Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/03/2024, 06:27

Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Resource: win7-20240221-en

General

Target: 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Size: 14.9MB
MD5: 5734d50c97440228b4c75215158acce8
SHA1: b5dca39ada6f38faf78524e9aed127a59a830330
SHA256: ccd7ef01fa9f0989de6065f729efdec5bb7715378bbaa21c98813642d731778c
SHA512: ea0dc9e79ea20bcbc2c089f61aef0c20243bf50a1f9a4539a23a2462da41a8c71e45eac3f6baa48efb0869fe57044062b69edd2e70b5a5530e5780abbb69b8b6
SSDEEP: 196608:E7AP/NNECwHrc8u3x3AEcq/fByuKlWH3CTouXG:Ea/vQHrc8u3xXJ/f4uUWHW
Malware Config
Signatures
Detects executables packed with Dotfuscator (2 IoCs)

resource  yara_rule
behavioral1/files/0x0006000000016cfb-94.dat  INDICATOR_EXE_Packed_Dotfuscator
behavioral1/files/0x0006000000016cfb-105.dat  INDICATOR_EXE_Packed_Dotfuscator

Detects executables packed with SmartAssembly (2 IoCs)

resource  yara_rule
behavioral1/files/0x0006000000016cfb-94.dat  INDICATOR_EXE_Packed_SmartAssembly
behavioral1/files/0x0006000000016cfb-105.dat  INDICATOR_EXE_Packed_SmartAssembly

Detects executables packed with Yano Obfuscator (2 IoCs)

resource  yara_rule
behavioral1/files/0x0006000000016cfb-94.dat  INDICATOR_EXE_Packed_Yano
behavioral1/files/0x0006000000016cfb-105.dat  INDICATOR_EXE_Packed_Yano
Executes dropped EXE (64 IoCs)

pid   Process
468   Process not Found
2548  alg.exe
2496  aspnet_state.exe
1464  mscorsvw.exe
2276  mscorsvw.exe
2816  mscorsvw.exe
2536  mscorsvw.exe
1148  dllhost.exe
900   ehRecvr.exe
1700  ehsched.exe
2592  mscorsvw.exe
2868  elevation_service.exe
2936  IEEtwCollector.exe
2424  GROOVE.EXE
344   maintenanceservice.exe
2820  msdtc.exe
1448  mscorsvw.exe
2136  mscorsvw.exe
2512  mscorsvw.exe
756   mscorsvw.exe
1672  msiexec.exe
2900  mscorsvw.exe
2292  mscorsvw.exe
2240  mscorsvw.exe
1552  mscorsvw.exe
2184  OSE.EXE
2304  mscorsvw.exe
2680  mscorsvw.exe
2584  mscorsvw.exe
2884  mscorsvw.exe
2468  mscorsvw.exe
2804  mscorsvw.exe
1736  OSPPSVC.EXE
1812  perfhost.exe
2552  mscorsvw.exe
1552  mscorsvw.exe
1460  locator.exe
2036  mscorsvw.exe
2888  mscorsvw.exe
2564  snmptrap.exe
820   mscorsvw.exe
2624  mscorsvw.exe
2328  mscorsvw.exe
1160  vds.exe
2788  mscorsvw.exe
1600  mscorsvw.exe
2648  vssvc.exe
1984  mscorsvw.exe
280   wbengine.exe
560   WmiApSrv.exe
1924  wmpnetwk.exe
268   SearchIndexer.exe
2348  mscorsvw.exe
1688  mscorsvw.exe
2084  mscorsvw.exe
2796  mscorsvw.exe
1488  mscorsvw.exe
1348  mscorsvw.exe
2996  mscorsvw.exe
2084  mscorsvw.exe
2668  mscorsvw.exe
1828  mscorsvw.exe
1364  mscorsvw.exe
2440  mscorsvw.exe
Loads dropped DLL (36 IoCs)

pid   Process
468   Process not Found
2464  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
2464  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
2464  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
2464  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
2464  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
2464  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
2464  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
468   Process not Found
468   Process not Found
468   Process not Found
468   Process not Found
468   Process not Found
468   Process not Found
468   Process not Found
1672  msiexec.exe
468   Process not Found
468   Process not Found
468   Process not Found
468   Process not Found
468   Process not Found
740   Process not Found
1488  mscorsvw.exe
1488  mscorsvw.exe
2996  mscorsvw.exe
2996  mscorsvw.exe
2668  mscorsvw.exe
2668  mscorsvw.exe
1364  mscorsvw.exe
1364  mscorsvw.exe
2124  mscorsvw.exe
2124  mscorsvw.exe
1108  mscorsvw.exe
1108  mscorsvw.exe
2540  mscorsvw.exe
2540  mscorsvw.exe
Checks installed software on the system (1 TTPs)

Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (18 IoCs)

description  ioc  Process
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\dllhost.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\System32\msdtc.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\System32\vds.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\wbengine.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  GROOVE.EXE
File opened for modification  C:\Windows\System32\snmptrap.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\97cdda049a3c2c1c.bin  aspnet_state.exe
File opened for modification  C:\Windows\system32\msiexec.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\locator.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\vssvc.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\System32\alg.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\IEEtwCollector.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  SearchProtocolHost.exe
Drops file in Program Files directory (64 IoCs)

description  ioc  Process
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\ktab.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Internet Explorer\ieinstal.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\jabswitch.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\policytool.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\tnameserv.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\keytool.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\java.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File created  C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log  maintenanceservice.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\klist.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\javacpl.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\unpack200.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\kinit.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\javaw.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\ssvagent.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jre7\bin\jp2launcher.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Drops file in Windows directory (64 IoCs)

description  ioc  Process
File created  C:\Windows\assembly\ngenlock.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log  mscorsvw.exe
File created  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{811235C1-AA50-47A3-AEEC-3F3CD2CC6941}.crmlog  dllhost.exe
File created  C:\Windows\assembly\ngenlock.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat  mscorsvw.exe
File created  C:\Windows\assembly\ngenlock.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File created  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat  mscorsvw.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65A6.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll  mscorsvw.exe
File created  C:\Windows\assembly\ngenlock.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8102.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll  mscorsvw.exe
File created  C:\Windows\assembly\ngenlock.dat  mscorsvw.exe
File created  C:\Windows\assembly\GACLock.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\ngennicupdatelock.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat  mscorsvw.exe
File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{811235C1-AA50-47A3-AEEC-3F3CD2CC6941}.crmlog  dllhost.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6AD4.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll  mscorsvw.exe
File created  C:\Windows\assembly\GACLock.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat  mscorsvw.exe
File created  C:\Windows\assembly\ngenlock.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat  mscorsvw.exe
File created  C:\Windows\assembly\ngenlock.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP79A3.tmp\Microsoft.Office.Tools.v9.0.dll  mscorsvw.exe
File created  C:\Windows\assembly\GACLock.dat  mscorsvw.exe
File created  C:\Windows\assembly\GACLock.dat  mscorsvw.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe  2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\ngennicupdatelock.dat  mscorsvw.exe
File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7050.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll  mscorsvw.exe
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock  mscorsvw.exe
Modifies data under HKEY_USERS (64 IoCs)

description  ioc  Process
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"  ehRec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"  ehRec.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"  SearchProtocolHost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"  ehRec.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  SearchIndexer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform  OSPPSVC.EXE
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  SearchIndexer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008015cf05a276da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"  SearchProtocolHost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"  ehRec.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."  SearchProtocolHost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"  ehRec.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"  SearchProtocolHost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"  ehRec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\  wmpnetwk.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"  SearchIndexer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"  SearchProtocolHost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"  ehRec.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000014aa06a276da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"  SearchProtocolHost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"  ehRec.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."  SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
- 1556 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- 1556 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- 2652 | ehRec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
- Token: SeTakeOwnershipPrivilege | 1556 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: 33 | 3060 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: SeIncBasePriorityPrivilege | 3060 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: 33 | 1556 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: SeIncBasePriorityPrivilege | 1556 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: 33 | 2464 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: SeIncBasePriorityPrivilege | 2464 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: 33 | 240 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: SeIncBasePriorityPrivilege | 240 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: 33 | 3068 | EhTray.exe
- Token: SeIncBasePriorityPrivilege | 3068 | EhTray.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeDebugPrivilege | 2652 | ehRec.exe
- Token: 33 | 3068 | EhTray.exe
- Token: SeIncBasePriorityPrivilege | 3068 | EhTray.exe
- Token: SeRestorePrivilege | 1672 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 1672 | msiexec.exe
- Token: SeSecurityPrivilege | 1672 | msiexec.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeBackupPrivilege | 2648 | vssvc.exe
- Token: SeRestorePrivilege | 2648 | vssvc.exe
- Token: SeAuditPrivilege | 2648 | vssvc.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeBackupPrivilege | 280 | wbengine.exe
- Token: SeRestorePrivilege | 280 | wbengine.exe
- Token: SeSecurityPrivilege | 280 | wbengine.exe
- Token: 33 | 1924 | wmpnetwk.exe
- Token: SeIncBasePriorityPrivilege | 1924 | wmpnetwk.exe
- Token: SeManageVolumePrivilege | 268 | SearchIndexer.exe
- Token: 33 | 268 | SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege | 268 | SearchIndexer.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2536 | mscorsvw.exe
- Token: SeShutdownPrivilege | 2816 | mscorsvw.exe
A bare "Token: 33" is a privilege LUID the sandbox did not resolve to a name; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h, which is why it is always paired here with SeIncBasePriorityPrivilege. The entries worth attention are the ones that are not routine for the image enabling them: SeTakeOwnershipPrivilege on the sample (PID 1556) running from %TEMP%, as opposed to SeBackupPrivilege/SeRestorePrivilege on vssvc.exe and wbengine.exe, which those services enable in normal operation.
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
- 3068 | EhTray.exe
- 3068 | EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
- 3068 | EhTray.exe
- 3068 | EhTray.exe
Suspicious use of SetWindowsHookEx 25 IoCs
pid | Process (×N = identical consecutive rows)
- 1064 | SearchProtocolHost.exe (×5)
- 1816 | SearchProtocolHost.exe (×19)
- 1064 | SearchProtocolHost.exe (×1)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (×N = identical consecutive rows; procid_target is the target's row number in the process list, not a PID)
- PID 1556 wrote to memory of 3060 | 1556 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe | 28 (×3)
- PID 1556 wrote to memory of 2464 | 1556 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe | 30 (×26)
- PID 1556 wrote to memory of 240 | 1556 | 2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe | 32 (×26)
- PID 2816 wrote to memory of 2592 | 2816 | mscorsvw.exe | 42 (×4)
- PID 2816 wrote to memory of 1448 | 2816 | mscorsvw.exe | 50 (×4)
- PID 2816 wrote to memory of 2136 | 2816 | mscorsvw.exe | 51 (×1)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
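Added here as a worked example (it is not part of the report and not the sandbox's own tooling): a small Python parser for the two flattened IoC tables above, "Suspicious use of WriteProcessMemory" and "Suspicious use of AdjustPrivilegeToken". The records it reads are copied from those tables and the PID-to-image mapping from the process tree; the list of high-value privileges, the user-writable path markers and the severity rule are this example's assumptions. The point it shows is that the same API pattern means different things depending on where the acting image lives: mscorsvw.exe writing into its own NGEN workers and vssvc.exe enabling SeBackupPrivilege are routine for those services, while the sample from %TEMP% writing into three copies of itself and enabling SeTakeOwnershipPrivilege is what needs a look.

```python
import re
from collections import defaultdict

SAMPLE = "2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed input: records copied from the two tables above, still run together
# the way the page renders them (the full tables hold 64 records each).
WPM_TABLE = (
    f"PID 1556 wrote to memory of 3060 1556 {SAMPLE} 28 "
    f"PID 1556 wrote to memory of 2464 1556 {SAMPLE} 30 "
    f"PID 1556 wrote to memory of 240 1556 {SAMPLE} 32 "
    "PID 2816 wrote to memory of 2592 2816 mscorsvw.exe 42 "
    "PID 2816 wrote to memory of 1448 2816 mscorsvw.exe 50"
)
TOKEN_TABLE = (
    f"Token: SeTakeOwnershipPrivilege 1556 {SAMPLE} "
    f"Token: 33 3060 {SAMPLE} "
    f"Token: SeIncBasePriorityPrivilege 3060 {SAMPLE} "
    "Token: SeShutdownPrivilege 2816 mscorsvw.exe "
    "Token: SeDebugPrivilege 2652 ehRec.exe "
    "Token: SeRestorePrivilege 1672 msiexec.exe "
    "Token: SeBackupPrivilege 2648 vssvc.exe "
    "Token: SeRestorePrivilege 2648 vssvc.exe"
)
# PID -> image path, taken from the process tree for the PIDs used above.
IMAGE_PATHS = {
    1556: TEMP + "\\" + SAMPLE, 3060: TEMP + "\\" + SAMPLE,
    2464: TEMP + "\\" + SAMPLE, 240: TEMP + "\\" + SAMPLE,
    2816: NET4 + "\\mscorsvw.exe", 2592: NET4 + "\\mscorsvw.exe", 1448: NET4 + "\\mscorsvw.exe",
    2652: r"C:\Windows\ehome\ehRec.exe",
    1672: r"C:\Windows\system32\msiexec.exe",
    2648: r"C:\Windows\system32\vssvc.exe",
}

# Columns: description | pid | Process | procid_target (target's row in the tree, not a PID).
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Privileges worth a second look when an untrusted binary enables them (assumption).
HIGH_VALUE_PRIVS = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
                    "SeBackupPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege"}
# A bare number in the table is a privilege LUID the sandbox did not resolve;
# 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}
# Directory markers treated as user-writable (assumption of this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_wpm(text):
    """Return (writer_pid, target_pid) pairs in table order, duplicates kept."""
    return [(int(w), int(t)) for w, t, _pid, _img, _row in WPM_RE.findall(text)]


def parse_tokens(text):
    """Return {pid: set of privilege names}, resolving the bare LUIDs we know."""
    privs = defaultdict(set)
    for name, pid, _img in TOKEN_RE.findall(text):
        privs[int(pid)].add(LUID_NAMES.get(name, name))
    return dict(privs)


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(wpm_text, token_text, images):
    """Rate a finding 'high' when the acting image lives in a user-writable directory
    and 'info' otherwise. The API call alone is not the signal: vssvc.exe enabling
    SeBackupPrivilege or the NGEN service writing into its own worker is expected,
    the same behaviour from a binary in %TEMP% is not."""
    findings = []
    for writer, target in sorted(set(parse_wpm(wpm_text))):
        sev = "high" if is_user_writable(images.get(writer, "")) else "info"
        findings.append((sev, "wpm", writer, target))
    for pid, names in sorted(parse_tokens(token_text).items()):
        hits = tuple(sorted(names & HIGH_VALUE_PRIVS))
        if hits:
            sev = "high" if is_user_writable(images.get(pid, "")) else "info"
            findings.append((sev, "priv", pid, hits))
    return findings


def high_findings(wpm_text, token_text, images):
    return [f for f in triage(wpm_text, token_text, images) if f[0] == "high"]


if __name__ == "__main__":
    for finding in triage(WPM_TABLE, TOKEN_TABLE, IMAGE_PATHS):
        print(*finding)
```

On the full report the writer of every "wrote to memory" record is either PID 1556 (the sample, into 3060, 2464 and 240) or PID 2816 (the .NET optimisation service, into its worker processes); only the first group rates "high" under this rule. The same path heuristic is what keeps the many SeShutdownPrivilege rows of mscorsvw.exe out of the result entirely, since that privilege is not in the high-value set.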
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe (PID 1556)
    cmd: "C:\Users\Admin\AppData\Local\Temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    \??\c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe (PID 3060)
        cmd: c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x190,0x198,0x19c,0x194,0x1a0,0x140325960,0x140325970,0x140325980
        - Suspicious use of AdjustPrivilegeToken
    \??\c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe (PID 2464)
        cmd: "c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1556_XHRKEZZUXORYQBTW" --sandboxed-process-id=2 --init-done-notifier=520 --sandbox-mojo-pipe-token=11914248813871943899 --mojo-platform-channel-handle=488 --engine=2
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
    \??\c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe (PID 240)
        cmd: "c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1556_XHRKEZZUXORYQBTW" --sandboxed-process-id=3 --init-done-notifier=700 --sandbox-mojo-pipe-token=3841402923561764732 --mojo-platform-channel-handle=696
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe (PID 2548)
    cmd: C:\Windows\System32\alg.exe
    - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 2496)
    cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    - Executes dropped EXE
    - Drops file in System32 directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 1464)
    cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    - Executes dropped EXE
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 2276)
    cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    - Executes dropped EXE
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2816)
    cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2592)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1448)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2136)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2512)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 756)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 240 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2900)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2292)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 26c -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2240)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1552)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2304)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2680)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2584)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2884)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2468)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2804)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f4 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2552)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 290 -NGENProcess 274 -Pipe 1dc -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1552)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 1f4 -Pipe 278 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2036)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2888)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 820)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 274 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2624)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 27c -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2328)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 27c -NGENProcess 264 -Pipe 2a0 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2788)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 29c -NGENProcess 2a8 -Pipe 27c -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2348)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 1fc -Pipe 2a0 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1688)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 28c -Pipe 260 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2084)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 28c -NGENProcess 1f0 -Pipe 1ec -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2796)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 240 -NGENProcess 220 -Pipe 258 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1488)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c8 -NGENProcess 1f0 -Pipe 26c -Comment "NGen Worker Process"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1348)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1f0 -NGENProcess 244 -Pipe 220 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2996)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2b4 -NGENProcess 1c8 -Pipe 248 -Comment "NGen Worker Process"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2084)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d8 -NGENProcess 264 -Pipe 1f0 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2668)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 28c -Pipe 1c8 -Comment "NGen Worker Process"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1828)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 254 -NGENProcess 284 -Pipe 1d4 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1364)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 29c -Pipe 1fc -Comment "NGen Worker Process"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2440)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 28c -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2124)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 28c -NGENProcess 24c -Pipe 29c -Comment "NGen Worker Process"
        - Loads dropped DLL
        - Drops file in Windows directory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2224)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 274 -NGENProcess 1f4 -Pipe 2b4 -Comment "NGen Worker Process"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1108)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
        - Loads dropped DLL
        - Drops file in Windows directory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2912)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 2a4 -Pipe 1f4 -Comment "NGen Worker Process"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2540)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 2b8 -Pipe 274 -Comment "NGen Worker Process"
        - Loads dropped DLL
        - Drops file in Windows directory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 820)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2b8 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1820)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b8 -NGENProcess 254 -Pipe 294 -Comment "NGen Worker Process"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1976)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 254 -NGENProcess 264 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 2536)
    cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 1600)
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
        - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 1984)
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 240 -NGENProcess 1d8 -Pipe 1e0 -Comment "NGen Worker Process"
        - Executes dropped EXE

C:\Windows\system32\dllhost.exe (PID 1148)
    cmd: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    - Executes dropped EXE
    - Drops file in Windows directory

C:\Windows\ehome\ehRecvr.exe (PID 900)
    cmd: C:\Windows\ehome\ehRecvr.exe
    - Executes dropped EXE

C:\Windows\ehome\ehsched.exe (PID 1700)
    cmd: C:\Windows\ehome\ehsched.exe
    - Executes dropped EXE

C:\Windows\eHome\EhTray.exe (PID 3068)
    cmd: "C:\Windows\eHome\EhTray.exe" /nav:-2
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\ehome\ehRec.exe (PID 2652)
    cmd: C:\Windows\ehome\ehRec.exe -Embedding
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2868)
    cmd: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    - Executes dropped EXE

C:\Windows\system32\IEEtwCollector.exe (PID 2936)
    cmd: C:\Windows\system32\IEEtwCollector.exe /V
    - Executes dropped EXE

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 2424)
    cmd: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
    - Executes dropped EXE
    - Drops file in System32 directory

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 344)
    cmd: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory

C:\Windows\System32\msdtc.exe (PID 2820)
    cmd: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory

C:\Windows\system32\msiexec.exe (PID 1672)
    cmd: C:\Windows\system32\msiexec.exe /V
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 2184)
    cmd: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 1736)
    cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

C:\Windows\SysWow64\perfhost.exe (PID 1812)
    cmd: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE

C:\Windows\system32\locator.exe (PID 1460)
    cmd: C:\Windows\system32\locator.exe
    - Executes dropped EXE

C:\Windows\System32\snmptrap.exe (PID 2564)
    cmd: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE

C:\Windows\System32\vds.exe (PID 1160)
    cmd: C:\Windows\System32\vds.exe
    - Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 2648)
    cmd: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (PID 280)
    cmd: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe (PID 560)
    cmd: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe (PID 1924)
    cmd: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\SearchIndexer.exe (PID 268)
    cmd: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\SearchProtocolHost.exe (PID 1064)
        cmd: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
        - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\SearchFilterHost.exe (PID 1232)
        cmd: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
        - Modifies data under HKEY_USERS
    C:\Windows\system32\SearchProtocolHost.exe (PID 1816)
        cmd: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of SetWindowsHookEx
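Added example (not from the report or from any vendor tool) that runs the process tree above through two checks a practitioner would apply by hand: a command line carrying Chrome crashpad/sandbox-style arguments (--crash-handler, --use-crash-handler-with-id=, the clients2.google.com crash-report URL, a "Software Reporter Tool" database path) on an image that is not installed under a Google directory, and a binary in a user-writable directory that relaunches its own image, which in this tree is the sample at PID 1556 spawning PIDs 3060 and 2464 (and 240, omitted below). The records are copied from the tree, with parent PIDs taken from its nesting; the marker list, the expected Chrome install roots and the user-writable directory markers are assumptions of this example. The NGEN entries are included to show why the second rule is qualified by path: mscorsvw.exe also relaunches its own image, from C:\Windows, and must not fire. The \??\ prefix on the child images is the NT object-manager form the sandbox prints for them, so the comparison normalises it away.

```python
SAMPLE = "2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
LTEMP = r"c:\users\admin\appdata\local\temp"   # lower-case form used in the child command lines
NT_TEMP = "\\??\\" + LTEMP                      # NT object-path form the sandbox prints for child images
NET4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
CHROME = r"C:\Program Files\Google\Chrome\Application\106.0.5249.119"

# Constructed input copied from the tree above: (pid, parent pid, image, command line).
PROCESSES = [
    (1556, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (3060, 1556, NT_TEMP + "\\" + SAMPLE,
     LTEMP + "\\" + SAMPLE + r' --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool"'
     " --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil"
     " --annotation=ver=107.294.200 --initial-client-data=0x190,0x198,0x19c,0x194,0x1a0,0x140325960,0x140325970,0x140325980"),
    (2464, 1556, NT_TEMP + "\\" + SAMPLE,
     '"' + LTEMP + "\\" + SAMPLE + r'" --use-crash-handler-with-id="\\.\pipe\crashpad_1556_XHRKEZZUXORYQBTW"'
     " --sandboxed-process-id=2 --init-done-notifier=520 --sandbox-mojo-pipe-token=11914248813871943899"
     " --mojo-platform-channel-handle=488 --engine=2"),
    (2816, None, NET4 + "\\mscorsvw.exe", NET4 + "\\mscorsvw.exe"),
    (2592, 2816, NET4 + "\\mscorsvw.exe",
     NET4 + '\\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"'),
    (2868, None, CHROME + "\\elevation_service.exe", '"' + CHROME + '\\elevation_service.exe"'),
]

# Argument fragments characteristic of Chrome's crashpad handler and sandboxed children
# (lower-case; matched case-insensitively). Assumption of this example.
CHROME_ARG_MARKERS = ("--crash-handler", "--use-crash-handler-with-id=", "--sandboxed-process-id=",
                      "--mojo-platform-channel-handle=", "clients2.google.com/cr/report",
                      "software reporter tool")
# Where a Chrome or Software Reporter Tool binary is expected to be installed (assumption).
CHROME_IMAGE_ROOTS = ("\\google\\chrome\\", "\\google\\software reporter tool\\")
# Directory markers treated as user-writable (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def normalize_image(path):
    """Fold case and strip the \\??\\ NT prefix so a child's image compares equal to its parent's."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def chrome_markers(cmdline):
    low = cmdline.lower()
    return tuple(m for m in CHROME_ARG_MARKERS if m in low)


def is_user_writable(path):
    return any(marker in path for marker in USER_WRITABLE)


def audit(processes):
    """Return (rule, pid, detail) tuples for the two patterns described above."""
    tree = {pid: (ppid, normalize_image(img), cmd) for pid, ppid, img, cmd in processes}
    findings = []
    for pid, (ppid, image, cmd) in tree.items():
        markers = chrome_markers(cmd)
        if markers and not any(root in image for root in CHROME_IMAGE_ROOTS):
            findings.append(("chrome-args-outside-chrome-path", pid, markers))
        parent = tree.get(ppid)
        # Same image as the parent is normal for multi-process software (Chrome, NGEN);
        # it is only interesting when that image sits in a directory the user can write.
        if parent and parent[1] == image and is_user_writable(image):
            findings.append(("relaunched-own-image-from-user-path", pid, ppid))
    return findings


if __name__ == "__main__":
    for finding in audit(PROCESSES):
        print(*finding)
```

Against this input the audit reports both rules for PIDs 3060 and 2464 and nothing for the genuine Chrome service at PID 2868 or for the NGEN worker at PID 2592. On a live host the same two rules would be applied to Sysmon event 1 (process creation) fields, where the image path and command line arrive already separated; the crashpad pipe name in the 2464 command line also embeds the PID of the process acting as handler, 1556, which here is the sample itself rather than a Chrome browser process.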
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: ecc1fbf9def6bf0384a31a2dc280246e
  SHA1: dff0b3d3cfa35f17fd5d0b31a39051decb2d5de6
  SHA256: b0bdc224d58daf7e6231de6fc6f9b42afe37132f824de2434e240b059416930d
  SHA512: 3ff6764173ffa38b63b0b898737da56860ad7a5537a186a9953db4d7a912917b1e1a68e5e02e94cb84902ac352b363ad921eca779cb6e24aaefe44d5945dcc72
- Filesize: 30.1MB
  MD5: e6aa4dbc17a755df116bfd4ac5d35ca5
  SHA1: 052e6d62c3f538f88e852bd339791d7f2459a1f5
  SHA256: fde84144ffeb3eecd5422ce3a35cb0ee25e440dc919a5f4e58e6c621faf49d29
  SHA512: 7ad820fbb0da41b797a7b4890d752bb7cdd68982bca4af29272169140705c192deedb00db27269243984eecfa0ca3106d111438f7f54f65d9d2ecca286af69e5
- Filesize: 2.7MB
  MD5: 2be31cced31057718fe0154076da4fc5
  SHA1: d6518365100fdff851049f4d77b64b5bdded1cc2
  SHA256: 0c2bf6fe8535cd98b1f49505aee0c37400861cdc94540e6dfa93835c2633158f
  SHA512: f380a52fe6cd406565b2c0d4af542e030f370645847a0ef02c533acafc0afe48f21837b1292e878baa4c3802957f93e2acc483fb3aca1feaa011453f030cc630
- Filesize: 1.4MB
  MD5: 18f0cff9cee07418a6e635c4782288ed
  SHA1: 67100183443982e78101a64970a7aa2c7b9e6fa1
  SHA256: a3032ab475dbc1e7138ecece2927304792ffe6556e2958b509403a06f96c692c
  SHA512: bbbe77909d106da8c9feb0cf15afa2d91e12fa5c571959dd5635552c40e22ef5256d9f5284ad5aefe5238aed126e1ac1c38f82dc5968aec960137bf23eacc7a5
- Filesize: 5.2MB
  MD5: 94f12f85e7c264d29d6d9fddb6ab419e
  SHA1: 7db5b770b02c2866ad4277f373fa906a6a6d4f42
  SHA256: ff9932b402aaa8e08a71bca079f65b7135c1ac73691acc4532c1aca49a10efcf
  SHA512: 840f68ba430fe85eeade0c1804635f50b17cb799963da2f6681674666666249b633b776cb419cffcbf01ef31459e665e3364817ef249a2a9b8ab1d1b749073c7
- Filesize: 2.1MB
  MD5: 87a2d56f473fa2bd0d02ef87b518184f
  SHA1: 9ac7cbc3208095486e615a088fbb08fb9e50b3ff
  SHA256: 24637012361525381ba4f037f96334517747d1df15aa73f47f7a20a27af44111
  SHA512: e393325fb7b6978d07bc368b092610490d45ab109a28c13545073a5e642782ab713a316498f0700225c2f9d99ffea1d74f9d141b1c76be9f6a1da2360febb679
- Filesize: 1024KB
  MD5: 0b3a7eb6c9f30115d74e509f2e72821e
  SHA1: 9a1e5718d56ccad808b035f7b54f4b67a3d1ee55
  SHA256: 5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499
  SHA512: 33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171
- Filesize: 2KB
  MD5: d84721c2c58bea873983483bfdad9c33
  SHA1: 5f0e0634bb8c09b8e3509a6e801f8dfc0a9aaac3
  SHA256: bf23d06465e9289e0c5a0aac975f0f7f1d93944ab455f0477037bbd737e910d5
  SHA512: cfb188998a8a7bda1e27221db95018136433a98890052d6cfd9a89e424067f74ce03469cd14a4897290f5f6e549b73fb6367a88f5864e50246cf8d4510fb02b1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
  Filesize: 24B
  MD5: b9bd716de6739e51c620f2086f9c31e4
  SHA1: 9733d94607a3cba277e567af584510edd9febf62
  SHA256: 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
  SHA512: cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
- Filesize: 872KB
  MD5: 91adfa179a3d1b64c78005cc575c3294
  SHA1: 6b50269cb9144b8276734cf3c09dc91bf5bbbf03
  SHA256: 67ac898d6b6e9c3fc8a46310fa26ee997ba49467521e8a615f99788603f4ff16
  SHA512: 1a45486a015bee0c7f14ce8036f67dbd4c0fc4cd3c4adef8ac9b66649a0d28b63cbe1bf4b39f7c1e1df55dcc5f3cb288737ead7aef7e7eb2883f002c4e4dd4f0
- Filesize: 1.3MB
  MD5: e5981f1616b1c0bd6a3d0f68d3b54eed
  SHA1: 6c93be13b1fcf3b34b6107ec36fc0150fa2a7abe
  SHA256: c2f254f706d19b30e3dde5c84cea519e024ad33efcb3737ced3c5859834d45bf
  SHA512: b444fd9901a1d281e403f97c47d1ea96d0e53c7fe0d9e099f41ba89bee431015689e4097907b3deda78a79e337b15070623d3044dfec478410ebc884c1ffe9c0
- Filesize: 1.3MB
  MD5: b2881ec01449823941a30bde0121328c
  SHA1: 33fbd3afaa30f84f6aec5985057997569837c54c
  SHA256: 4482749f77f7db849220c11ae393feb774b42e80e27dc0e12cf07b20c4f57bba
  SHA512: 4ffb17ef173222e29b238f1fcd86ae091a39a47acacb949104f17016ca3e862a8525e793ba3004e7e99d8cf960d2ba69a960ac92eac8d106aec038543abd0cea
- Filesize: 1003KB
  MD5: 42db034892a7b555f3bbad100d7a772e
  SHA1: e0dde5283b8e4fc71dbbcb63a6be57a610a70967
  SHA256: 3dd56e81a5cc5d012b9c586b805a90bc9bcfc599a5521057415abcf563d6d973
  SHA512: 5e584ca5d7f53b672582030676985a2c0f31946a0f5eb77f8802498dcfc9aa1e310ea756319fdb312a00c12926bfc7a2b4e69b09b2e37a3784682999c2b837e5
- Filesize: 1.3MB
  MD5: 38a72a1b5b977d1527495d316c2ef748
  SHA1: 63384bd4950e9ff6082bfa24fefe5d07795126aa
  SHA256: f35aba6b9cd037b7341f9551a7226debbfebf11af452bca6e99400a318322dab
  SHA512: 0d146c5b48b258ab12762a70fbae8b6466822a2b48c375baa37aecddf00f23f97ee266988b431013efcc25346a3558fa1bb25d4f346235e64033ce446c594b50
- Filesize: 1.1MB
  MD5: 282a394b8dbafd80421f9953375abbbf
  SHA1: 7a8d55c6e74f31dac772bdcf136b0bde556cdbf2
SHA256d08c6beb63d759746a5d359135ec65fa4bacd7f466fb8f9dcef599c500758bd7
SHA5125a460c6093c7f227ef5d0b5d9290650bfb30d6de3e750b376d0eb7e813be036107e6a477c18701a19620bb54a2e83984783abf2868484840d6a46aa528a51660
-
Filesize
8KB
MD569045e71f77b244d210b6ceec0ae4389
SHA1dcd029ab1711029e96d84fde62c004971a256455
SHA256717a908c73bef473c41dbd5200b42daf3934cb48034949f087134c56a9532fef
SHA512bdb4daf06be3498715093a035025077a8d96b9ead4214463efbdaf66299a80a30b1ab67e10b6c5f1b11cd0494b585c37abdbbb9e9f3f1a687aad2cb3f1a5de93
-
Filesize
512KB
MD503b052bb182126c7e813a0a106cf340a
SHA1614ec683319e8d9a7cb1a80c4465cc2aef021eac
SHA2563df7f384f3cff8d6ad0f1024526ba0aebd75e539f54eb803cc6323a063021840
SHA5121c2013999610af57f521d07b12cee14d7ec9a800c6ec33440650225ffd142589916069456348e3b816c136b67f7a0924ebc0880ab7b411164e3402d7c91fa589
-
Filesize
1.3MB
MD5ba3e78efd7f4b213cad7aed379cf142a
SHA16bc663dc7b11b9bf9281d5692a309437b77d71e4
SHA25644d95d8b7a5c7201e5f47ced997db5e5835a6ef86dae00b467ffefc9047c32a5
SHA512c14fd35bd426319c5694f666cad0f1db18f5f8e2684a44118066fa7a20fdd2cf8af7049c109f5d9878f6de388dae2de2419a215e1f8ff18bfb0e67535c389dbe
-
Filesize
1.3MB
MD58b82719c350ed20ca905cdde4c02f756
SHA103f0588d39673c0868576123f3f66dd6dbe8180b
SHA2565f16018091d802cbb354c4739638f6908a876360916dfe91e095dcbebdc2d9f1
SHA512019d3f37125d376fbedd64ec8e8faa55b4a96c01fa3aabd4d321f09dc79e428c5d0fbf18e5e5ca9c036569bc74f37f2f6228d6f3ad68d93386bb3657e601f4cc
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
Filesize
40B
MD5199324858902dbde2c74840ef663091c
SHA1516c5ce5389a3320bcb58186a7da6ad1e30e5a5c
SHA256d99e9a40b8730636b8d9f24cb34d4509f67d7194d5e15d4e6adc854b736dbf40
SHA51276cf4ccf2576ef995f0ed3c5abddf92c6cf268a566f596d111f18b0774d42b0b2dda811b53399e6f12490b8bae0cb9181214937100354fc6aba229c8b40a9d79
-
Filesize
37KB
MD5f8b7cac6e9587baabf4045c34890c7ce
SHA161814262c6ee5ceaab2c0263c913cae52e203af7
SHA2568b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30
SHA5124f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211
-
Filesize
1.9MB
MD5467f5a59d227ce7bdbac8637f3e15327
SHA12768b20104e91b7d8181658ea21241707b4b9289
SHA256b1462fee2eac699ab0e5c1fb698f80878e5ffd454f55c80704d1593f2a966e92
SHA5129fa450772dc9c3fb9823dd331d9437eaab6c9c6c3d206fa19d380952775507a0e046ff7a68d6bec7a7bf16a34e1cd2fa35aa33db3f2996700211f310092e7dfc
-
Filesize
1.3MB
MD57f3e3ab3e7f714da01ec0f495982e8d4
SHA1a6cdec146f2eb192460d3d3061baf4a7ead6ee22
SHA256ebfeeac7733a77a1e32995d638d67d2e05eefdbb62782053d8354959e046d0fa
SHA512493b6db2193cd91e95f0963b9ad898a2040c2abcf1b4a509e5a4d53980c95ec030b412e180c26a1bd504e4c839ef5b7e3b6f08878ec11cefa531157ef0f6368b
-
Filesize
576KB
MD5472ace3ec1c0594a5f890bb7ea80d933
SHA1ca5b635e21bdcfeb330b14985e34f42c6a41a198
SHA2564d567c9e23fd43ce3a24e3eadeca73ca1c2faffa9ecc466b22667212267c1e08
SHA5129cc9441c633360dbce9629f1250342947d2cd7d3f6a32ad6d039d64cfd2364190daaca9271ff07eb0c6336ffdd2d6c43b9fa1719600449cb0ac565fb08b83ebf
-
Filesize
449KB
MD579d7f318441c21d17739e43990697d1d
SHA19683265bf401d11313b768dfc4b3aeb10015d18c
SHA2560ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970
SHA51267c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595
-
Filesize
378KB
MD57adcb76ec34d774d1435b477e8625c47
SHA1ec4ba0ad028c45489608c6822f3cabb683a07064
SHA256a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d
SHA512c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4
-
Filesize
704KB
MD5e826fcdf44cf9d7c8cdc70eb4a3b9103
SHA169165f9fc35633cea4b90e129234d93a51182bd1
SHA256dec9a00fbe148a0f072e2f6a8ebe5632de70a27724919e97cec5b5931ae3ba3d
SHA5123ac0c9873387e9ba249b7abd388a3448df4aaea10591a4b8e61f8d4dab3b3341bbc58efcdc1c5b62aa86eb819123ddf8763e38a89834c17762deaa161add5aea
-
Filesize
704KB
MD5e74fa2306c8553a6acfcbda79f253f74
SHA14fbcde39ccb7e1bbec21c685e1ff392445a5958e
SHA2568f365ece690e6855852b33142c4bca7573d17ff45a7fb9128d6d8460c7f3d42b
SHA512d4f2489ec0c1244f958e578dba659db3699ee8b6e717fbc4a2b3a3d23c2c1ee0bd67811f7dc0211e95fda2b23176748c0fe480fd2d8afe2bc633c9c967a46df8
-
Filesize
704KB
MD5b6b4dda275ca19f9cd7ceb7d9f18ce22
SHA1855d829622f31cd3046dd7f6fd8767bb3109152f
SHA2560d581675db21e89de7a0a412e9bbf6bac78d2a785ceedbde30e2e5cbd508db9a
SHA5123b9b9a80f35745850e3b99916956e3a5b9b38bb9dee9707799b445a3453027a46cab37f84473c22e383847e8e5350c78948b18622f87602f95da3e3f9f90fae2
-
Filesize
576KB
MD5169a2ef320119891cf3189aa3fd23b0e
SHA1de51c936101ef79bbc0f1d3c800cf832d221eef8
SHA2561072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780
SHA5127fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca
-
Filesize
1.3MB
MD51af377c9bd5a0ba7b3d46c79f3ac75ba
SHA15abc1793eebca9ad6a28265f4c6998681517fb4b
SHA256d0f0a45ef8682e52d6d16a7fa9f15b519807ff18f4f9e4f17efe9c87a8eea3c7
SHA512162cc495a7b8f4d2c5774e91801163d016c09efe959f015ecb58f6994a29039623d39824e1d9b3b773ff8e654b124eeaf72ea540452ef0be73693509ebbbb362
-
Filesize
1.3MB
MD5152c5475733ef6693e6b31d62d0f242a
SHA1bf5b51e1aeb5fde22c10d8e59a2c3b8554a6726e
SHA256e81166b407ed8953f2c356d8448cbeaf5629045ca540edf79e99ae74c664cf8b
SHA51229d48342737d976487e71a4c79ca62c666a876295deb81b93b405f6e100607565bd02c18f3294354ee93fd42b488523a6a133ee343c3c68ff900791a92459deb
-
Filesize
704KB
MD5d3baf1bba7f248144a7498c6faf5035a
SHA179df107591e905b1f2b0eb7727f56016d30a2a4b
SHA2564e635d22737526a0c8335468a18ddbf31350b14680e5a049f51600e8bf0edc52
SHA51218a55a48cf4dc995f7fddee609bc4fb042b268c59a72d7f9c5c8be9b575c0957eda3e32cb32014053de8f411614ca3b03d68f549d09f7a6cad76f26cf50e011a
-
Filesize
1.2MB
MD5c1def8cc2b1b018bce35ee47934baac8
SHA1006e6c9e573f36dcd9091a30dc6dcb7949a5000d
SHA2568c9f8c5478b87cc3ae094547cbd63b1195ada1ff03d7112836040d70d2617dad
SHA5128ef9d175525eace655ca3094ba7b8a3e896edba288608f925b9e3b3f90a8ee3c2460bcd8e188e02229aaea627af89d069106cd0d965c651912caca75413fc76f
-
Filesize
1.4MB
MD5715a9f00aa014581f57e908f666d6767
SHA12e143dfef6954ecd7f27c0eb77aed2ff7bc65e4d
SHA2562900e3f2719d855fe787008e7fea6fb4591228e760acc79e3d5f8c166102c795
SHA512d4f3f448f319e19597d4d8c3b8944af9b96bc950a1a38f424e4a85c2e93dd1872d4b6050b8c6ac1924bb0775e35bdeb28068c44c48aef075680af7ec91d99490
-
Filesize
1.2MB
MD54b887bc68f5fa6540021d1f1b7046b14
SHA19f0ed294a9c1a86f3a370e335a91de8d2779ec49
SHA2568ecd661a4af52ba2a37050b9114393161feffe90585a2c6fbe2238003e8b0eb7
SHA51212afd4fb87ef5705ee16c3ffade8027fe547d2ea0b3f642f1db040b78f3d86e19798d058bb3dab1b0384e1abecdde575d353a64f12cf832b1734cd0c3ee006b7
-
Filesize
1.3MB
MD538fb432cd5b4d44c8f496fe7e1742bbf
SHA197784755e5afb4e02b968f60a7479b64392adeb5
SHA2567989165bc69ec0871bf50cb2907e202fd2031b4ec7be1910f3049b987920565f
SHA51270fc80a770126e7357e95084e7bd5c8ca323b3b1bd8b53fc85c62b0085ba51c233e0a93110b036e7de62fb87d255a44d9bce7ec160bca583a45c137fa8e5b900
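A dropped-file list like the one above is only useful once it is machine-readable: a blocklist, a batch hash lookup, or a YARA hash rule all need clean digests. The parser below is an added example, not part of the sandbox report or of any sandbox vendor's tooling. It accepts both layouts that survive text extraction (label and value on separate lines, and label fused to value such as "MD5b9bd716d..."), and it flags any digest whose length or alphabet is wrong so a mangled hash never reaches a blocklist. The sample input is two entries copied from the report above plus a third, constructed variant of the 8KB entry with its MD5 truncated and its SHA512 dropped, to exercise the check.

```python
"""Parse the dropped-file hash list of an extracted sandbox report into IOC records.
Added example; not part of the sandbox report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
# Hex length of each digest; anything else is a copy or extraction error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: Optional[str] = None          # None when the report omits the path
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def split_label(line: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'MD5b9bd...' or 'Filesize24B' into (label, value); value is '' when
    the value sits on the next line. If several labels could prefix the line,
    prefer the one whose remainder has the right digest length."""
    candidates = [(lab, line[len(lab):]) for lab in LABELS if line.startswith(lab)]
    if not candidates:
        return None, None
    for lab, rest in candidates:
        if lab in DIGEST_LEN and len(rest) == DIGEST_LEN[lab]:
            return lab, rest
    return max(candidates, key=lambda c: len(c[0]))


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
        return
    if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) != DIGEST_LEN[label]:
        rec.problems.append(f"{label} digest malformed: {value}")
    rec.digests[label] = value.lower()


def parse_report(text: str) -> List[DroppedFile]:
    """Entries are separated by a lone '-' line; a path line, if any, comes first."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    pending: Optional[str] = None  # label whose value is on the following line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.path or cur.size or cur.digests:
                records.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending:
            _assign(cur, pending, line)
            pending = None
            continue
        label, value = split_label(line)
        if label:
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        elif WIN_PATH_RE.match(line):
            cur.path = line
        else:
            cur.problems.append(f"unrecognised line: {line}")
    if cur.path or cur.size or cur.digests:
        records.append(cur)
    return records


def sha256_iocs(records: List[DroppedFile]) -> List[str]:
    """SHA-256 values of records that parsed without problems, in report order."""
    return [r.digests["SHA256"] for r in records if not r.problems and "SHA256" in r.digests]


# Sample input: first two entries copied from the report above; the third is a
# constructed variant of the 8KB entry (MD5 truncated, SHA512 dropped).
SAMPLE = r"""
Filesize
2.7MB
MD52be31cced31057718fe0154076da4fc5
SHA1d6518365100fdff851049f4d77b64b5bdded1cc2
SHA2560c2bf6fe8535cd98b1f49505aee0c37400861cdc94540e6dfa93835c2633158f
SHA512f380a52fe6cd406565b2c0d4af542e030f370645847a0ef02c533acafc0afe48f21837b1292e878baa4c3802957f93e2acc483fb3aca1feaa011453f030cc630
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
8KB
MD569045e71f77b244d210b6ceec0ae43
SHA1dcd029ab1711029e96d84fde62c004971a256455
SHA256717a908c73bef473c41dbd5200b42daf3934cb48034949f087134c56a9532fef
-
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in recs:
        print(r.path or "(path not given)", r.size, r.digests.get("SHA256"), r.problems)
    print("clean SHA-256 IOCs:", sha256_iocs(recs))
```

The length check matters more than it looks: in this extraction the label is glued to the digest, so a "SHA1" line whose digest happens to start with a digit, or a hash that lost characters at a line wrap, would otherwise be accepted silently and shipped as a bad indicator.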