1a295b650c0d9f697b881cd3ce919f6a22f5259b99ef733d7211b6d0da4681d3

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
Size

1.1MB
MD5

e2b8e5253a741d930a188e974aa62821
SHA1

4cca486517e296b585f426db29c3f39969eafb8f
SHA256

1a295b650c0d9f697b881cd3ce919f6a22f5259b99ef733d7211b6d0da4681d3
SHA512

c5ed4819207070980b7e00169f7eec326f44e48988b45e3b5c61db62f54844720d33c0bd8ab47cab9ce305d7abb1549fed7f926ca71373f5e8a75a499db12802
SSDEEP

24576:ISi1SoCU5qJSr1eWPSCsP0MugC6eTpHofe3y1sInB2COzRq8DvFqtn:oS7PLjeTdP4suIRbDv6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2640	alg.exe
3068	aspnet_state.exe
2408	mscorsvw.exe
2024	mscorsvw.exe
2196	mscorsvw.exe
776	mscorsvw.exe
600	ehRecvr.exe
848	ehsched.exe
2092	mscorsvw.exe
1468	mscorsvw.exe
2188	mscorsvw.exe
1556	mscorsvw.exe
1156	mscorsvw.exe
1964	mscorsvw.exe
2552	mscorsvw.exe
2200	mscorsvw.exe
2408	mscorsvw.exe
1760	mscorsvw.exe
1900	mscorsvw.exe
1576	mscorsvw.exe
1008	mscorsvw.exe
2124	mscorsvw.exe
1468	mscorsvw.exe
568	mscorsvw.exe
2012	elevation_service.exe
2972	GROOVE.EXE
2460	mscorsvw.exe
2588	maintenanceservice.exe
1692	OSE.EXE
108	OSPPSVC.EXE
1672	mscorsvw.exe
2796	mscorsvw.exe
2240	mscorsvw.exe
2200	mscorsvw.exe
1864	mscorsvw.exe
2112	mscorsvw.exe
2480	mscorsvw.exe
2788	dllhost.exe
2140	IEEtwCollector.exe
2408	msdtc.exe
772	mscorsvw.exe
2688	msiexec.exe
1644	perfhost.exe
2836	locator.exe
2600	snmptrap.exe
1636	vds.exe
1364	vssvc.exe
1884	wbengine.exe
968	WmiApSrv.exe
1716	wmpnetwk.exe
2984	SearchIndexer.exe
1144	mscorsvw.exe
1512	mscorsvw.exe
2016	mscorsvw.exe
964	mscorsvw.exe
2940	mscorsvw.exe
1992	mscorsvw.exe
2444	mscorsvw.exe
2396	mscorsvw.exe
2184	mscorsvw.exe
1392	mscorsvw.exe
296	mscorsvw.exe
1836	mscorsvw.exe

