ad341beb8863440dc98271bddfb07153b725e37b7e1292bc0769e904e3f8f31e

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_f9cfdb5cf822607150650037629ded37_ryuk.exe
Size

1.1MB
MD5

f9cfdb5cf822607150650037629ded37
SHA1

c8e906acf8b902a2da9a7d889106ee43aa11b0e1
SHA256

ad341beb8863440dc98271bddfb07153b725e37b7e1292bc0769e904e3f8f31e
SHA512

f197521b47c2a862daceecf31906f81ed6617e29991493a6b5a6bc4ea3a060e09587918b6cb9f62dd9ab1e58033a409e67df7a83e82d2b93045f926f5cb38a61
SSDEEP

24576:fSi1SoCU5qJSr1eWPSCsP0MugC6eT3Cks7WE9F5pwg8zmdqQjC60jiHkU:XS7PLjeT3Cks7R9L58UqFJjskU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2656	alg.exe
2708	aspnet_state.exe
2900	mscorsvw.exe
2568	mscorsvw.exe
2496	mscorsvw.exe
2796	mscorsvw.exe
1976	ehRecvr.exe
1648	ehsched.exe
2344	dllhost.exe
2044	elevation_service.exe
1220	GROOVE.EXE
3064	maintenanceservice.exe
2232	mscorsvw.exe
2736	mscorsvw.exe
2032	OSE.EXE
2692	OSPPSVC.EXE
2864	mscorsvw.exe
1500	mscorsvw.exe
2596	mscorsvw.exe
2512	mscorsvw.exe
2688	mscorsvw.exe
1960	mscorsvw.exe
2724	mscorsvw.exe
1768	mscorsvw.exe
2616	mscorsvw.exe
1488	mscorsvw.exe
1292	mscorsvw.exe
1912	mscorsvw.exe
1612	mscorsvw.exe
3020	mscorsvw.exe
436	mscorsvw.exe
2228	mscorsvw.exe
2320	mscorsvw.exe
1768	mscorsvw.exe
2940	mscorsvw.exe
2516	mscorsvw.exe
2808	mscorsvw.exe
2944	mscorsvw.exe
2248	mscorsvw.exe
1944	mscorsvw.exe
2772	mscorsvw.exe
2616	mscorsvw.exe
2560	mscorsvw.exe
2752	mscorsvw.exe
1272	mscorsvw.exe
2164	mscorsvw.exe
1124	mscorsvw.exe
2468	mscorsvw.exe
776	mscorsvw.exe
700	mscorsvw.exe
2612	mscorsvw.exe
1096	mscorsvw.exe
1752	mscorsvw.exe
2436	mscorsvw.exe
684	mscorsvw.exe
1628	mscorsvw.exe
472	mscorsvw.exe
1992	mscorsvw.exe
2516	mscorsvw.exe
2256	mscorsvw.exe
1280	mscorsvw.exe
2112	mscorsvw.exe
2080	mscorsvw.exe

