1b7bc3e60ca79e7d5ba340ce0c2c1c7aeb3b4f5ef1fb2be6252a95ec41cbc37a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Size

4.1MB
MD5

9cb761fcd27428b6e601887ea42ee621
SHA1

2aed57e91386239202cb93169103b9ca3e2765ea
SHA256

1b7bc3e60ca79e7d5ba340ce0c2c1c7aeb3b4f5ef1fb2be6252a95ec41cbc37a
SHA512

6278a614bb4e932a7a94f547f42c7a6915d41fb473dc9dcea2cc3d35692f032961530ff064a04b85de87d761e775b5e84fd3a3b47db21d3154e27863e35d098a
SSDEEP

49152:S5Viqwo4KxghcyJLBaSbvviqMjfBVdTFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9k:SBfrdTFFqRlw6a+zC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 61 IoCs

pid	Process
468	Process not Found
2600	alg.exe
1984	aspnet_state.exe
1568	mscorsvw.exe
2400	mscorsvw.exe
2920	mscorsvw.exe
2908	mscorsvw.exe
580	ehRecvr.exe
1768	ehsched.exe
2432	elevation_service.exe
1056	IEEtwCollector.exe
1300	GROOVE.EXE
1188	maintenanceservice.exe
2080	msdtc.exe
1968	locator.exe
2724	snmptrap.exe
2784	mscorsvw.exe
2688	mscorsvw.exe
1484	mscorsvw.exe
2488	msiexec.exe
1496	OSE.EXE
1072	OSPPSVC.EXE
2544	mscorsvw.exe
2320	perfhost.exe
1968	locator.exe
2724	snmptrap.exe
2416	mscorsvw.exe
1160	mscorsvw.exe
2484	mscorsvw.exe
2496	vds.exe
2876	mscorsvw.exe
2672	mscorsvw.exe
2872	mscorsvw.exe
1512	vssvc.exe
2620	wbengine.exe
1808	WmiApSrv.exe
1736	wmpnetwk.exe
1692	SearchIndexer.exe
1204	mscorsvw.exe
1532	mscorsvw.exe
2772	mscorsvw.exe
1588	mscorsvw.exe
2204	mscorsvw.exe
2732	mscorsvw.exe
2976	mscorsvw.exe
320	mscorsvw.exe
2528	mscorsvw.exe
2272	mscorsvw.exe
2988	mscorsvw.exe
1080	mscorsvw.exe
300	mscorsvw.exe
824	mscorsvw.exe
2708	mscorsvw.exe
1868	mscorsvw.exe
1268	mscorsvw.exe
2632	mscorsvw.exe
1464	dllhost.exe
2884	mscorsvw.exe
1452	mscorsvw.exe
2288	mscorsvw.exe
2720	mscorsvw.exe

