Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23/02/2024, 11:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
Size: 14.5MB
MD5: 17512948ac977a49f9e8976a86873365
SHA1: 4251b97ea667160d8d27a4c66eee84cfc8d14a4f
SHA256: 1260d3b23e47b2ce5d9445e8e00c90ce36630e8cd6db057f56be10a857fb6589
SHA512: ae70137b427a9b8ca43e60855b848055f5626f204691c23e10bf90dc2345084afbfddbb0b98c42cf30c9927888770efb2ef746b157100ea338badd6cd83b287c
SSDEEP: 196608:RZ7dIzfYP++zRtUaYrXwr68+aghNu7XWyBOKl4lCmK2ouuqrR:HWz6oaYrXwr68yNu7XLBOU45d
Malware Config
Signatures
Detects executables packed with Dotfuscator (2 IoCs)
resource                                      yara_rule
behavioral1/files/0x0006000000015cb9-103.dat  INDICATOR_EXE_Packed_Dotfuscator
behavioral1/files/0x0006000000015cb9-114.dat  INDICATOR_EXE_Packed_Dotfuscator

Detects executables packed with SmartAssembly (2 IoCs)
resource                                      yara_rule
behavioral1/files/0x0006000000015cb9-103.dat  INDICATOR_EXE_Packed_SmartAssembly
behavioral1/files/0x0006000000015cb9-114.dat  INDICATOR_EXE_Packed_SmartAssembly

Detects executables packed with Yano Obfuscator (2 IoCs)
resource                                      yara_rule
behavioral1/files/0x0006000000015cb9-103.dat  INDICATOR_EXE_Packed_Yano
behavioral1/files/0x0006000000015cb9-114.dat  INDICATOR_EXE_Packed_Yano
Executes dropped EXE (64 IoCs)
Loads dropped DLL (36 IoCs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (18 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
2484  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
2484  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
1624  ehRec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2176 EhTray.exe
2176 EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
2176 EhTray.exe
2176 EhTray.exe
-
Suspicious use of SetWindowsHookEx 20 IoCs
pid Process
1476 SearchProtocolHost.exe
1476 SearchProtocolHost.exe
1476 SearchProtocolHost.exe
1476 SearchProtocolHost.exe
1476 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
2104 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exec:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=100.282.200 --initial-client-data=0x198,0x19c,0x1a0,0x194,0x1a4,0x1402d1680,0x1402d1690,0x1402d16a02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
\??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe"c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2484_HWEWRVITBBLVRQEX" --sandboxed-process-id=2 --init-done-notifier=548 --sandbox-mojo-pipe-token=12716142148990164446 --mojo-platform-channel-handle=516 --engine=22⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
\??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe"c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2484_HWEWRVITBBLVRQEX" --sandboxed-process-id=3 --init-done-notifier=808 --sandbox-mojo-pipe-token=14363932483825519225 --mojo-platform-channel-handle=8042⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2560
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2720
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1576
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2324
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵PID:2548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 23c -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"2⤵PID:1164
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 234 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 26c -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1f0 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 234 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:276
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"2⤵PID:1992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 280 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2504
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2452
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f0 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1164
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1f0 -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1f0 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 25c -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1f0 -NGENProcess 2b0 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 218 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 278 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 21c -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 21c -NGENProcess 240 -Pipe 218 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 240 -NGENProcess 298 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 250 -NGENProcess 2b4 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 21c -NGENProcess 284 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2ac -NGENProcess 2b4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 298 -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 21c -NGENProcess 258 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 258 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 25c -NGENProcess 258 -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 21c -Pipe 278 -Comment "NGen Worker Process"2⤵PID:1784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 270 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2396
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:3016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b8 -NGENProcess 250 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 25c -NGENProcess 250 -Pipe 2bc -Comment "NGen Worker Process"2⤵PID:2992
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1112
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2840
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:632
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2808
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2208
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2176
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2548
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2788
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1820
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2672
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:928
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:1992
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2240
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2520
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1780
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2012
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:516
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2576
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1524 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1476
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:676
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2104
-
Downloads
-
Filesize
555KB
MD5ec0088032bca3e0a9fdc83d0c0ac5ccd
SHA1b63ff1163665a86daa22a907ab6952901e87f2a8
SHA256ef4d4be7bb7a6f5bb422d5eadb242e620a2f640a2130eb46f504869c4fc8d213
SHA512be88809629032e477ec59afaa2c25d9489226041acb0c9e4860057df7e561833af3284385a0bcd5aa761b690995a01f23a791c49a2bc0424a576060b85e1c4d4
-
Filesize
1.6MB
MD5647e99b01f0aa66b78a44ea041b634c4
SHA14ab6f49691a986d6eb8acacf874770d1f032fd65
SHA256bff33546c92140758fc7b9f776a0ee893620794b034f11b90a638748b262a4e5
SHA51235fc10b5a35f62af7187a3de07d80221f9285818580a5ef4e095af7bb7589d15534769701c472a677cd1a06799fa2f6389387446ba2672603ccbc825cfa1632d
-
Filesize
1.5MB
MD5b036fb20d4c6f12ee600edfdeb941298
SHA164f112b68cf71c09bf5b7c83943c013bb6b444c9
SHA25611cb053bde5c7bad37e4c9cb293b206ac52381df03b7519ec1389db1fd44898f
SHA5121a9abde313c91852ea512b9edaa1bfd1efd2720eb534d8e5970c32df9233f82c0831be667dbdbcf092c1be717ea88fdcdc1d2bca82d7a3a131618c7408609532
-
Filesize
852KB
MD57ae24620a5d6ff476f3c1b4beceeb861
SHA16e9be018a7970b4c9b2987c7c79aaef2f8ec9b12
SHA256be6da8f50aab853b9cccf000fd8a0b261b6b7d91256eac43843b253dd0e8345a
SHA51212f8ea342d428976a2e0bd5abe0e16f28077d4dd03db9687270ccc90c7477a6ba646afece7eea7c779a3b78dfa68930e765b6334c069200a45e9d1957d110a3f
-
Filesize
1.2MB
MD5380e545264fc0a0e1f29cc17b50542a2
SHA1c8832702c7e9d2a276506b15efd17ec6b0a025ed
SHA2565b79034c644588dbed5eb22ed0b788c6e8cfb85877d60d83dde39e37015a5445
SHA512fcab87d48a94d10a12e34420a36f37a33ae11d7e762e072f67fed46d79a7ef5ba8ff9261115a068a0a0ccd636be91d38744f8e087fb669e3190bd7a32c20f5c1
-
Filesize
131KB
MD5004484bbafa2431da936ae32e17237b8
SHA1c92ae67d735ea84d7575c1ffb3ef9facbff21920
SHA256c76e775d56a59a20bea5bf2ad73980ee1840128576e7ad9ac54ebd166b295d31
SHA512416b9acc79679fdeabacc832029a8a8c22ac44d862e0dacaec4ad2a1aebf0f5468df84c3a565e91cb6d8ac852c5dc4c5e45ba39046bf32b2cfd8ff2aa5efaa8e
-
Filesize
65KB
MD5c5491a5981b27a5975376cf01005a965
SHA12acf49d1086fececf045cf0828c6d058ca90568b
SHA256cb4fffdb4596d7be17873984b066c62c64054a593512b52571732a786df61984
SHA5127ac0253be15a2f9575b671a028a9c5148199d57fc7126c34bfe7e0852742c81a6a7595f353b60f25196472aaef6b38c11bf4cb99ae27c7aeae37d0357575474c
-
Filesize
1.5MB
MD504ce5fe51839e33d1917b6e1ac20726c
SHA1c045a8377cfdb84fef4f92dfc2ad3d777c0e8a3b
SHA2561f3a748f291dc8979d0a696f6333dfbe5f116de6ce11120223f98b402f6088b9
SHA512000aeec2148194d2ec13bf7c33fd7dbd1637b4ce6300862e8a2c04c00ff5ff4092feb70bf9f1b6c1aeee1c169097febc60c53a472ff21672cd2cfb52e45de241
-
Filesize
164KB
MD5021d1b687962d75f933aabdd3e076da0
SHA1304beccc537cd8b2963bf1b87785ca34de0b42b0
SHA2569c287c6ab8782302555ee6a7051e1269236aa9eacff6e946bdb23959f2b59118
SHA512c5ae9d4eb2f721edd42a30b2272e511ed2a72c653ae5c554bb5cb3123084b178a45f2746fb104842f76b64af53e9d6d33e78bd18474ecd9c712f5ed367861d62
-
Filesize
896KB
MD5833872bdb7aaa41ca3e4544c9345b662
SHA1c8f876e87bef1c780c27ce2b9258d7c6b5264039
SHA25626d6b5a82d49e4c8c674b9bcad17d2905f3daae009f44bc2d280f60236abe0a1
SHA51261a6c3c6a086912d8348aec03617dad79d2a033dba7b20b1479e539458076c9a53bc024030e7dc40666a4deebc2b5541f3ca724c531b8d2b784a4d3c99ae7cf7
-
Filesize
8KB
MD59ac6f34f726484157b38ba012edbb1c2
SHA1123d85183ec1548acc4ac7be152502f71c6c8b97
SHA256783951c977f7b177a2102c9491a8d7c763db4f8bade364a112eeb815f8da70b2
SHA512e66b015fd98317beec69a03c8ec7607aa95eefbb9805403f8b0f14e1c7e1d3478225bcfe647cfb409ff1cb2d8c2645a638bf1d0db22e53c5306332b15686221f
-
Filesize
595KB
MD5e7aba3172537b39829736ca6747aa634
SHA14bd54f2d3b4f092141e8eb32f0e97ab34e1c25b2
SHA2569b2e154c2bce4e808d368add0ce4ff49dc0e776c9d2f500200ebf3656170b35b
SHA512df149c8a955400b5b518c6aca354c48f0f8b1fdb5b611ba9460ea374ec2409643e07d819870d0ee2bb17ff068d2b16d64a9a59077d7eb1dde563cbf74dc528ec
-
Filesize
640KB
MD59edd90e75d04dbfd64b9ca31d02d1564
SHA14356dec82b3ffd5c5f683511b9b73d1d73cd556f
SHA2569a7533c166d817d580efb7c161e0c8bfeb27280ac1b3c59597171240030fb4b4
SHA51254b350c77a979305c409f98857543ca215ff4dc0c2b624c5c539bf99b23ef32d591f6caadbc45be55b8793265b10f1c70234f35d649d894d72604d56fab40941
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
Filesize
1.2MB
MD5d63351016c2956d84d404c5b532b5917
SHA163bb01fe424d2b90f3767411b830d5f516ae8887
SHA256b7b49356879aa2fd82835a81c6ee90277224fdf2bd56ed321ebdf8f8bfde6254
SHA51210a918528587214fe72fda8ec5e226fbf91a367f21b4e01e1c24763bd3d4beeb5543feb4b8faa71a859506ad60851c0ffb6788cdbb8ec208d424a1e96e828dd3
-
Filesize
1.6MB
MD53c8923c1dc5e412e30078f75d7450b56
SHA158ff78fe0c37d6989d5632adb158b3fcd195eb30
SHA256cb453fc8763b47ffe7f72ac97d18fe75a784e6729c9163b7380fcf2003b05375
SHA5121135f18b94ec5e62ad74feada08020faea9fe1b1eb09b2e7fdfca47f3bc63c466654432a6ae2b17d617d472778f9fd6401d58ce865a8aaee14c342996c355d1f
-
Filesize
40B
MD5e6e4c95a9b05f1d25dfb6f3df31ba7cc
SHA159f19700154df3ec28d0c5115383777e9b886cc3
SHA25631cfb62645baa25cfd89408f28b12054176495e20f8a944ea977054f4e53134b
SHA51297cfab3af46303a9cfab087d111999606153316eb22099ba33e5568fc6b3c3629359c3a9654216ba2a619e7efd2bfa4256bed40d760bc072624a5f4746599d56
-
Filesize
92KB
MD5d222ab81ed320a76477a62b03e0a4db4
SHA17aac6c305348c88a5f610ce06d5de0312be04ecb
SHA256418e7fb7e0a06852f38a06924bfba52cbab07498e9a2ad55243bceee8cf069c6
SHA51270f1f62649c5600966c274d53751e38b05321514262fbb26780351be1fb6d9c02ea4354d66a8306649b9f5afad3a480bbfcc6bdf8ff55bf4625c94d01430cefd
-
Filesize
77KB
MD5d4672115d8156d024d545ffbb223aea3
SHA17888462c92c7a0f622736364e265bc1ce3eafecc
SHA256f6e41b65ee68a7877d84913f5e28042dd8f1937e887bbfe4b7f838c3a0a4fa19
SHA512a5d73a73cecc8880b4dc18305567bc70f87f84f8fdc458605a8f103d7dab297b87b2a6fd63484cf4bea349d4d1ea2788523838d468e0e017ab6577b5a3b61aaa
-
Filesize
158KB
MD5dbd0b0d05a1f751ae46da8084c030126
SHA1f17cc9c28ce7cff87984d6d1e3dd9731841d54dd
SHA256dc1748db073a0bb128a335a024e3663f2f98634f6f4e6860dce1075e9d4e0da3
SHA51264c8c3d016f85b4ce1125b0a1c6de5d809706f95e05ad266361b03c7ddfa08c6f63407dc4833eb6a572958c6d70e1b4ff1d01c1a747266a16f3b0004e7e51380
-
Filesize
126KB
MD5f9aecc8545f2566a0b8176f7c8319179
SHA14d3b83fd68ac58308c647908086af5cd2d0ac687
SHA2568fe424f1d82b67c4cab87eed37b00503e04643efd78a26f9de13f635ca6e53e6
SHA51288dbc6b25e1646928acab4110ea3d0ae5b8f5c3acd4151a979c6da512be1dbd50a2d5faeda79c741c8072dc0e949342cac267e3f5acef2d689d09cc4491c34f9
-
Filesize
139KB
MD56bf0bf84f77523afa7a4c7fb95dde422
SHA11bfb7c686b7dcf25d5f5e1418394691fe5592469
SHA256eb64973bf8bb31e29652deaeb3ee4caebb55eae3506fe3769eb66f657f736d46
SHA5123149907681d92858e1cfadb8e3d34872ac67586a491c8fae1a7dbd443d5a194fde1b0ce16c9103ecd8edd04e6b34b8e5712ad9143ced2627797513ca53517577
-
Filesize
176KB
MD5065322740e91a223e07b018fb57c3e9c
SHA1b0beb24a37cbe46111446eba01e1641df545943f
SHA2560f03d30655da31770278a634f70d9151700e6b06339ea57db5ead33acd4a3125
SHA512def8127ebce7465d447412f936e12ba69e0b3543b5eff2ee786c9dc87249589565de007b906b3afba674bdeb73b52be571ac266182cea550049cb99617750bf2
-
Filesize
36KB
MD5d0cf72186dbaea05c5a5bf6594225fc3
SHA10e69efd78dc1124122dd8b752be92cb1cbc067a1
SHA256225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907
SHA5128122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285
-
Filesize
160KB
MD5d4e6f08c4ab4e19aa199bb4a36e4b147
SHA1f86d177d0bb8ae1241329dcfac0b096ae67b32d4
SHA25644e66de7e37c20a537f80e3675d88ecb05d03318abddf4834017847907a0e153
SHA5128ae2e7e5127bed745005fdef803aeb3626619a08a9d5027ae2331688d3009b19fcb66e74503ac2ce298a277d7b49f63246fc67fe6107f54c1dc3b4a643896485
-
Filesize
249KB
MD59e114800a96210f0a0275c3cb77d2f36
SHA1d10b990a840cb092a6fe71a548d7681d8f9b93e6
SHA2569bc1746976378db6eb459b670b61caaad03f4be78109eedc6f9ebd1fe64b759f
SHA51274f49f74f53eb12b1c282ee216ff194e33c425f1aa4a96b4c53d59c2b1036b7981630ef7c0b1cd192ae514f16f8f7185abb378e72317c33044ddf578255682bc
-
Filesize
183KB
MD50de13ac073daf8b1aa1083f272ff3df4
SHA1bd4d342254a6d0199c6af4ab56f4b88cd268b4b6
SHA256a5342cada87366ba13d79fa1e58ca4af68887e6bf10e164a9b1ce35ea12b87f1
SHA5125fd5e660e4e06dd72b3f1f2f4f89c0f4013eb415f889c685b2b232a71b057b38003ac2335b484aa8c62b9392c96f959dee728506082143b503798a83a9527111
-
Filesize
166KB
MD58ade19fbba084cf416d1fa2fb59e193f
SHA1afb9b7329ad29e37914948ff915c2ff72dedd8b0
SHA2563c8aa0fc8c579edb516d9ac1cc55f7d2a7f820eff72e55190e3a7714967fa581
SHA51273f3b151d97057287cc4f32df624a5f3a322621353ce34172c2aa895304cbfe501e6f021fc329e77cbe3bd2e940f24a03ffc39c5943ccb125edbcd16c4e9fe40
-
Filesize
339KB
MD5aac2061cefd3c7b357c73da18697b8ab
SHA1ad79a732e63f6bbf8295a96453bd14ddcbdcfb29
SHA256ba3c3a8f449f5478ed1c37c183969fa401174c19401b9d73d67edfce7a3f711b
SHA5129b202389b1cbbaa873f3930300e88dd28e90e03d684c3cddb6c312d8438b02eebe3a780187975c476b9465cd93fa35844d2ca8e664381ce1dc7ec051e00bc585
-
Filesize
595KB
MD5f72d5f8b88335e08dc080ad7bf4080ff
SHA198f4a04f31253173203cbf3160bb782d29a2a1ec
SHA25696400a7d84db357f8924b50c51830ed2b5bb2a4d729f27ac6cf048b0d4b5f3d3
SHA5122244a60110cf4b0f95f37ebc095d08aa05b38c367d424af8040422bd62716f6a02f88226126c5a5cd5de558cf342b8259df2e277129fb6af777f4090d0a0f373
-
Filesize
1.4MB
MD5f7304a590273966b7b6bcc98e601dfb8
SHA1ea3ec0e77919ef3c8fd11a1277829812aa08970c
SHA2561f61edcfa59d2f863c3b7befb268d4cff826cec36befc38fc28b9e30181b0ca0
SHA512fa8223c31017159db807ba912b52707285bab5efa20f0c2d9bb194fe1c5fc127bce8cf189461040c75975d984dc011915146d4e70565002e80b8cde6b2a0bd0d
-
Filesize
1.6MB
MD5930af300922d5096cce292d9c6cab655
SHA19c488a007275a780d2219c58c7eeffcffbc705e8
SHA2565437f218805d6cb53dd712b7f5175489b88b7f618d610ecdf0a46eb541d36d16
SHA5128de5fd07af5336d11cf1b5e53b9a6e84a3be90650fd456e76dfa1ff2be78648333b3079e4fa39991fb346b7f616a67b07a712f3b0911521a53cc329ffccc466d
-
Filesize
771KB
MD562dacb577f5586cefbd43f2b7034fd6a
SHA113966a09f90dc1eb9938987d2335d4ef8c8712a0
SHA256b4164d13be2a13ebe1fd2dd4e6f469b40d226ad71ccccfc39ad0f5b30cbd97a0
SHA5120a3b3cb17f1226bec53a90bcb964cddda790f26476e8152e81d89ca9d2cb7be10c1ad125dce27757397baecaad31f638a1ca72db59215fe70963c4f32507f4ab
-
Filesize
896KB
MD5be7da5e028be26d20f783bf2a4369ef0
SHA17447d35c2829238ea15188aa80cf0922ad14d4b2
SHA256bc6d2a5ac867e5ce2cdca5e7eb2deaa19d693332fe08363ab2012f850ee1afa7
SHA5120492a0ade37d5ca379c09c5352b1cfb9e1e146baea70fe9aa9946ae18a177661dc75b25027dbc1b600ccad26645c1afcc33c64998bf4c2a293d9293eec9aa194
-
Filesize
1002KB
MD5e03614622db2364058214fa22a9d34dd
SHA18e614fc59409f4c7da71383db238a3c45db357e3
SHA2566cfe7dc311b1d6d59ed8af713871b92a676a3a5227a1957ac965cb9c17f2ad67
SHA5121a1a7245869ad078530615c3ab617c5c66474bede3e4399220bbe11f958bf0b0315f89449053bb9aed40b7f21fb53a5ede93790694eb14a3ddccc50aea294ce4
-
Filesize
1.4MB
MD527d0410971d87a2e2a879864d4477aae
SHA129368bebd5ba689c4d2f01ec83af90259527970a
SHA256b1177b98ea52a430b7bd4ac4d66995a9451bce9e4604be9f5472aa24fedbeadc
SHA512baa179bdf5a3e5198049082121e7f9ab8324b1b06481862115789617973ecfc996c31c70e86721379863490633c34ce4e0034558b6c7562cbf422fe238dc8241
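The dropped-file listing above is only useful for detection once it is turned into checked records. The parser below is an added example written for this report, not tooling from the sandbox vendor: it reads the extraction as it appears on this page (entries separated by `-`, an optional path line, a `Filesize` value either fused to its label or on the following line, and hash lines whose algorithm label is fused to the hex digest), rejects digests of the wrong length, converts sizes to bytes (binary units assumed), and buckets each entry by path. The three sample entries are copied from this listing; the category names, the choice to keep the `NativeImages_v2.0.50727_32` entries (the .NET 2.0 native image cache written by NGEN, i.e. mscorsvw.exe) out of the exported indicator set, and the malformed input used in the usage are assumptions of the example.

```python
"""Parse a flattened sandbox 'dropped files' listing into checked IOC records."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex digest lengths; a digest of the wrong length is truncated or mislabelled
# and must not be shipped as an indicator.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
SIZE_RE = re.compile(r"^([0-9.]+)\s*([KMG]?B)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # binary units assumed

# Constructed sample: three entries copied from this report's listing, one per
# path category, kept in the fused form exactly as extracted.
SAMPLE = r"""
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
535KB
MD51d5a0e49f89743009ca141c2717114d2
SHA1a0cd9efc18ba35ac393934c3254a464b3e1fddf0
SHA256db22b382bb84366f74a5084bb7c80e70dd53cc50893cf736c8e3159ed5a237c1
SHA512e00cc71ac70318ba68d4322677db7bd6efc30dc40478c005340d4ad6a9e0925532403e5fd335feed225a5fbc39409d458ddcb0a697228721e675074fa24d3dcd
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
"""


@dataclass
class DroppedFile:
    path: Optional[str]
    size_text: Optional[str]
    size_bytes: Optional[int]
    hashes: Dict[str, str] = field(default_factory=dict)
    category: str = "no_path"
    problems: List[str] = field(default_factory=list)


def classify(path: Optional[str]) -> str:
    """Coarse triage bucket by path (bucket names are this example's own).
    NativeImages_* is the .NET native image cache written by NGEN (mscorsvw.exe),
    so those entries are reviewed apart from files written under the user profile."""
    if path is None:
        return "no_path"
    p = path.lower()
    if "\\windows\\assembly\\nativeimages_" in p:
        return "ngen_cache"
    if p.startswith("c:\\users\\"):
        return "user_profile"
    return "other"


def split_hash_line(line: str):
    """Return (algo, digest) for a label-fused hash line, else None.
    A label is accepted outright only when the remainder has that algorithm's
    length, so a SHA1 digest that starts with '256' is not read as SHA256;
    otherwise the longest matching label wins and the length check later
    records the problem instead of silently dropping the line."""
    for algo, length in HASH_LENGTHS.items():
        rest = line[len(algo):]
        if line.startswith(algo) and len(rest) == length and HEX_RE.fullmatch(rest):
            return algo, rest.lower()
    for algo in ("SHA512", "SHA256", "SHA1", "MD5"):
        rest = line[len(algo):]
        if line.startswith(algo) and HEX_RE.fullmatch(rest):
            return algo, rest.lower()
    return None


def parse_size(text: Optional[str]) -> Optional[int]:
    """'24B' -> 24, '535KB' -> 547840; None when the size is absent or unparseable."""
    m = SIZE_RE.match(text) if text else None
    return int(float(m.group(1)) * UNIT[m.group(2)]) if m else None


def _finish(cur: dict) -> Optional[DroppedFile]:
    if not cur["hashes"] and cur["path"] is None:
        return None
    rec = DroppedFile(cur["path"], cur["size"], parse_size(cur["size"]),
                      cur["hashes"], classify(cur["path"]))
    for algo, length in HASH_LENGTHS.items():
        digest = rec.hashes.get(algo)
        if digest is None:
            rec.problems.append(f"missing {algo}")
        elif len(digest) != length:
            rec.problems.append(f"{algo} has {len(digest)} hex chars, expected {length}")
    return rec


def parse_listing(text: str) -> List[DroppedFile]:
    records: List[DroppedFile] = []
    cur = {"path": None, "size": None, "hashes": {}}
    expect_size = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # entry separator
            rec = _finish(cur)
            if rec:
                records.append(rec)
            cur, expect_size = {"path": None, "size": None, "hashes": {}}, False
        elif expect_size:                     # size value split onto its own line
            cur["size"], expect_size = line, False
        elif line == "Filesize":
            expect_size = True
        elif line.startswith("Filesize"):     # fused form, e.g. Filesize24B
            cur["size"] = line[len("Filesize"):].strip()
        else:
            h = split_hash_line(line)
            if h:
                cur["hashes"][h[0]] = h[1]
            else:                             # anything else is the path line
                cur["path"] = line
    rec = _finish(cur)
    if rec:
        records.append(rec)
    return records


def ioc_lines(records: List[DroppedFile], skip=("ngen_cache",)) -> List[str]:
    """SHA-256 indicators for well-formed entries, leaving out buckets that are
    sandbox-side noise rather than content the sample wrote."""
    return [f"sha256:{r.hashes['SHA256']}" for r in records
            if not r.problems and r.category not in skip]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        print(r.category, r.size_bytes, r.path or "(no path)", r.problems)
    print("\n".join(ioc_lines(recs)))
    # Constructed malformed entry: truncated digests are reported, not exported.
    print(parse_listing("-\nFilesize1KB\nMD5abc\nSHA1deadbeef\n")[0].problems)
```

Entries without a path (the sandbox did not extract one) are still exported because their digests are complete; entries with any length problem are not, since a truncated hash matches nothing in a real dataset and would only produce a dead indicator. The `Filesize` parser handles both shapes seen on this page and returns None rather than guessing for anything else.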