Loads dropped DLL 43 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2752	mscorsvw.exe
2752	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
2468	mscorsvw.exe
2468	mscorsvw.exe
700	mscorsvw.exe
700	mscorsvw.exe
1096	mscorsvw.exe
1096	mscorsvw.exe
2436	mscorsvw.exe
2436	mscorsvw.exe
1628	mscorsvw.exe
1628	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
2256	mscorsvw.exe
2256	mscorsvw.exe
2112	mscorsvw.exe
2112	mscorsvw.exe
832	mscorsvw.exe
832	mscorsvw.exe
1564	mscorsvw.exe
1564	mscorsvw.exe
2368	mscorsvw.exe
2368	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
1676	mscorsvw.exe
1676	mscorsvw.exe
3064	mscorsvw.exe
3064	mscorsvw.exe
2364	mscorsvw.exe
2364	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-28_f9cfdb5cf822607150650037629ded37_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-28_f9cfdb5cf822607150650037629ded37_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-28_f9cfdb5cf822607150650037629ded37_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\27bfb76a3db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4A3A.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP209B.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP646E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA7A5.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2D86.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-28_f9cfdb5cf822607150650037629ded37_ryuk.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2626.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3EB5.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2248	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2040	2024-01-28_f9cfdb5cf822607150650037629ded37_ryuk.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: 33	1400	EhTray.exe
Token: SeIncBasePriorityPrivilege	1400	EhTray.exe
Token: SeDebugPrivilege	2248	ehRec.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: 33	1400	EhTray.exe
Token: SeIncBasePriorityPrivilege	1400	EhTray.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeDebugPrivilege	2656	alg.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeDebugPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1400	EhTray.exe
1400	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1400	EhTray.exe
1400	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2232	2796	mscorsvw.exe	42
PID 2796 wrote to memory of 2232	2796	mscorsvw.exe	42
PID 2796 wrote to memory of 2232	2796	mscorsvw.exe	42
PID 2796 wrote to memory of 2736	2796	mscorsvw.exe	43
PID 2796 wrote to memory of 2736	2796	mscorsvw.exe	43
PID 2796 wrote to memory of 2736	2796	mscorsvw.exe	43
PID 2496 wrote to memory of 2864	2496	mscorsvw.exe	45
PID 2496 wrote to memory of 2864	2496	mscorsvw.exe	45
PID 2496 wrote to memory of 2864	2496	mscorsvw.exe	45
PID 2496 wrote to memory of 2864	2496	mscorsvw.exe	45
PID 2496 wrote to memory of 1500	2496	mscorsvw.exe	47
PID 2496 wrote to memory of 1500	2496	mscorsvw.exe	47
PID 2496 wrote to memory of 1500	2496	mscorsvw.exe	47
PID 2496 wrote to memory of 1500	2496	mscorsvw.exe	47
PID 2496 wrote to memory of 2596	2496	mscorsvw.exe	48
PID 2496 wrote to memory of 2596	2496	mscorsvw.exe	48
PID 2496 wrote to memory of 2596	2496	mscorsvw.exe	48
PID 2496 wrote to memory of 2596	2496	mscorsvw.exe	48
PID 2496 wrote to memory of 2512	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 2512	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 2512	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 2512	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 2688	2496	mscorsvw.exe	50
PID 2496 wrote to memory of 2688	2496	mscorsvw.exe	50
PID 2496 wrote to memory of 2688	2496	mscorsvw.exe	50
PID 2496 wrote to memory of 2688	2496	mscorsvw.exe	50
PID 2496 wrote to memory of 1960	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 1960	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 1960	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 1960	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 2724	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 2724	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 2724	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 2724	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 1768	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 1768	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 1768	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 1768	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 2616	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 2616	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 2616	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 2616	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 1488	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 1488	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 1488	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 1488	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 1292	2496	mscorsvw.exe	58
PID 2496 wrote to memory of 1292	2496	mscorsvw.exe	58
PID 2496 wrote to memory of 1292	2496	mscorsvw.exe	58
PID 2496 wrote to memory of 1292	2496	mscorsvw.exe	58
PID 2496 wrote to memory of 1912	2496	mscorsvw.exe	59
PID 2496 wrote to memory of 1912	2496	mscorsvw.exe	59
PID 2496 wrote to memory of 1912	2496	mscorsvw.exe	59
PID 2496 wrote to memory of 1912	2496	mscorsvw.exe	59
PID 2496 wrote to memory of 1612	2496	mscorsvw.exe	60
PID 2496 wrote to memory of 1612	2496	mscorsvw.exe	60
PID 2496 wrote to memory of 1612	2496	mscorsvw.exe	60
PID 2496 wrote to memory of 1612	2496	mscorsvw.exe	60
PID 2496 wrote to memory of 3020	2496	mscorsvw.exe	61
PID 2496 wrote to memory of 3020	2496	mscorsvw.exe	61
PID 2496 wrote to memory of 3020	2496	mscorsvw.exe	61
PID 2496 wrote to memory of 3020	2496	mscorsvw.exe	61
PID 2496 wrote to memory of 436	2496	mscorsvw.exe	62
PID 2496 wrote to memory of 436	2496	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-28_f9cfdb5cf822607150650037629ded37_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_f9cfdb5cf822607150650037629ded37_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2900