Loads dropped DLL 19 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2488	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
740	Process not Found
468	Process not Found
2632	mscorsvw.exe
2632	mscorsvw.exe
1452	mscorsvw.exe
1452	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f44051151b98a6ad.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7983.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{381CD370-6B47-4DF2-82ED-E4770A4E4F45}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6AD4.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{381CD370-6B47-4DF2-82ED-E4770A4E4F45}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010962554ff54da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1536	ehRec.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2516	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: 33	2560	EhTray.exe
Token: SeIncBasePriorityPrivilege	2560	EhTray.exe
Token: SeDebugPrivilege	1536	ehRec.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: 33	2560	EhTray.exe
Token: SeIncBasePriorityPrivilege	2560	EhTray.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeSecurityPrivilege	2488	msiexec.exe
Token: SeBackupPrivilege	1512	vssvc.exe
Token: SeRestorePrivilege	1512	vssvc.exe
Token: SeAuditPrivilege	1512	vssvc.exe
Token: SeBackupPrivilege	2620	wbengine.exe
Token: SeRestorePrivilege	2620	wbengine.exe
Token: SeSecurityPrivilege	2620	wbengine.exe
Token: 33	1736	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1736	wmpnetwk.exe
Token: SeManageVolumePrivilege	1692	SearchIndexer.exe
Token: 33	1692	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1692	SearchIndexer.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeDebugPrivilege	2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	2700	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeDebugPrivilege	2600	alg.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2908	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2560	EhTray.exe
2560	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2560	EhTray.exe
2560	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2996	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
1224	SearchProtocolHost.exe
1224	SearchProtocolHost.exe
1224	SearchProtocolHost.exe
1224	SearchProtocolHost.exe
1224	SearchProtocolHost.exe
1224	SearchProtocolHost.exe
1224	SearchProtocolHost.exe
1224	SearchProtocolHost.exe
1224	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2700	2516	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	28
PID 2516 wrote to memory of 2700	2516	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	28
PID 2516 wrote to memory of 2700	2516	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	28
PID 2516 wrote to memory of 2864	2516	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	30
PID 2516 wrote to memory of 2864	2516	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	30
PID 2516 wrote to memory of 2864	2516	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	30
PID 2920 wrote to memory of 1968	2920	mscorsvw.exe	55
PID 2920 wrote to memory of 1968	2920	mscorsvw.exe	55
PID 2920 wrote to memory of 1968	2920	mscorsvw.exe	55
PID 2920 wrote to memory of 1968	2920	mscorsvw.exe	55
PID 2920 wrote to memory of 2724	2920	mscorsvw.exe	56
PID 2920 wrote to memory of 2724	2920	mscorsvw.exe	56
PID 2920 wrote to memory of 2724	2920	mscorsvw.exe	56
PID 2920 wrote to memory of 2724	2920	mscorsvw.exe	56
PID 2920 wrote to memory of 2784	2920	mscorsvw.exe	47
PID 2920 wrote to memory of 2784	2920	mscorsvw.exe	47
PID 2920 wrote to memory of 2784	2920	mscorsvw.exe	47
PID 2920 wrote to memory of 2784	2920	mscorsvw.exe	47
PID 2920 wrote to memory of 2688	2920	mscorsvw.exe	48
PID 2920 wrote to memory of 2688	2920	mscorsvw.exe	48
PID 2920 wrote to memory of 2688	2920	mscorsvw.exe	48
PID 2920 wrote to memory of 2688	2920	mscorsvw.exe	48
PID 2920 wrote to memory of 1484	2920	mscorsvw.exe	49
PID 2920 wrote to memory of 1484	2920	mscorsvw.exe	49
PID 2920 wrote to memory of 1484	2920	mscorsvw.exe	49
PID 2920 wrote to memory of 1484	2920	mscorsvw.exe	49
PID 2920 wrote to memory of 2544	2920	mscorsvw.exe	53
PID 2920 wrote to memory of 2544	2920	mscorsvw.exe	53
PID 2920 wrote to memory of 2544	2920	mscorsvw.exe	53
PID 2920 wrote to memory of 2544	2920	mscorsvw.exe	53
PID 2920 wrote to memory of 2416	2920	mscorsvw.exe	57
PID 2920 wrote to memory of 2416	2920	mscorsvw.exe	57
PID 2920 wrote to memory of 2416	2920	mscorsvw.exe	57
PID 2920 wrote to memory of 2416	2920	mscorsvw.exe	57
PID 2920 wrote to memory of 1160	2920	mscorsvw.exe	58
PID 2920 wrote to memory of 1160	2920	mscorsvw.exe	58
PID 2920 wrote to memory of 1160	2920	mscorsvw.exe	58
PID 2920 wrote to memory of 1160	2920	mscorsvw.exe	58
PID 2920 wrote to memory of 2484	2920	mscorsvw.exe	59
PID 2920 wrote to memory of 2484	2920	mscorsvw.exe	59
PID 2920 wrote to memory of 2484	2920	mscorsvw.exe	59
PID 2920 wrote to memory of 2484	2920	mscorsvw.exe	59
PID 2920 wrote to memory of 2876	2920	mscorsvw.exe	61
PID 2920 wrote to memory of 2876	2920	mscorsvw.exe	61
PID 2920 wrote to memory of 2876	2920	mscorsvw.exe	61
PID 2920 wrote to memory of 2876	2920	mscorsvw.exe	61
PID 2920 wrote to memory of 2672	2920	mscorsvw.exe	62
PID 2920 wrote to memory of 2672	2920	mscorsvw.exe	62
PID 2920 wrote to memory of 2672	2920	mscorsvw.exe	62
PID 2920 wrote to memory of 2672	2920	mscorsvw.exe	62
PID 2920 wrote to memory of 2872	2920	mscorsvw.exe	63
PID 2920 wrote to memory of 2872	2920	mscorsvw.exe	63
PID 2920 wrote to memory of 2872	2920	mscorsvw.exe	63
PID 2920 wrote to memory of 2872	2920	mscorsvw.exe	63
PID 2920 wrote to memory of 1204	2920	mscorsvw.exe	71
PID 2920 wrote to memory of 1204	2920	mscorsvw.exe	71
PID 2920 wrote to memory of 1204	2920	mscorsvw.exe	71
PID 2920 wrote to memory of 1204	2920	mscorsvw.exe	71
PID 2920 wrote to memory of 1532	2920	mscorsvw.exe	72
PID 2920 wrote to memory of 1532	2920	mscorsvw.exe	72
PID 2920 wrote to memory of 1532	2920	mscorsvw.exe	72
PID 2920 wrote to memory of 1532	2920	mscorsvw.exe	72
PID 2920 wrote to memory of 2772	2920	mscorsvw.exe	73
PID 2920 wrote to memory of 2772	2920	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x160,0x164,0x168,0x138,0x16c,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2516" "452"
  2⤵
  PID:2864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1568

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 288 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 298 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 254 -NGENProcess 2a0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 26c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 258 -NGENProcess 2ac -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a4 -NGENProcess 2b0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 22c -NGENProcess 278 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 250 -NGENProcess 29c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1f8 -NGENProcess 23c -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 248 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 29c -NGENProcess 1e8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e8 -NGENProcess 23c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 260 -NGENProcess 1d0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 29c -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 21c -NGENProcess 1d0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 16c -NGENProcess 170 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 1f0 -NGENProcess 1f8 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:300

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:580

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1056

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1300

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1496

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1072

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1692
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2444714103-3190537498-3629098939-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2444714103-3190537498-3629098939-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:2208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1224

