef2c1583e9d46f2b9d1e14531904f955d50f88fd826941

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
791KB

MD5
34b22c02f92d5a1fb6037741b8d24345

SHA1
5b792895e3d71922fb771c11cbd14e391788a56f

SHA256
59b1e82a15f1b0a5090100bac116e3717c6dd3fed5e88bc383ab71edbb1cb815

SHA512
b315119af86ccb5161eee47136e4744401acbdf5d9e919c36ad8fe1998789900147914a45bcad2d17dd9824e42b9f0a9eb6dbe7a4b6a60176675247aac4c36b1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
254KB

MD5
13984c67aaf4e9ba006541a450283a61

SHA1
fb8cb656d64110d7f1fcae570768393d6cb8381c

SHA256
0e6bddf8437e60af076003f97948e31c95532ae23517a35b43fcd0d7f1395a1e

SHA512
9412d772a9df6b375d3f86c2335db72265c148274cd12c4d73dc76c3abc9320b8808d33e137fd1db0a71f02db704d0ad56cf132d84e0da82b69543dfff122ecd

Download Submit
C:\Windows\System32\msiexec.exe
Filesize
209KB

MD5
4f232f3992cb7c981eccd03a2e26d3aa

SHA1
68f9a4a13c8d5ac397706feef0f7b26f3f9de92e

SHA256
ad04ba1e38cab36bd4e76a73d154d7483d0868f10bdbaf2210c691c90710ae5a

SHA512
160cdbf29eeb558de3a5fc025e5906a8fdd94582d056262056116fcc10392ca4860f9a1774d7bbc257c1c433913522600836a5486c0028f91c2cf48400a303f2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
64KB

MD5
34014c2cfa4c11f1f8659e9d752d9d50

SHA1
66e4ca4c54466272908c5b98e76cb8f3e1047ba6

SHA256
c17be80086a6c82d65a4362d3b10cfbf2502f18e0a21bd8feed7a634a0802341

SHA512
b17935a26820f4a80a4ee6b49e6decac84e798311128df8742615e407e7f39eabaa10484173baf108d15e358a162687aceab7731ded0dfd4844773794c98c671

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
1.5MB

MD5
40d8486c8830c58962adf9d57587d577

SHA1
0d22e2fee26baeb3cb6054d271ae1fe5b20c8f03

SHA256
f1b2ac7d83b3ece0b120612c6f64c955de39309b74e6e07ff535ffbc3aa59597

SHA512
7115c31d8b63bf046634a4eed18a38534bd99a7d9811980f3e5eba283ebd1ca6a4d74f665a8618844a7a4a9e7bb22a3f6f211ff7b2f1265f54ce94b5b7bf9b2a

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
215KB

MD5
9b6df1e3d6df3312f9c6c0e4d642a6d4

SHA1
1c39e3eacd9c6d9835f78e7898d0040186b4c41d

SHA256
6e74e4ab1914f1b7e80ae8bd4f37d29c1b7e9d9de337e78610e15aa0b66abded

SHA512
381d49e2b5dd171df9d0b3277808a1eb047aee409460aa0a8b0db7056c17fc60b0987cdf0f9429b489856b01b67c1eb216378a4e9a608d2923c135c6bae5f014

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
165KB

MD5
3fe8b6ca6c0cc822d33bd74679228f50

SHA1
8afa27522a5d54bd3fddabb040b73da76b5b31ef

SHA256
7774b4b759de8bcfc6d807b54595088d6d2306e86be6cade0bfe507635ab13be

SHA512
a7257bd7507a97465c0a7ef7ce15f2e04f1f9f5fb2427c9961e03cbb48eafe81f47d5a7271b19afacf74b29495028334c6d6e07f6cb3cd44e721dcf4aaa38104