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 270 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 254 -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 284 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d8 -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 280 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 288 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a0 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 29c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 1e0 -NGENProcess 1ac -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 254 -NGENProcess 234 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 22c -NGENProcess 1e0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 268 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1ac -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 26c -NGENProcess 1e0 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 278 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1ac -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e0 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 280 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 288 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 258 -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 290 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1ac -NGENProcess 294 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 280 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 2a4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 288 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b0 -NGENProcess 280 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 290 -NGENProcess 2b8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 2c0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c8 -NGENProcess 29c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 248 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 2bc -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d4 -NGENProcess 29c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 248 -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2d0 -NGENProcess 2dc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 29c -NGENProcess 2e0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 248 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 29c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d8 -NGENProcess 29c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ec -NGENProcess 2d0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f8 -NGENProcess 29c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2fc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1a4 -NGENProcess 300 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 29c -NGENProcess 304 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 308 -NGENProcess 300 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2fc -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 314 -NGENProcess 2e0 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2f8 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 314 -NGENProcess 324 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e0 -NGENProcess 328 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 32c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:816

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1976

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1400

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2044

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1220

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3064

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2032

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
7ff8417092f5c0312a67988838653eeb

SHA1
f978af991d6bf02268926bd9f5ca4d19144c4054

SHA256
e6e3d2b89e3f1f392ff8b6977efecceafbf68c1206ef3fc9b630228bf0a76c83

SHA512
4042e60fd5acfc30b4e457287f70ebd45330b3e6898cbe75856614064e1e51752bb3c2d454da59cefa7b65a1d61b14118213194f526e070d25652c87a77ce37d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
8edbdee560cb702a3c7a1042be6d5f7f

SHA1
93080d59b617050728733a1ebf9519e6b432687a

SHA256
774e2d3a360268195170ca166fbdc2ea12f310a9693c783019b5c4803104a925

SHA512
d9d921d7b8cbaa56f83374fe742136e0e75686149f4fcbd75b81f3529a6907681e47eaae5adb514e3e4833de2002c48ce3c41227cc15d20f98c583cb8270fa93

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
e488c85320b9e5f0ebbf1aab65c741c3

SHA1
5fc52ee6cff741523eb53c93bf84651c3dc0118c

SHA256
f7ecafc5c8deb41c778722af817f5796882c47aeabadd057aa4a930aaadc8fde

SHA512
7f613ec3e77a48a1cbbe5c57adefe3e09b4c778a983532ac28d59bfc418c691cc747b5749a9b59478fbc87e2d9f2c3a2cd87cdad3127113cb7cc624751d029b4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
ff8b1ca8ec412748a63162667023e48d

SHA1
f38016df3c0f7a5eef785496b568d1dbba97134d

SHA256
516cba7b0a13a338e7d130de503cf49a4763e064de9835c577f01515f5a88db5

SHA512
f439d2cd725a35ff4cb3b852b054a4c06a184e04a42a0741eda0832093c11b5332a1e6eb148d651ef7346db4db2553015373446ab3f257326389b835bc97a32e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
3cb5531b41e61bf5600a5fe8a7bfc099

SHA1
9c37bb94b3bdfb7c4ed1152d8dfe68d6dc74f76b

SHA256
82a0d1c7a37aa2d60c11bdad3b9fcf2d51a05a46649b03d5299177432d72b8b2

SHA512
a16bd69785a52eec059fba39754692f7bf44f8308e1869b098b53c8d6676f97dfed0e4232edda78288ae0b47f389833ae0ddc4ae88b63b33a4e8c338a2222697

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
11.4MB

MD5
58af25f34d6bdb7a402f28cd7aa525b8

SHA1
ec68e2c3c5561fad7652a320034d78b7f5a2f73b

SHA256
39a2f16dc454ca039dd737aa5d8b3fcc8821327002af53ac0df327d769c40cf8

SHA512
533e29b92631e58c21d096acce28c132f7926f960311b3404fe74529911a28bda7a648721e753c0004d40d28c55087455929ec45c50dc2535cd963db7153dfc7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
ca60f007ddf57a0c0191fd1da7075b8b