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
745KB

MD5
fb01732dcc0eb94d90a95aece9b91ded

SHA1
328bc08945d5b81006dcafd436ca896919ef9199

SHA256
88c0a1c2bf4c694d27865ab0665ba747193ca83e045b68177eb7225c3f7d4b95

SHA512
621f09847ca6c548f7907cba20835743d0be592a5d13403c70e5d0834657405e1574d3677911343e39af5a886a5b4d768d14d2626e195c66ce2d90354c0e2e76

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
101KB

MD5
51323399f17520de6d0b6fc960f28dd0

SHA1
c2a660bd16c7b23e4f406d7abe060e1efc114d29

SHA256
0d4b123496b9f72b0e5a3689f34b678cd5ca63319ae1696218dfb1d78f30e98c

SHA512
b1949ac417b2577eac57a7c5755a35cbdbdf06e45f594c90964deaeb0599cde9563074a0b9ebe013b169c38434f369d7285c91bbecdd7fcec57406249e275d39

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
411KB

MD5
c1a1dbed56b9ffe98ee95210b46cda14

SHA1
d17468beb6c9e74e3db7a086922982bb9b4b90ed

SHA256
466abb0ba4099467716065c152ed1bdb24a77881062aea01f6e7b4caa93f8508

SHA512
df7e0720204c41b9345de68552e97d783100661bbc08c1cfd41ef3bcb4c50d26ab2161adf303ca7cc85f009c01ca853741e4a639915eb8e678a634a39d830c55

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
524KB

MD5
750855a3c8fbd4429b99f834a813ab69

SHA1
8e3493be405cb84a34abff48b41655d3262fad6e

SHA256
6d43ac5ad2fa0412ced7f203519ae9d3c16bab33293138148dc16e829c6ae0db

SHA512
716aefa74aed4e0fcd4b734ff883a069b54c6f5cb7a06b508bc671fee3e83d792c7361f247690e2b493adfade189855095b1bffa0f32196ca64c97eb991aabf9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
844KB

MD5
63d052f27cae43b187352b81b0941de8

SHA1
973ee977481c8c93d24a3c1fad6b5cedf7fa70a9

SHA256
6991395131f85d59ad4788212cb72ba085cf4f934b653f381ed9fd87659b9d56

SHA512
6e87de7afce88fe42806570560544c0dacc40e8da36c28c9b6aca23db67752fc6a167c7c4935756badd3a48053b8ba5449ffa26a079b0cdbe3f6d297c1357089

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
455b9e923e2dab3b0bf86b8bbc03f243

SHA1
40b522821a8af090c21369c6cacc9751be97c849

SHA256
8ad75675dd0fddb61752c0a68d79abb9fc8a9ff07abbd6f79b98553909621179

SHA512
996c04c9d324180443e6737d2690a418a36e18a8942b2927b858827bb0d1a4d1c2fadc04f373e43adf4dd91db0726c8bfc8c611c0cebd2a00d8e1fecfbc792f8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
442b78b2bb4126f6443b319a480f138a

SHA1
afb6b195a87af922ae3efc51b5a86f0b42e27e5e

SHA256
68ebbeabc6deacff43efab38e924f1511b444f6ec32e0163f9a2a44674980456

SHA512
e26b9b1e6cdc5ffe33c13fe4dff7e38b48fdbf72c6f2b014c9da68e68ee96e21a370e25deb05df60850e48f055fd5440c323e441082ab16e9a4b9ab39ec87794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
961dc6bf65e2a32eb513aba941408bc9

SHA1
f6e8ec83bfd8817e7853fe9ee53a4cc08d182a2a

SHA256
4010b73a39184db9c4b7e73c3d91d81eb81eb4a7643a42506f1b10a80860f5b6

SHA512
6ad92759ec9dc464971d5db8e914170b3951c2ee187ee37397d8c0fd7fe91e5bff253f6d760673e9aff745c70e5b2dc3a8b6a2fc9c5198175ca1c4fd791b9add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259404462.txt

Filesize
1KB

MD5
c6a94b5b709c91afc746a3b022ce802f

SHA1
10f99ce411620ba520dd9c592d52aae911e00d88

SHA256
94aee4b35bb1f6ad4865c504747d2d3614181c6adb73224a21d643617a634e3d

SHA512
7dd91d11ec3c41ce709ca16b2eddf6185daa16e7fa99120e42b064fd2ce485fcf6768eccc1a51cf8ce95327454dc7b33adde3d5a9d4975fe0237ae5d91a07541

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Users\Admin\AppData\Roaming\f44051151b98a6ad.bin

Filesize
12KB

MD5
e0b5de4ab1410448791f6c325cea2788

SHA1
913491b6ae1b33f37441d2c10c545182eb543945

SHA256
8fc8e099c79827eed7d176161b6a66d25ceffa232756c79935ac83f0f1111ff2

SHA512
4a3339ab2207f2f2388bb5bd5bb853664dbbcbd9dd6e17724fbd1a8b29d930144f910c8794a231519429578ccf4e75c701df9bef3e9e1de39cb55031a1a28312