Loads dropped DLL 23 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2688	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
756	Process not Found
2940	mscorsvw.exe
2940	mscorsvw.exe
2444	mscorsvw.exe
2444	mscorsvw.exe
2184	mscorsvw.exe
2184	mscorsvw.exe
296	mscorsvw.exe
296	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ce14b1b53d2ec148.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CD868A80-DCF0-4F95-8AE7-CA1ED1B0FFB4}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAF9.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPED1D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CD868A80-DCF0-4F95-8AE7-CA1ED1B0FFB4}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP187.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF566.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{07C3831F-028F-4BF0-AFA9-A1477B0143FC}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{07C3831F-028F-4BF0-AFA9-A1477B0143FC}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3068	aspnet_state.exe
3068	aspnet_state.exe
3068	aspnet_state.exe
3068	aspnet_state.exe
3068	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2872	2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeDebugPrivilege	2640	alg.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	3068	aspnet_state.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeRestorePrivilege	2688	msiexec.exe
Token: SeTakeOwnershipPrivilege	2688	msiexec.exe
Token: SeSecurityPrivilege	2688	msiexec.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeBackupPrivilege	1364	vssvc.exe
Token: SeRestorePrivilege	1364	vssvc.exe
Token: SeAuditPrivilege	1364	vssvc.exe
Token: SeBackupPrivilege	1884	wbengine.exe
Token: SeRestorePrivilege	1884	wbengine.exe
Token: SeSecurityPrivilege	1884	wbengine.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeDebugPrivilege	3068	aspnet_state.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: 33	1716	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1716	wmpnetwk.exe
Token: SeManageVolumePrivilege	2984	SearchIndexer.exe
Token: 33	2984	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2984	SearchIndexer.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe
Token: SeShutdownPrivilege	776	mscorsvw.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2092	776	mscorsvw.exe	36
PID 776 wrote to memory of 2092	776	mscorsvw.exe	36
PID 776 wrote to memory of 2092	776	mscorsvw.exe	36
PID 776 wrote to memory of 1468	776	mscorsvw.exe	37
PID 776 wrote to memory of 1468	776	mscorsvw.exe	37
PID 776 wrote to memory of 1468	776	mscorsvw.exe	37
PID 2196 wrote to memory of 2188	2196	mscorsvw.exe	38
PID 2196 wrote to memory of 2188	2196	mscorsvw.exe	38
PID 2196 wrote to memory of 2188	2196	mscorsvw.exe	38
PID 2196 wrote to memory of 2188	2196	mscorsvw.exe	38
PID 2196 wrote to memory of 1556	2196	mscorsvw.exe	39
PID 2196 wrote to memory of 1556	2196	mscorsvw.exe	39
PID 2196 wrote to memory of 1556	2196	mscorsvw.exe	39
PID 2196 wrote to memory of 1556	2196	mscorsvw.exe	39
PID 2196 wrote to memory of 1156	2196	mscorsvw.exe	40
PID 2196 wrote to memory of 1156	2196	mscorsvw.exe	40
PID 2196 wrote to memory of 1156	2196	mscorsvw.exe	40
PID 2196 wrote to memory of 1156	2196	mscorsvw.exe	40
PID 2196 wrote to memory of 1964	2196	mscorsvw.exe	41
PID 2196 wrote to memory of 1964	2196	mscorsvw.exe	41
PID 2196 wrote to memory of 1964	2196	mscorsvw.exe	41
PID 2196 wrote to memory of 1964	2196	mscorsvw.exe	41
PID 2196 wrote to memory of 2552	2196	mscorsvw.exe	42
PID 2196 wrote to memory of 2552	2196	mscorsvw.exe	42
PID 2196 wrote to memory of 2552	2196	mscorsvw.exe	42
PID 2196 wrote to memory of 2552	2196	mscorsvw.exe	42
PID 2196 wrote to memory of 2200	2196	mscorsvw.exe	43
PID 2196 wrote to memory of 2200	2196	mscorsvw.exe	43
PID 2196 wrote to memory of 2200	2196	mscorsvw.exe	43
PID 2196 wrote to memory of 2200	2196	mscorsvw.exe	43
PID 2196 wrote to memory of 2408	2196	mscorsvw.exe	44
PID 2196 wrote to memory of 2408	2196	mscorsvw.exe	44
PID 2196 wrote to memory of 2408	2196	mscorsvw.exe	44
PID 2196 wrote to memory of 2408	2196	mscorsvw.exe	44
PID 2196 wrote to memory of 1760	2196	mscorsvw.exe	45
PID 2196 wrote to memory of 1760	2196	mscorsvw.exe	45
PID 2196 wrote to memory of 1760	2196	mscorsvw.exe	45
PID 2196 wrote to memory of 1760	2196	mscorsvw.exe	45
PID 2196 wrote to memory of 1900	2196	mscorsvw.exe	46
PID 2196 wrote to memory of 1900	2196	mscorsvw.exe	46
PID 2196 wrote to memory of 1900	2196	mscorsvw.exe	46
PID 2196 wrote to memory of 1900	2196	mscorsvw.exe	46
PID 2196 wrote to memory of 1576	2196	mscorsvw.exe	47
PID 2196 wrote to memory of 1576	2196	mscorsvw.exe	47
PID 2196 wrote to memory of 1576	2196	mscorsvw.exe	47
PID 2196 wrote to memory of 1576	2196	mscorsvw.exe	47
PID 2196 wrote to memory of 1008	2196	mscorsvw.exe	48
PID 2196 wrote to memory of 1008	2196	mscorsvw.exe	48
PID 2196 wrote to memory of 1008	2196	mscorsvw.exe	48
PID 2196 wrote to memory of 1008	2196	mscorsvw.exe	48
PID 2196 wrote to memory of 2124	2196	mscorsvw.exe	49
PID 2196 wrote to memory of 2124	2196	mscorsvw.exe	49
PID 2196 wrote to memory of 2124	2196	mscorsvw.exe	49
PID 2196 wrote to memory of 2124	2196	mscorsvw.exe	49
PID 2196 wrote to memory of 1468	2196	mscorsvw.exe	50
PID 2196 wrote to memory of 1468	2196	mscorsvw.exe	50
PID 2196 wrote to memory of 1468	2196	mscorsvw.exe	50
PID 2196 wrote to memory of 1468	2196	mscorsvw.exe	50
PID 2196 wrote to memory of 568	2196	mscorsvw.exe	51
PID 2196 wrote to memory of 568	2196	mscorsvw.exe	51
PID 2196 wrote to memory of 568	2196	mscorsvw.exe	51
PID 2196 wrote to memory of 568	2196	mscorsvw.exe	51
PID 2196 wrote to memory of 2460	2196	mscorsvw.exe	55
PID 2196 wrote to memory of 2460	2196	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_e2b8e5253a741d930a188e974aa62821_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1f0 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 260 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 1e8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 278 -NGENProcess 284 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 280 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f0 -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 274 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 28c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 25c -NGENProcess 24c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 29c -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 268 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 280 -NGENProcess 1ac -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 184 -NGENProcess 24c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 28c -NGENProcess 1ac -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 284 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 280 -NGENProcess 2b0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 200 -NGENProcess 1e0 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 248 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 200 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 248 -NGENProcess 24c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 250 -NGENProcess 258 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 200 -NGENProcess 248 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 204 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 268 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 260 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 270 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1836