SHA1
7674b7925c15642d677a56a17bfc2eb4a7b02f22

SHA256
410f16dd4e72c663791e9a6ad422ca0bcb7003357a5b7b44c3451485abdbe8e1

SHA512
86a2464e6b4180380d4e86898d76e38574005233baa5abc753e4e3ff9181699475734269f69d029c09c7b07681fb5844a9123b147129878de18fbad985680e89

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
cd1487553a995fa23ef2da99aa34a3bc

SHA1
8b485dbf0c4be4f25fb5fc2894f59236f3303462

SHA256
9f511fc98ca0316df5245dfdf5be2f7aba48d2ca18236ad21c6fd7738f6c6877

SHA512
f879001112ddbed249ff8e787e4c5617c3a2f86e42dd03cf442b1b707eb84551e18f6c4c81f92a4aa8906bfaf2c420500cc4998aa53e4ca5948b552410462cf7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
130e3e32292a94f8dc8d67f8e7997ef7

SHA1
153b736c0d6540400a99d01adcfda40469b0dad3

SHA256
aeac4503b8cd722ca0dcd7632a441cedf730030472c9fc881bb37c62aeadb759

SHA512
791a53eead4b4ba8cfc2dffccfc41a637aeec167c0fa660549b23acacb634bccb7ecfcfd87727eb55704400695bac34f0b9d413ac913daa61b9c19603cf71915

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
84b2d44af4870f2ff919ff747ad4c2fc

SHA1
f39d2123ac802b7f53022f375be4afa714eaa41d

SHA256
0a86a595af955bb2f0764619172cc6612b7e83a773123d9333efc09eddef64c4

SHA512
04e4d65357d64ecf32b49161f78cfd9976f29eacc361f3d2c4475fdbef9c11b5fe52f529d59dd6edb0560fd77a16bfa6d4b15d80ee140fb39392addb4dffdb40

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b14161eedd53ee3ad6caf016fa1090c5

SHA1
1b6425ff0434f9a59391a64760be66b076d59103

SHA256
c6202eeae0578ab9b9ace6b0f0446cc40b3340a4a15558d37e23b6eb551065a2

SHA512
3277f4940871bd32b02bb332f24b14b2890380ad12bc2e2032d6029ede37c54180a38c2811ca4ed990241fb84c28ec6d7220c822dd2fc41a9baee31d0492b45c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
3.6MB

MD5
ad0b02ed8e4c989f1d6ec877e80f581c

SHA1
457e0851137e01b43a53f950801a0c48889718c5

SHA256
7deb1422e59a61abdd32dda5cb5bc3a08f86932cb0f50f53f600ac5ad5e9168c

SHA512
faa320c21c03764ee7014f8885833564347a49eed2593c2a0a7d1b616e782c2b75a5c81386c6e6be810baeb44199f6664388e8663c7cb7596e138d2d1427fb13

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.2MB

MD5
77accad2910779fb7e3f86e17f11daa1

SHA1
d931d4a61e5904df5144de54681d416ceb8df266

SHA256
c4f505c5dd0e6102b76e876d7701f33dfa6344ca00f35cb36117ae7a3a9e8261

SHA512
2133281f5c4ae47f2109626da7c154cd6e9eabb4334225c8f24bbfa15b701c58f40af90e2c85c03925d7675301c00f724079334e0fb781af0fbc79d8e0cb244f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.5MB

MD5
4267b6168a8fb7c783765fcb162221e0

SHA1
89acf1a1375ab8eef707f1d76f3911e11ef723db

SHA256
46d20620fa40ebda7a298e76adcd2589747fd0fe788a5daa3686a1595f4b8fc6

SHA512
540876dd8c402e482bf885a9ceaefc5be582e88cabee3ff89c45588e47bdcbfe90085b792d529c426c9cc35ddf4df79a7589c1eaebbacbde17b828b78fbc717f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e9cc9a69959d0df53c4de755cd6cdbf4