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
995KB

MD5
f29292d55b6ded18289087b15678e04c

SHA1
aa61e814a9932e47b2374662289b5f40c30e617f

SHA256
be93090640a1473aeed789920e660ef9fcd32250ce5c8226e3820701d4fc81c7

SHA512
1559714fd0884eafdafe9f3be1474fa1b9b066f90e16dc91b2999fa16f756018071837a611638db12c0f5561db0c714564d17f2171a592dfa68d51ba937552f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
27c29643448e2e13bada45923f95fb28

SHA1
816c69c252377f045b997281413b09ba3cf869ae

SHA256
2ca2a31a9701318d71e002aca5c493f11de73d2230162c61c1aa9dc4e9a330a5

SHA512
50a330f097ee49667baa3634043b6a07ff6d6b5baafeb66f991d46d3309ad9a8a0747ba45b1d699493391abeb00233101d602d487454df5fcf63d55d575cc9bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c360333ace20093225d0b58adfc2e7e5

SHA1
de14a555596fcb8181172827503a47882d0ed757

SHA256
caaade7d91e523c7c951e0fc97e03a76d599604fb46defb8847a4435836b685d

SHA512
045bce833467c3bc4d0bbe5225ae59fefc2dfe350dc7daf3f982854d0757bf483511327b55e7ff6b3b8286102027fc11436eef352894236b6b419f6eec94eed5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.0MB

MD5
a864d4188f787508201e751e0df3fd27

SHA1
8f94c20601f2c6fbb2cba120fd187bebb4933ac5

SHA256
a09e9b69b89fcc12ab55279066803904a1b33b0bf45726ffb64034e29fcfb7f5

SHA512
b47e79243987fbebae520efcbaa4bfc229eba2ba590b89e0d1cc1647d71f55de54aedfcc8ec443c14335d247e9ce4a359c90a5bc5dec372f84b2f18aa10f3b01

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
745KB

MD5
ed5215951c0cf534e7c44828ca0543df

SHA1
75a682801cf25f22666ba6a514e43c13aa53181e

SHA256
56f01d941015402564b98232915eaf506901519b1eaa9ab2900a744954a097cc

SHA512
58e6ef9a00827ec9144dbab694d8c67488c9e542bcbda74bd39a0c79ec26cea67f1e6d66e772dd7070c603fdb07913a78b3d0f8281bc98106167b661785d5a52

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
1d91caebd6118f5c31bfd755e290fd6c

SHA1
22dd3ffa71f5e9b11d11a7037186c0630077eb05

SHA256
4e831caf423e561b472550cd53972d67b836611eb659907cdc6517cc9453dd40

SHA512
1204a47f56fec997eef6febd2bcbcd611e0c9073608fbf3134c1c6ceb54a74a2cd3d84a3e725c24f51a4dcf0b30292e231d4d74caf3f445e9d9f3010a726f63c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
bd66ff24b94a28e9ff52fc152950f661

SHA1
a50d92aa287925f8a173ef518a3ac5acfa84ea6a

SHA256
c4d0936b8e7184a3d942945286225f9635b0a53ae2ece2e1bb3999162d85da88

SHA512
62938bd21b1da6b5c8513cf7224c6c4327972ce77555019d1dd24ded476383dfac70b376e84b854480782a6c3cd1c6397a0937f6d6b274ee2693da752bdb39aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
937KB

MD5
db50d0f8ef34a93fc2235ee54f2b4d77

SHA1
aaba55727c5186dcb2344198a7ccb64723e4dbe7

SHA256
7cdbd3979c31126da29efd40d353c52d0109e9cac0f902824b0ad4e5c240141b

SHA512
cada7d73b2fa890e703f714db3395518972fa4dc9611693e115f69df12ed6848e754e347768563d1efe6e76c25accd4d06296c5decb9be4b6d4cf959eb319da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
596KB

MD5
bc7de55cd25dccd6ae30e3622501bcc1

SHA1
061fee28675efcaf48c679ce774aa6e85b52a3d5

SHA256
aab2199c96adb8380617cf20ee68600bec398b19f4719f459fa6840c39b2a12d

SHA512
3ec49b7e0c22a2721856ec834a95c2246587304e05d370257b0b83d3be44e6dede1d66b2ab8f1d0eb3b4d3315ae087511ddaf388a29cff0ce2652eb8bbab9d82

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
80KB

MD5
82228535492bb2ea6850a0b52029a1a6

SHA1
dfb78808ce6adf8060c1dd5e538ceebfa5d95403

SHA256
5cad7fa922c20b01cce52fbeda7452e8c3e830493892cef647f9f0bc0128f1cb

SHA512
b2ebc424e32e0078690852429a9d1f9e77c2e3772de1fe08530521a1064694f2d9dec469e61b75cef52ebbff2eaf2565e36c7008f1b77a609b550f77a526a5f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
459KB

MD5
61c28f25dfd378a35b2b79666ba85d45

SHA1
605e47741cee5f142672179c25c12bce406c7f55

SHA256
1b1a8222947f0d383b26f9014ad6ea395c7c2223198e45abfde7cee770f259e0

SHA512
f0a8deecfda3def06d88fc7fa5e6c512f925cb096d8603e9868ddf9cdf684da0b069f957ecc6d2479fbd2482635553335af875715d7af481d498265bb0470446