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.5MB

MD5
a50506f26d343bf4c626c44ccbcc168f

SHA1
e8e4292eba77355a323129c84d3b9ef3469f2043

SHA256
a669bab6765e489d473866d021a1dc3238a97a51b8b4b871ffd2a37fad8efb55

SHA512
fe35b3065595822a7ccdbb61befa6d2b1ea8faea7fb4517784d4dde4b69c80fd2c194c75474a5334bf723da112f16b5e0467da0497d396159833731ba7a6fcf2

Download Submit
\Windows\System32\Locator.exe
Filesize
136KB

MD5
971bef97836c2b00461dcf83b4b6ad5a

SHA1
b3f310cc9e97825984cfa3ad4f014e59cfb15d07

SHA256
4d1fa71645ddf043d74e0126bb633917fe5e12aaac7a81561fa2d316f9cecbd0

SHA512
ae1626dc4052d18e6fb4392e555be11b9fcad1b93747d1c4ede635b15e1247969a02371d8a57baedabec8a7c8d4cb191ce7783c65e6d33999922321b0be2ec41

Download Submit
\Windows\System32\alg.exe
Filesize
1.5MB

MD5
3d6de30a764b9ed9889ad09ddf67996b

SHA1
a481436a42e64e9ad32931c843015279d3b696d7

SHA256
db50e367aec38b4002a6cdc0a01fdf2279a94e826995a5175f018031e4883eda

SHA512
a71bd0b64d2a8e99cd735a724c2a6fba803d91dede2455b81b7f80e949796bd071145503b6a264c32ca5a78acd89cb0fb0d7ed8488962f713e704e3c7c88ede1

Download Submit
\Windows\System32\dllhost.exe
Filesize
1KB

MD5
dbf89feb5fb7f107d25af043b36fb330

SHA1
dcbb3e83b65c709627ad10c4f2c20158045ec797

SHA256
7aeed0b20a135bd2b9edbf2e9d68c0681cc12c749aaa060a235e3c2a12a73596

SHA512
31377d226bb4d5e2214d0f0279a6d14948eb7659ceae80109f3c0f2edf4614bd4cc1abe9d6769eda627475916f8b71946f363a44f25c25a4eddeea9c213b9580

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
974KB

MD5
540c6ca13dd376799a25816532072057

SHA1
622dd0eb7a17c0dbbf9b549a1f2be3857bc5530f

SHA256
5f6e4f06a3fc38e2ba2bd2705aadd9322b6ffbf2da79f9550a69accb632fda3b

SHA512
b50b4054385af500953d5a40048f767b87fc7520363f8570da691920dacb0798dbb435b482df5d0c75ef55297ffe64c85aa5d26db4068642d656dac797edddbd

Download Submit
\Windows\System32\msdtc.exe
Filesize
227KB

MD5
69515d633c6cdc7d6115b2289522df3f

SHA1
a0b4d81716c40556bb916d9c934231b9a19b3362

SHA256
d560ce07f4021a7e7de8be5bd904ca8f5025dd34b6e78726db605427ec77bcf3

SHA512
bc084bfd42841799f16957cfa4dadecd3be2079f1bd3ad146f4ef49170550bb48bd8b1e256e2d3810ba01c0bbbc4d7a7d29c659e709cb843678b2670fc389ea3

Download Submit
\Windows\System32\msiexec.exe
Filesize
152KB

MD5
26199efbf2dd0dda201fa548824fb277

SHA1
f63d202e72f8343f6468330990eb85130bb3faff

SHA256
2cca8bf3a52ae87bf29ac08db1f63eb843a550934a4ab0b54d2ec6e56030d7c3

SHA512
4e95dc9c22ac358f20c5b92d8c135e8140a40217474ee10abba05ae87be5d0caf54c95d4558f88401a733b3d1cd0ea1e517b6c94b67cbff2387fe8165c4b2d34