SHA1
47a0c987e4b9e007dc8a734fcb5b872287c116b8

SHA256
9b650de9c56a55d17d25060e0e9c4b88980354ef1196d1cbddd2579a4c1885d7

SHA512
7797e25fc5b5eed48781cb17ebc99ff6ef594262264c750241a1aaba6224dec776313f8d61e061b83836cfa399580ab761bf0f7ddf5d983964bf0ff698aa66cf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f073d97b7abc12a13fefaaf519d49d9e

SHA1
0c69da8a5556bcc93eaf6f99891da088529171fe

SHA256
0a53b69b10ffdf0a7b3494219e17401dc59d1fe634d31346cdb4119d1f586815

SHA512
2112ecfe89f1560e9be6933c753b89e6f2af949e82931ac945275ba8877830a176826d467b3ec5ca03df5e6d51d63c467abb757ba1808eae835a4b2a8917581c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
34KB

MD5
c8e53f3decac2e36ddb6f4d9075c44b9

SHA1
e6696066b5d8b2fca0b07246c21934be93d34616

SHA256
cae765cefb47632b4a06b489391e21e8c651e5a71b548ebbd4f562aa83fbcb34

SHA512
fc1a8aac9e1b3fdf9a3f31d44ad97931cce015311872f997e33aec307a232955ec2d77707876337e33d96c29e9721ca6f4e2a0015c6fba4a385fdbf358793320

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b86812b9a13b09b4cd5ed92f64fc47cf

SHA1
26a9808e275186f980e897c4021a343bd2216cf4

SHA256
10efdb979bf3aae05eea014a322574e3da50afbd74d3f5fa910732512a2b9d60

SHA512
1ae43dc463af9236420ff7bfe265742424d9755e91a0b2802cc0c79ad603dc3474fe028bcbdf904ca095d7e16f6959eb95d0f906bfdb3d71ddb9ff384476159f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
2cf8c5b2568390a3a805d3abf604179a

SHA1
9ac4d711b9e3dfa3cb716fbd347cbcf4e9dda616

SHA256
1be40f75c12abd487e26aa8a77f2cc1e0185390e8c35676a012e54ba8bdab2c6

SHA512
5715a7adc074efbe197750d36f508721d12d7d484d3881768d82770445a7ed012744db99b40da43de85014ab5e1534791e840e2129fd48f761b68dc3abe3d060

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
87766b592c103d0482813463244ad1db

SHA1
adfcf6c2a68e28aa59c6acb673baa888a4e81a75

SHA256
295a420807f790329a8f953aaa8963c697d20bc6f6d72686cb56be173a35f04e

SHA512
812985351bf700ab01e542ee3952ecd43f87c7bf850c8141ba0d689fac966842bcd76238139c549e8da9f60dbb19c7d62305be314bef0f29b635fc04a278803d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
7dcb7041b11ef8b11a37cc03b389d7c4

SHA1
c74a6b58c5fd5a7cf6ecfbd80f7df94cd0bfcf3c

SHA256
db15209805444e652ccc96244dfb578d79812f6bbedabe9938acc1c036c38612

SHA512
0817eaccca8316a8c6c41267642718b9201445eb0eb2a9982f529e4abc2ebb3460c7cebb123590f87a34a4f80e327bbb987cfa7f286b5dc9fe87a4a611fc454d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e48d7bd634af5dc63847a450c75c2cc2

SHA1
0dc1db6a76e264b9945425c1b8a2e0f3e7d0e9c3

SHA256
9d7126827da9fcdbe12d6d9190532392503d4639d8dafac935e81fd0126e9605

SHA512
6c86ffcbcea5693a5964ebaf190c888a2013a629cbe9e6f0bbebf7344ed523d3021f4a3e07f8db6ff0a63b094215c510ad1c6e2ffc53327b48ab68ecdd29eea2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
6eecf3a67427b082e344aeca210602e6

SHA1
517aebe7d34c5490f866146215178b3e806929ed

SHA256
a702b47f78ebd3e8a8c7d71f331acff396d2ad2ee658b185adba0460be80d731

SHA512
be3f86041209485d1409fcb6555c485531bb28b34fa9b2c00258ed5d6ef2f2a0a74bf60288b232413333ada2d112ff716abc6b84420a19b63f3190ad6f394dce