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
207KB

MD5
44a61cce72e9975d97ce54c9229b7c54

SHA1
d07b46f8b960ee73c9e3416bda2f3a37a25c1e57

SHA256
6a8ba41ebd52aa4c8872dc53ac20e2fa8e622a6ebae82c8758746e1dfdaed5fd

SHA512
bd0cc292a785d516066c1e77d3c3b517c4543e402a89cdd6bc6a81bd880fc83885fc18edf46165c9e873c2b692ee6e315fe0b0ab22c3cd77b8bf1abf95e1e8fb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
853KB

MD5
6287bd2519d1171a04d8a438b8512a98

SHA1
06182c14458ddf22b99c2dee1b4dbd689d8efd65

SHA256
cd4de0252ad7c050ce389bfdde123dd01abcd4dd60498a517955b8218b0a6fcb

SHA512
469a75c90f50707f13821f65bd6f6d861be823ed7f492d143cf758154767d8ac51f639a3b3f7cd6f1e6b79bd2f9cc1fe4504de3559309e7e34784b43352f4836

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
373KB

MD5
77a95157f4e3689676a0ee199afcb5b4

SHA1
5ee99a604662dcbed7508168e34693b6bec50108

SHA256
7c341c1256e5285c5d7be7a6a9c3d58010f9ce36e9146ef53c92dc2d2b054924

SHA512
b26449d91b8681d46b6cd0486d057dbe5843287479f145c654fdd3ea0a2996871b72842ea95c46794a5b8c72ee4fd467d8b7e8a5ff61946aa8e0083a2cfaf7e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
171KB

MD5
13a43c37c01905444fd7f359b6beae9e

SHA1
5ceb099879620a67766e624ab19603222663cc8a

SHA256
126769c2d0d09551004775abc4dfce038ada43edde9207b111f6215dc656dbfe

SHA512
675b89972a99fdd4c8a1aadeb34cbcffbbc85090b5fb7bb4544c36dde19fe1b75e2ddd7aefab6bc5a0e66c7a4ed7423b70b02a9b8db508fbd1231ef5ca1aa7f6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
947KB

MD5
0847885093268c907ef3f32ae1a8458f

SHA1
5741108bc418db2757459422dc08980f1071376b

SHA256
9f1335a65fc13a077b1e8561d2449c4b7dc9c1bdaf319e3a6fadf6508dadc3d1

SHA512
d3d2aceefad899b46758bfa9e013689ca5dda6128833ee424cfda1470b3f943082af3a3a7a44b5f6ed324808ec4cc579965757fe3fe297eaf5b1bbc2ccf9cc6d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
566KB

MD5
96d650bf9bcb6f3ae913d0927d04ef08

SHA1
83f1265fa71fe61148e8200542a2fb60161e2e23

SHA256
f60778512df5e80662b4be975a25c8dfc27a3159a1e9d6cfa5a7fbf4a358cb7f

SHA512
fa13bf0c5d84846fba6f4e1a618fd54293dd1156ce245213600e86fd6c1c60793759f5ce278d28efd42ccc61aa9d3ad606303aa97acb32356f68ff7a1fc5d14f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
167KB

MD5
9a6ceb6553ce21b0040e6c938ef225c3

SHA1
c3097728ac0f764083a49887b050ff6130737a76

SHA256
27d48a4ee59b91fdeb8a4c4778893acb49a684ded5421c29c0eadf2a13132a0d

SHA512
31fa24cd6e165adc59de2362b342dfd0fcfdfb30967bc27ba86fb33cf9d0c8bd33af92f9655570317a3c2d9d6c54d6ab73502d4dce5c49392c7ad8d46ba20557

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
757bbee71133c82684d076c860131ebd

SHA1
5edfd214490300b7875fe14e8628c0d2022bf6b1

SHA256
6eef166f04ef66a3456860ce560284c91892a22ec410ff1b3b1488bd1accf780

SHA512
139e3f5ad77082b198acaa9556463eda364da3a47afa9f396953d1c1ba44d863534c4f2fbbbd63eba35fbccf744147c98c043acfff91394b7d002d768c3b0f19

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
740KB

MD5
895b3ee280298a7161b428a522ae98b3

SHA1
ccb1ae07366422bc1152ad60db6cbfb167f6ef8e

SHA256
84a947703118843d7c1249331145a0d0e7c063b39ef8b5fe2249a03de4b8f96c

SHA512
d7e4c68a1b58490e9612c9e43147ba07e23add6231608802b6139a5ecfea912f7623548d34b996f4df53bde2df345224bddd16b41854c1e64059cca29142fd10

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
f265d8fa99e65008fb781148dbb851fa

SHA1
f0c390cb44d953801e89ec352f8640373a91bb7c

SHA256
b654d0349298ad610141e09a36c8dc160c8b77c05bb128532e4ea9a0b52250cb

SHA512
729938a3a3ff5586398920fae1a90b5fd07f532459afc4e891a18a734dad26abedc4fc3cfcc3d53615896751754d5f63f17c780420cb7e0bcbd3635e6b04cb69

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
286KB

MD5
39b0344b945d435dd0e6a398365113e1

SHA1
a5bde835ed4028cce168ed03ff28b0e015a7ce13

SHA256
e92943de84fca683077f2c819ce0068067748c0b3e392da5eed37f596612762f

SHA512
1d63c15388bd49142551b89a801995bfcbddbad278d8324a03b3d38838916ee3b573e104e86f7512ee28fbb6726f783a877048aead17e3338db8104a362de706