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:600

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2012

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2588

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1692

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:108

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2788

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:968

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
8afcc2fd6ee1985b200959a301434c33

SHA1
e21bbc2262af5ead4f226b924ca9ca8d29939a8f

SHA256
b92a90cf57cb55574c9d717222d95859343856d67b278755d2582aa641258a21

SHA512
066d4f42fe39987928daf384dcc9d7401d019b1e228a9b79152b46db0e1b151be485ffb5786caf8dbb885cfb93cebe0a9be6a227600d34de6d343aefa68f886a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
4.6MB

MD5
6d27217cb4a5d2b209c93e19c8c044f1

SHA1
176687ad486064b98efcda34f4912c2777a7c35e

SHA256
4a84aca821ab918da8f647c401750a9e7f3172e702b5d92a37c24a0ac44da8e7

SHA512
cfa79c2534b81bd7daa591621515ae0ccef77156dbe35f95fb55bb1d01f140cbbfb7fb9c590fc3a4b55f7c02dd24d71cfd48e606ee246a633e13bda1c5c2967d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
9ea169ab75c8f828ebb029d60a50dd9b

SHA1
7504b784e9a349c2f9031ef4e20bce436177dc7c

SHA256
80849d69480d663d97c3c05018fa16e80351edd6389c20e01774988c71509fbe

SHA512
9964052ed93701d5e1b705863e8043563588406706dc8f9562dff82f088b23812fd294d65d7ae41ecff3e435982ba0e69a5e544a65f953774b95874532fe6fd8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.4MB

MD5
650097fdefdcb6fdeb72ae3ba5a92f4e

SHA1
9327aaf295bed3813b01d0793111ff91a90058d0

SHA256
d3a67508ead2a9e7379ab7ebc97839660cc9911c0a75895ef27bb60be923d014

SHA512
9b2945bbcfdf1b97d9203d9b6469f55ebc20735940a5c62b5e517ec348600236179f6e7f2ddae77706ba6fbfb11b12ab71ba2fa393b1dd342c281080f2fd8bb3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
bc0b7fd1f72ff46aa0d5a53c5d14f4c0