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
d5ede2278ba1444735dc37422fb9326f

SHA1
538b0d75436e23fb1eafe6f18239eb92983822c8

SHA256
50eeae0b29b0a19ee4d5b1ca9ed3fac824b07d822bfe4e0eee113c07f54fc620

SHA512
902bf26de8d571f5eecaa383fa70bfdbab7aff4089414de4a0bc9d888e9b27da3c0d3f3aea1c917f6b13ca449e79a14abc60b7a62217b05d8d144400eb689ae7

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
64KB

MD5
e789ba5fe485221dffa1c53228b8c45d

SHA1
09a21b616930824b35cf6ff3cf5e8b75cd7af3d0

SHA256
09856a8e710671af7f3c5d99abc0fd2c8d955eb852bac271df2099f272a1f889

SHA512
2484eca5317a58987d70eac535121eb5e851038630eac222ec77cf95623cb250ea13169e6467c448f7355cc7b4f1735443d16a537ba4f0366107ff08bd06c8cf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a54efe8a83677c3074783db27002bb82\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
f3c87289497501f4e518c8d615a13586

SHA1
df3538fc54b210b4aec3f8c2877408dd286209c8

SHA256
b9da6434a0fdfd01d917797649a0c6e9bfaa28f76635a3afe4818b7c5457674d

SHA512
614ac228910ed2e6c130f2aef65542125a6d95cde4b4080bb51629c16d2a9613e7b73e3363f651dc45895cee4dbae6646eacf752e37e7436d9fedff883ba242e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ce96f8fb93c542b62c429f3b21c30358\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
775bd50827f886415ee204258f2ef3e8

SHA1
c07e8b488d08d2fa3bcec75cba676053d0ced530

SHA256
ec50c95acace786edc1c31ba943abb66ad4696139f8c039144c984b2934dabb8

SHA512
0ba8e2fc666d2d777b9719bc19381f2bb3c53875f1c964c712cf0784e1c9c109e205fa71a73f9604a21867bb7af646599c831206bea4ea59f3c7910a20d9107e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e3b29d113725f16eb8c7bf82614069ba\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
7ab392aebfb303a525a6f7cd210bdde4

SHA1
337fb87843a7778c118bdf2b0e3c9c74cb9821fe

SHA256
ccaff7b4a79e43a69fbc48ce860a2135f464fe12929190d6305ba5f574e49999

SHA512
da88cf1fbeac90bcdd8d516f1937af7864ccfad91924f8e0a6f1365274969630a981f2241fde1a64f6be28c1d84976294b635d6a0b8f9c7121d4e6e55fc4d09b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f3076157188ef046bff362522b058513\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
167589a98cefc6db8bebb5061916a49e

SHA1
c84a81378724f421432a4b17533cb8537a6b662d

SHA256
a86fa5c5becfc0791d123bd84c63c6e966783938d7e97b9927efaf36eec7257d

SHA512
18a3c71310eb1c98f869cf99b40ffa2e2cd9b0d10e6a5b90db1eb463aa681d301c4846c1c217cff659fd3fe2256ae6dca92c1a14ae05c053eebbfbe021667a29

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
69d7e4cc7af0b6121f7af36555f36cfd

SHA1
018dca55aa42f10e77079b97d63fc83fe6b3b19f

SHA256
c520f3a4ee2e68d77259b3357855e7317370066d87751167962a2e2408a58feb

SHA512
12dc6f0e40d1b67ab4d5b53dfc292be9e63f0a9dda6c68aec72a649d10bdd42af437c8f601cb4f98b53d22fe1818e9db5489823f9a2dec45caad8fb9df3b9eff

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
7718f5dceb67586b66ac676b325ac582

SHA1
e9a388712d153df340274f1ba28579a8ab1c9e0f

SHA256
d53785b5428a2c14b041e8de41549001600267f40a2c77cb769220aa29fc4df9

SHA512
52feb0897ea950224426e720aa3d5e34a547d8fc5bef4c01963228e0f231c496fd8f51059eaa6a8e0f28d422c0bbe56605e2ce3386efea3624faa3610d50e152