Download Submit
C:\Windows\System32\Locator.exe

Filesize
135KB

MD5
a5fd8d374e285fd48676bcafb30a741b

SHA1
e74ad173083385eba8d646c8a61801e293580fb6

SHA256
7160b6a593b235f3014cbe2b5f0eee8492b48746d6c3fba2a1fef033dd0f59e0

SHA512
8b1d28b4aa3210f143d73f8b7ba13a55028d8ecfe8e5877749e64dd060c7345925ebf490323eca246c5eecce5fa29978ac7768af68b653871084dcb51d81d65c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
b3f85dfb093ae0d6e4dafccfaff7eb37

SHA1
ca9b45b38c7398d02a5afcfd4e69fd51a9cfb2bf

SHA256
769ec47df98949a936c3a39faee9933c1ac15185e00008d9b5ad91d31a78e5b8

SHA512
d6a678be427dec3e44fd4ca76ba654afa4f82031a9b4eb7fbbba16b03004ce92254ddac743533058cdbcabc2386ca6d6d5fdb48c5441a641399cd0fb0b8a8960

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
bd5f3082697dc1fa314e46632f947c54

SHA1
8b825e0a9079df531c389413bb1152165d9c252a

SHA256
726057bc8eba41760fc7b2d8fafbda5358e35856ddd73d1fff97f77db263c886

SHA512
687ea0de578134ce63f21985a6e5cfb6c9ac1e0259c479901abfd82d1325edfc599530b3e7dbfc92aa84f3b0b92c0fa5e83d314c4ff89ec79799f3258eeaa0fe

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
250KB

MD5
ac7d7c6ab2f6e7ffd6a1b5180fdc8f3f

SHA1
e3e6407b9504af34771315bd638b29c2f49978f3

SHA256
1c106173e056047f76619b803962ec1430fcd9b4cff2baba5871fba465c24a32

SHA512
c880b0d22659337181997f79606b3414ebb9e78624cb649ea06a1d20a2e87f9a7339df2ccbb3124d1d3a9ba36ab449604fda707f10cd68c6dd9845328ab16826

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
515KB

MD5
54e682f1c24a1f79423f8c3ff6f47c79

SHA1
e00554a3718c13f6a7c74c4db8fd5d1ca20ef9cf

SHA256
fef41581fb5bddf684e235c5abeb563f36999de9fc5647918a98e6241dfa0865

SHA512
b0d61ab09172c69b4b8604f73d62cec65d1cbf8c0db0c9f7892a54b5f69c2cad2f71a6764014c8c151b21b9e85ac99e2b67d472173b18619baae1cca7ba8cce6

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
970KB

MD5
cfb49c059951c1e4247c947ccc4a8d13

SHA1
599a08865a868446b70a77cc9a909484b669656c

SHA256
93a1d6ad2a0071b431b42ccec4f2cbf99e42348359e19f3f73c156c93b3cec22

SHA512
f76f736cc0014d2fb3b4e95c49a35cee004c763a89486a2969dea98946c8a4a5fb581f42f4a531d12ded962436b97a7760722b278ef67078b389bd1974f3c899

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1KB

MD5
6d2b0c26525379bc3fb409c036c1a259

SHA1
9fc76e3268fca24ffbcaf669a2d20b7c931d41a1

SHA256
b1d9fa091d1826e1e1c8d6afc1b8032fab4454762e9031e969e8d9187e328638

SHA512
bf9307ed2e74bd61c4ed27073ffbf08b0a1b73efb8ac9db78c9e19870ff838c0de861526f4b661ce34345c85a112cb8a587b86f8acf3782f2e67818694e6c615

Download Submit
C:\Windows\System32\vds.exe

Filesize
214KB

MD5
302ebbbc88bc2e954b2197660ad761cd

SHA1
ffa6e41bb3199f7c6d673772c6c5ae8e855fc682

SHA256
0d16e10f1bc031b5e6984199226fa6fb5e65abec44db4482a5847a6f1ea4b6d2

SHA512
5fd806ce079ec599bbb94de6464980b0017fb05f0fba3724676bbde921a4ef49ee975ccbdf86c8aeb6492626e2f243169ca02abbcdbd5e3990cfac3866e7d9d4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.9MB

MD5
efd6e9c57827f48e7018861357b6b955

SHA1
5dad0942df300b0978cfa1d91018e2a1b166c32a

SHA256
6591a26000c5621dcf01791f1b7fb241a1409ada1f775598b6579760ac61454e

SHA512
25f23f6883f7a9c0e29a0aa2d949317cd6741e8e86ab2ef25ea7923576bee72aa4648dae9577f813b47637c5a346d2bcddb789da9a45623e87d05488d1dab55a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
253KB

MD5
f7a0cbb5b240e1a9722fcd46c74038d8

SHA1
059f7866af49aca514411e8f892195037c5be5f3

SHA256
341dfecc373b40d77f857f0b0cb8f951ca0485bea9a71f6783210f86229ed61c

SHA512
6399bf9b9a971ec4b23068f84433159014c993b2d1e1a68491042f50e9a29e493da2dd48917c0e5e01aa2c3231018199fdf417ec2434897a56d3bf9fd7dc69fd