SHA1
bff472cca0169b7f5fb97ccea654c677df510d34

SHA256
04c3f296ff914a808a4b50dc43866431e94af03e1e12b8e917fea901fe4e421b

SHA512
d2e0bd5b5bdd64bc3f7e1a55c16c5a724ef21c73245052f32dc380bc5a81fb19a967bae06d4244e52ea720222d25dc5a7e6bba938e8bd04c300af64dec9f4a8d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
10b29ab6a20f00bfb34f115d114c9f3a

SHA1
12fe0187e6ad0382241bf272f4c876d5cfb84cda

SHA256
618d9073b5daaa227bc665901cb63eb5399f5e7c6a530fd298dfe8f90f4acd65

SHA512
8dcc96c7a2959f07cb9ef87ae512a84f00cbeaa50a9a92b121fe5557664b3ec6b36c49e443ad654fb1dbd06f6f9147913805b821d8b9e025e89ca9ff28c61f35

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
67ababaf4d1c17acb2488ddb8a6e2764

SHA1
2d3518533220dba4ba835bbeeda47e995b4308e3

SHA256
76688c37ee8356f6e7cf0c92b800b7fc50fb3df05e9295e2858dd15e0612d819

SHA512
d14f7d4fe6bdc41f014877e9993b8a3cbb4750556e6a431a626a114c33815cb4a5cbebcf9a48b307a67e1c02196bc071c7298247e1532ac43d773a77a8b694c3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b73c9d8b8ea1157027120e9a02f88c3e

SHA1
8be0dd829c21c5bc79d3d40324db846e9ec052fd

SHA256
e5522b914fb2fc4ceb4be5230d99a20f496d1110b117049a8544b441552a90e8

SHA512
69f9ab0889a6c861d967c4007b5929ca4ea3eea7d4101ab39ae284ed8bd4d61972a64e60113b02f0dca4377b84c1971f357aea478aa6473b6f1cd09bf0f1c2b8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
f98ee6a06f6e4fddbc876824c4c9bdd0

SHA1
09341a461e5e368bb7eeaf91d24679b7f4a9171d

SHA256
8d1895fb3475d311c990ddae9054eaafe42cd4901663bfb1c6945e042079060d

SHA512
84a0f383a279892fb24efd789cc81ab22666c19bb9c923c296ebf72db9cb7502fa414e2cc3f285f4e69cb0066416bce43350fb4675026f2d20fd780e5243b411

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
20f52df2fa2cc6559009866f712799a1

SHA1
a9bdfc1ebdd5f7c671544429c60abaa73d1ad33a

SHA256
7c259c84d9f03bf580b83042e1c37644c25b22a68d31c6b09acdd0bf046a67e8

SHA512
8709488f3e43ed4b132a272ccb7114bc96d520f1229a1a84bf85fe57dabc492e4997bc6754dc8b9218671fee0b517db705a5344d02802d93b5e82451c1d88c03

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
24d7a1680b6cfdf94886a529f6e7b134

SHA1
c4d9a4f8f7f82c6cc19a9b7674e48ad0ab62f69b

SHA256
38107c779f35a2a78c2591b882fdedebc6769c7322ed5a1be4a090fac7ebf351

SHA512
033c5c5f0016e34a67efef0f1fb2b58a5339cd7914ff4bf9f09335f5a7e08a8a7f8eeedcf19d2280184b7e191d2d8876d3917886d2f8f627ff1e86297edcae33

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0ca87e280d865be449d8f4be427f1b56

SHA1
13b8d5fded187d1de7da36dc1db98659c942beb9

SHA256
c7960189d9df4a430c277738d487aaabc023bac86571cb00c5c1ca99737e0fcb

SHA512
61a0e6d2de0c480bf66ff66945c5b12875b3699379bf19d4d299811dd2ed0f5f876438df8325d022a63ef790b6ef47a45e3bbb0e99cbde99e3020218e2db4d57

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
a3cb06ca2953548a4c29a811186dc475

SHA1
f4b0991569a102694f9b658c470cc3a234cf9a0b

SHA256
ab7a408e5e2a4a9604b6778e836e93657838189ce08603c7d35715261ea08d29

SHA512
917eff59d3317cc58a68d24e572bf27c3b8101a5639fb8dd36c83f3ffb514b86498497c4274a40081c3c7d4dd61dffbd39226ed84a3e109d295f5f103a2458a5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
512KB