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
e24149672031b2813d9f3cdd2513f2fd

SHA1
870ecb0128d78fab082e90b7373e9ab7969f6e41

SHA256
af355cfc335ff727df68f1cea96dd88e5baf8b991870edd0237f19d566a4271c

SHA512
40e7c488635f7e93cde7a75e3646296c6a1cee131622924f71a76be63a94db82b52aef6ffb5dd9b1e3015e7bfef5f8404dc9de48500efe2f4ce494de102398ee

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c5344e8497340defc83f89e63a413ced

SHA1
db43ec5ec358d5a7f94ef6cec5f21d04e6a84caa

SHA256
4ce20c3a71adcfd527f3d3c27d5dba835531eb1975694e9d48baf0738c4bd8ca

SHA512
a6e8149f96899641071b035f8fa5d29146cf053fc2d38b70a271c6871d091cacb3868ed25da7e2d1036dcff0be9b8ac9e6dea9ee6beddd1343a6bcc2c53ed9f9

Download Submit
\Windows\System32\dllhost.exe

Filesize
128KB

MD5
ae6aa719faf9451a5a46fb670d185a6c

SHA1
4430626913537dba4ea9697d81d085361f728ab8

SHA256
e855db1fa3c3dee2473b8bc8608fc8e13731d0801da3a194cedd03a3e27182ad

SHA512
0eef2d403470c36d6fdb148daf6de6d3d7c1caaa083e867fe1c33202601e2ce1f6cc71be94008ca839c97f50e3f724f8dc525c68d6acbd9efbf95cf220effa75

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6d7451d38e830e9dce7c87705640b3b4

SHA1
e18511da241e4386040aac65b32769946e854b99

SHA256
0e54bedcde4f89ed326315784419a8247251ea8f236c48f24178e7f8bb67505d

SHA512
51f128d1fcf2c9411323fa5f60ab9d8f149a0aa53ac170929e5034debd0ac8e08ebfc8e246e905b382e03d723b653ecb71ce58db24335d205ec6c610d7231357

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
a4b48e9df34b99979bec001b454f0838

SHA1
9515c3760b2bf02e7383eb8323b4ddd238e284d4

SHA256
952f769e714960b87405e8888e510a5ecf07f6581cfd0ed43d0da3ed4a377680

SHA512
5532979181e889976bbc7988b3f84ae928cf4aed54826215cd67284099f14e3cd952e52f06aca17e77539a0c8415a391a5ba8e68a3fe6bbacbae6bf6fb49a0ef

Download Submit
memory/1220-165-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1220-167-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/1220-278-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1648-111-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1648-109-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/1648-116-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/1648-190-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1976-171-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1976-224-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1976-96-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1976-93-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1976-102-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1976-125-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1976-121-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1976-122-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2032-247-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2032-222-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2040-74-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2040-0-0x0000000001B30000-0x0000000001B90000-memory.dmp

Filesize
384KB

Download
memory/2040-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2040-124-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2040-7-0x0000000001B30000-0x0000000001B90000-memory.dmp

Filesize
384KB

Download
memory/2040-8-0x0000000001B30000-0x0000000001B90000-memory.dmp

Filesize
384KB

Download
memory/2040-119-0x0000000001B30000-0x0000000001B90000-memory.dmp

Filesize
384KB

Download
memory/2044-284-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2044-154-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2044-158-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2232-218-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-184-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-220-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-219-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2232-194-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2248-174-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/2248-152-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/2248-153-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-151-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-249-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-227-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/2248-254-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/2248-268-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2344-138-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2344-128-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2344-226-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2344-129-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2496-62-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2496-137-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2496-55-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2496-56-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2568-47-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2568-105-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2656-94-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2656-14-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2656-22-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2656-15-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2692-292-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2692-280-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2708-108-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2708-28-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2736-225-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2736-243-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-244-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2736-242-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2736-221-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-223-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2796-82-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2796-76-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2796-75-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2796-156-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-281-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2864-282-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2900-38-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2900-32-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2900-31-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2900-70-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/3064-199-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3064-200-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/3064-195-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/3064-179-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download