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
444KB

MD5
c2b31b762b577a9e890f9b5f56ac3dc0

SHA1
e88be0e8c6e2875415c3471775529611debb0fa6

SHA256
28672c2549d713c61e4250eec14df708dfcbfaf131a3960451dd49df0e06e47e

SHA512
9704f2aeed002f790aa9c7d1e89c74a16edd24c14dd6894c1abadc31e988853fa3b6c82320500d3fd824d1c7546a3cc9c510dbdf79b3d42c47d8d751e34913cf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
744KB

MD5
b12b5cf9c7058d7e1908ff0c953124bf

SHA1
8448a60e85cf55fa01224d1d2c244702a0cbeb27

SHA256
572b1a979027ddf6c51ce16ccefb2bcd5a308d218853d7083ad0db9336861efb

SHA512
70113ea84bcf44a12f2fd9a01ec7b1c1882621ccacbd886a78291bb91263eba8651e59d8ab6f7c258f5d32501ec94eec047fafc2d6da3d34c7cc4d0197a0372c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.8MB

MD5
f021f9088faac16841bd89f572cfd912

SHA1
4ab1a470bcc1c0734aac722bf4238a0da5581a30

SHA256
dd511af05cc2efd92656ecd2a5fb737c3e2aa881a9adcff1c6d2ab496f373c10

SHA512
bf91b9eaab210c9bbad226e2d8de6abfde149659be0cd84f50c6c87f4182059a5419353d3d62ba9af8281d5285a331afd1066e33b03c9df94172401b7da82eff

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
687KB

MD5
520ecd7fab95fbb98541cb17b770e64b

SHA1
f93a1db0f0f7d252c1ca70101d1d5fa94b10da68

SHA256
fab5e50c246e5f1a12c2cd5db2925c6dad2a21a8a3c7de686d3ac815c429e69f

SHA512
ec5e3a2ea373de9ba74393caee648d21015209a53208910d276c2363bac3d0bbd224cad859a6c93d291ad2ba7ef350915b8c6d08ea0edf0caefa0727b545fbd9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
25a6e629485c4cd900b49dab85c428a7

SHA1
8075d172264d0fd78bdcfef0b0c6ccfd717858b1

SHA256
ed800c6649ddb5cc3b1a7597e641ef0368b56fd3daab8a429dd8fbdae73081ec

SHA512
7a61e9d43eea326b614bdcb7ac571efa05e615a82f190a1a6f108722faa55fb686105a87e45257b8049d8e4d5cc2028bdba9da74714f44593dcaa045b6526731

Download Submit
\Windows\System32\Locator.exe

Filesize
312KB

MD5
2583a8468332f30e030fea03b3e1905e

SHA1
54666c6ac688fad02c58461b0ea1b61e600c8906

SHA256
8e9a2175d9f0aa70ba872841f92cf2da2440cb3a7ad6316545529340094e69cd

SHA512
0e92e355d3d10e275058f6b43c1bffd228055291a7ca06d36496bc891dd9c1ce5a904528c1dfd406ffa8575ec9bca493ccf095323bf2bbfd5c6982fc63fbd5d6

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fe05049ad8dccb6ef3f698f73aeefbc3

SHA1
b046f17baa08cfa14e5d0512e5fcdaef78815585

SHA256
382290cf753fc1aaac777396be8221ef01e7a20280045fc7b7b8dd359756b7ee

SHA512
211f420d2555fd0d83796c57e7a21a7887f79b161d3648d80e76f1496d926461da52f335445c0219170b940b081b72098cd9a21e8309a0749ab33c0275a89f0b

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
355KB

MD5
9b2de30a87cea393a35b834ac860a96f

SHA1
218513df104cdeef8ea5bcfa6eac335f251ab649

SHA256
c0bebaf40247797b03d14eab696b769486c72d0349a61866aceaa32820702e2e

SHA512
8cfbf55b3e4573d12f4f911fded6df7921573690a0e6f9475648cbb3e4e767b0cfeca26a6b4b953c4c09064ae350a7a69efb1138fc0666dd71a55881e3bd6adc

Download Submit
\Windows\System32\msdtc.exe

Filesize
455KB

MD5
8cad456a0f02c084fcc86f0dd289712c

SHA1
75c5d1364c2202d993474ba513efd8f237eb7157

SHA256
632413c3cbc99f97c2f69acca2fcb1c61f99f88084edf14cbda08e25f330023c

SHA512
f2c740bfa3e8e436e1196e6b190688f94e6f8fe20b396ceb61eee77bfa031706b7a3d4f0f1fc2c5bea01f083fa3fc58d63f87211f1a8591e848d69f2fc0b6472

Download Submit
\Windows\System32\msiexec.exe

Filesize
638KB

MD5
cd62767df86e4282849b3208baac4297

SHA1
546dbbe5ca0c53af61c32b8f165d2e634379bc68

SHA256
946254fa699c613022ab06724f608bcdc3d3bd82d00dfa59de32e0d8880b46d2

SHA512
19fed8c1d611f2ee3471daf6cf78d0ac34aa8f3b23360916b7fc0d1d0b82aad856282c535ff05d6a153ba715c97624ca9734934cef97aae95f90830646e96ce4