MD5
05243382934b17a13794c183a7b47f0f

SHA1
b1b8b0eb540ed0c97a94379b162f46fe95a4ba54

SHA256
2f34dde3affd9bd2d4aea019009c68bab1d88955ca94ad13633fb7d61277e548

SHA512
cbd7c975e7e09705ea6fd39fd512280a5b1c63ac5750689e7897d9ed971e5a9e5fa874a02eb55a82730991effae60b8be3435ed603fe894e7d7d74ff2b28b72f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
31a0b3779d4e1a856a2341ec875ac493

SHA1
beca2f3bb9b318b09cbfa1269eb0f8816e7136ca

SHA256
4915f56ddc7c97ca25b056feb6e7c3788c28ea7db751467375999ba4dad0e0cf

SHA512
ef8fcea98f5f692dcb40e7ff777bae95cd69c2dca53bf0416fd5d62ce70fdaa0aaef14752cc41bb052054f07a22890deef8fe779c219fe3f80cd803a48a1a992

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
4e5dd8fcb83d827e87ec05bb8faa7242

SHA1
4d6af0f69e5e84c0df0c067280c74546c7dc8cd7

SHA256
77b80c71934b0fcd271e21b19d4f3fade178813ba8bcf31a2892a75ef8202a9a

SHA512
4a4c5c9774cc96fabf4cb368487a3d97624eb147c60ddf52b8e01097f18ce156d62f0555b39a2402c9f177b9731f83ee264ef4fdb179590aa8b6f939ff473394

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
bf39ba3e844932109f3480ff3454ac24

SHA1
df009a63a28ab4d13a93874c48b54eacce6b97ab

SHA256
aabe3686f0faa46077a449b03b89317c0213853e7069cc0a38af8c5718942115

SHA512
a54975002f771299e1aead9ecae6d53d1de939f63f0c7a30776212bfc3e12fca746d45e98dcf3021e6e90f945f931a3462604909f66765e2c7d7bfcabe6f9ce9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
7bdf9e38ddae57be8b40de7b5a054c12

SHA1
13871b780fe98aae23f35e1a5fab26a510fa5c4e

SHA256
ccf08ecbecd709a56a058b21ef3226a90728be5cf9b49d10c5a58a6c7c6d34a2

SHA512
c8bd187b9175299916b2ac3ee6078ab78b9b07b142ebeb223575958072278eea9fe04bc0f1a499a8c8e3abc7c5bbc987788208174f6178f1bf9e384e58ffb780

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
bebcf44d4b2c596b596735b86ae55a2d

SHA1
e2425ba1e283ec91fd6c226e8d5d13e532c1fe97

SHA256
17ae34e0976114148936f6a70984ab48b1dcd62d4b357d24863281e1e342a8e8

SHA512
dc453bfb6e1dd278007574b3531d32aa40c108100e90b05e99f0db99095e49b4b3620071cdadf7c141d7e518291681ed757c0ef8a43c51c26441a752518abb24

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
892bd947fc91f251e3bff34f283e7f19

SHA1
15d9d94086f540ba174cd1d95945995542da9ec0

SHA256
b4008326c3b93064033073fdcc0bd87d4fafdf308180c4b902ab79bd99720f2e

SHA512
7678640ce24ac697a703bf473e822678e533608fbce8f43ce976b1c34001fdbcf190fd9275cdf1189552ffecd0cf568a47af33fc138afc410269c3cbf1dcec69

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
d9bf5e223db9fdcf01f411136bf5ffd5

SHA1
b370099f660fd713bbf36681838ac75580148645

SHA256
50cd115cf6969216848a170aeeac1e91afdf8af5ee3a4b38b2c0d07231172822

SHA512
ea6acdce7331233e3f9080d83685804605d511c2a902a52c7892df4ed8a55884441757970e8c0bba4bcbf42d44384f078fe2e539e5660d592af8a87674c647cc

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
82016e4d906c182acd11db9e2d4605fd

SHA1
1af87ebff0fc97cd819abd521740036f932592b5

SHA256
283524a19d6f74134133772e4e8d2e018d7a48857d7e9fa8ac142773304590f4

SHA512
53dac7d56e57c5c57bf217c5e28e63df2da893c42bab08bcf5dbd5a6116f7771c4e036c016f6ec365959fe3908efb73c4a371971b53171dc58944a701accf7e2