Download Submit
\Windows\System32\msiexec.exe
Filesize
156KB

MD5
e17edf4c3df4d67dcea0c95e1b6dea04

SHA1
aa676741c5089df11eedf82ca8c774d5947fa8ab

SHA256
41bb0ed01c1083a1b18755807d77527f80cfded7c8358deffb5d6c7341b33cb4

SHA512
8792004961904483df4265a2b914a693b8485f6d9f850c4ef7a47cbced5c84de14e8ec4dc0d67774dde04053981764ee7a77df938e92ebabd970fc22f3f87a26

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
f1e2df3b0c1806a571ac649f458e40f5

SHA1
1821c97ddd890162de292bc65a57e16a91d50519

SHA256
2142ba2df5854f8ae47b687cfdd3a9a0921f6ef6b8e0726cc1cdca2fd9264d2a

SHA512
b2c3eb23621a298360f73a392809d8341e54983c2a683bedcd5f3c5f3b131274bc3c2fadb9deada3d8b8d394ace01a6de947954dfe160ed42f2f2b489db6d156

Download Submit
memory/772-183-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/772-260-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/772-194-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/780-148-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/780-241-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/780-153-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/840-178-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/840-174-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/1664-97-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1664-104-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1664-96-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1664-177-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1692-171-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-167-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-250-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-187-0x0000000001080000-0x0000000001100000-memory.dmp

Filesize
512KB

Download
memory/1692-257-0x0000000001080000-0x0000000001100000-memory.dmp

Filesize
512KB

Download
memory/1692-168-0x0000000001080000-0x0000000001100000-memory.dmp

Filesize
512KB

Download
memory/1692-265-0x0000000001080000-0x0000000001100000-memory.dmp

Filesize
512KB

Download
memory/1952-222-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/1952-138-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1952-128-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/1992-201-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1992-193-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1992-196-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1992-202-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2076-21-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2076-22-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2076-95-0x0000000100000000-0x0000000100179000-memory.dmp

Filesize
1.5MB

Download
memory/2076-15-0x0000000100000000-0x0000000100179000-memory.dmp

Filesize
1.5MB

Download
memory/2076-14-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2152-287-0x0000000100000000-0x000000010016A000-memory.dmp

Filesize
1.4MB

Download
memory/2376-285-0x0000000100000000-0x0000000100187000-memory.dmp

Filesize
1.5MB

Download
memory/2376-235-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2376-223-0x0000000100000000-0x0000000100187000-memory.dmp

Filesize
1.5MB

Download
memory/2376-225-0x0000000000530000-0x00000000006B7000-memory.dmp

Filesize
1.5MB

Download
memory/2580-56-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2580-55-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2580-89-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2580-63-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2632-252-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2632-244-0x000000002E000000-0x000000002E18A000-memory.dmp

Filesize
1.5MB

Download
memory/2700-39-0x0000000010000000-0x0000000010174000-memory.dmp

Filesize
1.5MB

Download
memory/2700-45-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2700-40-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2700-91-0x0000000010000000-0x0000000010174000-memory.dmp

Filesize
1.5MB

Download
memory/2752-281-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/2752-275-0x0000000001000000-0x000000000116B000-memory.dmp

Filesize
1.4MB

Download
memory/2808-28-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2808-35-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2808-29-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2808-114-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2876-139-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2876-205-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2876-117-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2876-232-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2876-115-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2876-124-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2900-152-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2900-76-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2900-75-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/2900-82-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/2900-81-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/2956-262-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2956-266-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2956-267-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2956-273-0x00000000739E8000-0x00000000739FD000-memory.dmp

Filesize
84KB

Download
memory/2980-271-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2980-215-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2980-207-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3032-7-0x0000000001C00000-0x0000000001C60000-memory.dmp

Filesize
384KB

Download
memory/3032-295-0x0000000001C00000-0x0000000001C60000-memory.dmp

Filesize
384KB

Download
memory/3032-0-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3032-74-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3032-293-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3032-8-0x0000000001C00000-0x0000000001C60000-memory.dmp

Filesize
384KB

Download
memory/3032-1-0x0000000001C00000-0x0000000001C60000-memory.dmp

Filesize
384KB

Download