Download Submit
\Windows\System32\msiexec.exe

Filesize
958KB

MD5
19f60009b0ed0837e6486ebe8831f83f

SHA1
e7edd37c280964582ee883788a1d82193e72b401

SHA256
626f533f9dd489cabf5de675fddfc21833a0673e454a60da024cd68940889ac1

SHA512
7f22cd5ce224299174123763ba4b80f8952f2238de17df841df6b8d60b910d9e4551ec244fcc44e67c941b389f32c34da462e9fea95da097f21f3667b182567f

Download Submit
\Windows\System32\snmptrap.exe

Filesize
80KB

MD5
0072c74f16cf80de37d74faa5353c4f1

SHA1
3ab8b573af24e0058c2eca3134ebc5a0bd8508ef

SHA256
8102256b3534c1ce8d2812ef454274e8d54b87730b7a4ecdd7589799a92a0384

SHA512
30552829a4d2ec32cc5498ac6a5b44902818c072164eec1221ee4c45348e14d8098bb011e61a59475696b895d35cad51d5f791b8cdd3ee34c22bf8b02900b6a7

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
8b4859a15aba94f68d4dc9e444d4cac1

SHA1
2a1da7385d94acd9c13099fb400e507083042ec4

SHA256
f445a422b6f67695d347f764eb34c248e4a9a08ba2fa3e0eaa670a7f64f1a289

SHA512
d131cff47eb22489d42a03652e6203ce00c92f784497784f3d2f8815b383431797a30670b2e288533acffe5fcf499d455eaf201e9587a18f252e1a35f0963c48

Download Submit
\Windows\System32\wbengine.exe

Filesize
1.7MB

MD5
d603ef1d50f19bda938852ad0d313e79

SHA1
beb35e9742e46252e8c07c5234bca9b466344c31

SHA256
d70b713b16f225ce61e7a53a1545297db6f85f0bba6db6f0b1961637b9cb4a4c

SHA512
3095bfaa01554fb35858216b2bce720061efa6fcb21e1d71671360d67026b0f4a61630026aa3195897a0dfad35645a240c578c1818fe70b34a2f1c2842411949

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
190KB

MD5
8f0274f421fac5bd9b9849ce31d43112

SHA1
f52ff1bd642212bab7a8c9afd0cfb44636d568e6

SHA256
29b29258b5586d2476e44b8a78f4467a9c67d9fe97f9a8d13f1c8f3918a38ee3

SHA512
23c00713d5928a787c46553025b1911313a14251948183f2fe414b58232372a66b2cdf18efa40f390651a2b575aba88ccd90dbe7360615bcec28a01ac3297f80

Download Submit
\Windows\ehome\ehsched.exe

Filesize
295KB

MD5
b663e45b7d32875cfad56b2184c418e8

SHA1
33a78cf3da2e3823c926060555b7f9896cc25b1f

SHA256
2b41eea76670bf7b672405bf8d5fa3d26fda50b91044426f2da1ac098af0da32

SHA512
485efb09e5c5239939affe807167969c486c7b758d6588574020745d82b4484f90cc66c77463d3cc85f67e23ac0b1ad5c370096bb0212cfef21650f01cda037b

Download Submit
memory/580-101-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/580-186-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/580-111-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/580-108-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/580-168-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/580-122-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/580-102-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/580-112-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1056-154-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1056-143-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1056-156-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/1188-246-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1188-182-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/1188-179-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1188-239-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1300-167-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1300-221-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1300-169-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1536-152-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1536-209-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-274-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-259-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1536-247-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1536-193-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1536-153-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-216-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-213-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1536-151-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1568-96-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/1568-56-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/1768-180-0x0000000140000000-0x0000000140271000-memory.dmp

Filesize
2.4MB

Download
memory/1768-119-0x0000000140000000-0x0000000140271000-memory.dmp

Filesize
2.4MB

Download
memory/1768-115-0x00000000001C0000-0x0000000000220000-memory.dmp

Filesize
384KB

Download
memory/1768-124-0x00000000001C0000-0x0000000000220000-memory.dmp

Filesize
384KB

Download
memory/1968-227-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-210-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-208-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1968-207-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1968-226-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1984-125-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/1984-53-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/2080-188-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/2400-88-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/2400-63-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/2432-137-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2432-205-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2432-133-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2432-130-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2516-46-0x0000000002680000-0x0000000002683000-memory.dmp

Filesize
12KB

Download
memory/2516-43-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2516-38-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2516-1-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2516-14-0x0000000002680000-0x0000000002AB1000-memory.dmp

Filesize
4.2MB

Download
memory/2516-8-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2516-7-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2516-0-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2600-44-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2600-116-0x0000000100000000-0x0000000100263000-memory.dmp

Filesize
2.4MB

Download
memory/2600-31-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2600-32-0x0000000100000000-0x0000000100263000-memory.dmp

Filesize
2.4MB

Download
memory/2688-261-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2688-266-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2700-20-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2700-100-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2700-12-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2700-16-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2724-243-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2724-222-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2724-223-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2724-228-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-242-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-248-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-231-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2784-241-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2908-91-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/2908-159-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/2920-81-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2920-140-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-75-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download