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
49e53556422415bae0fc07608fb4c7a3

SHA1
0f196fb15f2a905f6396e48ae5cf12067375cd5a

SHA256
5afc50d2664a23426ffa870a70f6dba12dffb237f22526b3995e0ca28ac13d3e

SHA512
f4e8543291780926d4b522a84bc707efa0f1bfa7a0fd6ac69ea70a93ca8077295dea67fec1b4a4cec0c095445b8f15fa19d99454defbc113d24aae131d9980b3

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
c6ca781055fd67b79b010168cca58a3d

SHA1
6d950b245b70c1772c79b394efa3acc2aa4981c4

SHA256
3f967079ed6f2ff918948bd05c03073482c562f81604b4f3dcae0697cb598e73

SHA512
a5f8a4805c835028fc5bcf33e02f8ba9f09f5a6536794b001380356bea697ee8cf764a2ae71195cf6484e5483296593cb601032d014362e4a2e9383e29236ab6

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
489ce57da0a71d56c1ae07b2edc01e17

SHA1
0b7cf93640a64473c2b7d3e85882ec69dfe30d47

SHA256
e2fbab71687411d9d3b06d1f7552c15429643d1710099ca57b110e5bbdc66094

SHA512
701e586b3164cb4322185c5d136a42bf376cb36103c9d4cca0a1cab4dd9297eb1c4cef4f27c818d9fcbdf54a77cf31c544fb3ac2a7775dacd2db0921509cbeb2

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
38c033da47958e3ebd7a103fb0e09e09

SHA1
b54da8999d4c15dae7c12d7ad4683f3d5ff2c23f

SHA256
7cdc38f69b65d9198f40fec8f16785d684165f1307636ac2179b5823e800ab29

SHA512
d6ba68519707600773d056d07004565013e6de92f74479a8c4ac08f09c447934adb47368b1bec4e31ef2d49eb772b2fe02346dcdbf193d9d65b529a4d78f62da

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
43fe4e9022d781094cc37f7840e7244e

SHA1
519161ca17128e37e29b4dc63e0349b3bf9f975f

SHA256
7f23d468842185a3204abb0acd2db9860f2225816a5ba8cfd550b7e806835649

SHA512
f9db7af19ff2f1de7a54279a098a357a6c3eb11ffb4acba57f33652744cec2a9a1944c85ff5d0c1a94ee981153a03eec4d0b5ddfe70cd685028e42772848eb8a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
128KB

MD5
1706c0c1046361f60a00d89dfb6f11e4

SHA1
89b98e5d4eb6b093ca727f64dd3043b051ceb479

SHA256
706eb463b2ba3550bd0b81173c235b63c41fb4b730ea6cf41650b10e70a75817

SHA512
33d3e51e05515dc13170a75e99e1552937bb351e25aaa26a3337581b7989a84540f74e220592643fcf6355440c91ad64719432aef3657ad70f8b118c0675d604

Download Submit
memory/600-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/600-135-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/600-112-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/600-198-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/600-114-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/600-122-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/776-102-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/776-98-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/776-94-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/776-165-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/848-126-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1156-229-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1156-230-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1156-216-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1156-210-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1156-204-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1468-172-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1468-166-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1468-162-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1468-171-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1468-173-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1468-161-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1556-189-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1556-215-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1556-201-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1556-200-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1556-214-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1964-227-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/1964-231-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1964-245-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1964-219-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1964-252-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-93-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2024-62-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2024-55-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2024-56-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2092-164-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2092-160-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-163-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2092-146-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2188-185-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-195-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2188-196-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-183-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2188-176-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2196-76-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2196-77-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2196-82-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2196-148-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2200-261-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-249-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2200-257-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2408-71-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2408-40-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2408-45-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2408-267-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2408-272-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2408-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2552-234-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2552-240-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2552-244-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-259-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2552-260-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2640-96-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2640-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2640-15-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2640-21-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2872-0-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2872-134-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2872-132-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2872-75-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2872-8-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2872-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3068-35-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/3068-28-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/3068-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3068-111-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download