ac161fd470b57cffd65840abd891d0ab93483388cbcb7da0bab55399ccfd914c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
Size

1.1MB
MD5

69cc16c17e367ee83149f83638a9ef6c
SHA1

b3291aea4c1495c0d839f8627e3239739d36cb19
SHA256

ac161fd470b57cffd65840abd891d0ab93483388cbcb7da0bab55399ccfd914c
SHA512

88c05aae513aab474fdbedd2407f8e3d778266fcaafd054e0eede13fac05dd3b6ef5d7001c3897052fbb5bf2d2d8b7ec97f66bc2fce620015bad60e0a6024da0
SSDEEP

24576:HSi1SoCU5qJSr1eWPSCsP0MugC6eT0t/sBlDqgZQd6XKtiMJYiPU:PS7PLjeTO/snji6attJM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2852	alg.exe
2552	aspnet_state.exe
2428	mscorsvw.exe
2596	mscorsvw.exe
2936	mscorsvw.exe
1572	mscorsvw.exe
2712	ehRecvr.exe
1160	ehsched.exe
2084	elevation_service.exe
1836	IEEtwCollector.exe
1656	GROOVE.EXE
1132	maintenanceservice.exe
2256	msdtc.exe
1664	msiexec.exe
2628	OSE.EXE
2864	OSPPSVC.EXE
1608	perfhost.exe
1452	locator.exe
1668	snmptrap.exe
2208	vds.exe
696	vssvc.exe
1308	wbengine.exe
1808	WmiApSrv.exe
2896	mscorsvw.exe
1948	dllhost.exe
1716	mscorsvw.exe
2136	mscorsvw.exe
1420	mscorsvw.exe
1940	mscorsvw.exe
2204	mscorsvw.exe
2772	mscorsvw.exe
1704	mscorsvw.exe
564	mscorsvw.exe
1708	mscorsvw.exe
2756	mscorsvw.exe
1676	mscorsvw.exe
2620	mscorsvw.exe
1180	mscorsvw.exe
1104	mscorsvw.exe
564	mscorsvw.exe
2356	mscorsvw.exe
2840	mscorsvw.exe
1848	mscorsvw.exe
1692	mscorsvw.exe
2440	mscorsvw.exe
1688	mscorsvw.exe
2132	mscorsvw.exe
2580	mscorsvw.exe
2620	mscorsvw.exe
2584	wmpnetwk.exe
2240	SearchIndexer.exe
1592	mscorsvw.exe
2136	mscorsvw.exe
1476	mscorsvw.exe
1676	mscorsvw.exe
2724	mscorsvw.exe
1204	mscorsvw.exe
3060	mscorsvw.exe
1812	mscorsvw.exe
1232	mscorsvw.exe
1444	mscorsvw.exe
2328	mscorsvw.exe
1588	mscorsvw.exe

Loads dropped DLL 35 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1664	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
736	Process not Found
2724	mscorsvw.exe
2724	mscorsvw.exe
3060	mscorsvw.exe
3060	mscorsvw.exe
1232	mscorsvw.exe
1232	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
1028	mscorsvw.exe
1028	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
1096	mscorsvw.exe
1096	mscorsvw.exe
1040	mscorsvw.exe
1040	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7fd1d256fe8faa.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8575.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP77FD.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP756E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA1CB.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8066.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8A74.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7BC5.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050a926a0f090da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\isoburn.exe,-350 = "Disc Image File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{A79152E2-54E1-4FE8-BC43-E8DEEE38C22A}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1648	ehRec.exe
2552	aspnet_state.exe
2552	aspnet_state.exe
2552	aspnet_state.exe
2552	aspnet_state.exe
2552	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2328	2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: 33	484	EhTray.exe
Token: SeIncBasePriorityPrivilege	484	EhTray.exe
Token: SeDebugPrivilege	1648	ehRec.exe
Token: SeRestorePrivilege	1664	msiexec.exe
Token: SeTakeOwnershipPrivilege	1664	msiexec.exe
Token: SeSecurityPrivilege	1664	msiexec.exe
Token: 33	484	EhTray.exe
Token: SeIncBasePriorityPrivilege	484	EhTray.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeBackupPrivilege	696	vssvc.exe
Token: SeRestorePrivilege	696	vssvc.exe
Token: SeAuditPrivilege	696	vssvc.exe
Token: SeBackupPrivilege	1308	wbengine.exe
Token: SeRestorePrivilege	1308	wbengine.exe
Token: SeSecurityPrivilege	1308	wbengine.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeDebugPrivilege	2852	alg.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2552	aspnet_state.exe
Token: SeDebugPrivilege	2552	aspnet_state.exe
Token: 33	2584	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2584	wmpnetwk.exe
Token: SeManageVolumePrivilege	2240	SearchIndexer.exe
Token: 33	2240	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2240	SearchIndexer.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
484	EhTray.exe
484	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
484	EhTray.exe
484	EhTray.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1752	SearchProtocolHost.exe
1752	SearchProtocolHost.exe
1752	SearchProtocolHost.exe
1752	SearchProtocolHost.exe
1752	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2896	2936	mscorsvw.exe	53
PID 2936 wrote to memory of 2896	2936	mscorsvw.exe	53
PID 2936 wrote to memory of 2896	2936	mscorsvw.exe	53
PID 2936 wrote to memory of 2896	2936	mscorsvw.exe	53
PID 2936 wrote to memory of 1716	2936	mscorsvw.exe	56
PID 2936 wrote to memory of 1716	2936	mscorsvw.exe	56
PID 2936 wrote to memory of 1716	2936	mscorsvw.exe	56
PID 2936 wrote to memory of 1716	2936	mscorsvw.exe	56
PID 2936 wrote to memory of 2136	2936	mscorsvw.exe	57
PID 2936 wrote to memory of 2136	2936	mscorsvw.exe	57
PID 2936 wrote to memory of 2136	2936	mscorsvw.exe	57
PID 2936 wrote to memory of 2136	2936	mscorsvw.exe	57
PID 2936 wrote to memory of 1420	2936	mscorsvw.exe	58
PID 2936 wrote to memory of 1420	2936	mscorsvw.exe	58
PID 2936 wrote to memory of 1420	2936	mscorsvw.exe	58
PID 2936 wrote to memory of 1420	2936	mscorsvw.exe	58
PID 2936 wrote to memory of 1940	2936	mscorsvw.exe	59
PID 2936 wrote to memory of 1940	2936	mscorsvw.exe	59
PID 2936 wrote to memory of 1940	2936	mscorsvw.exe	59
PID 2936 wrote to memory of 1940	2936	mscorsvw.exe	59
PID 2936 wrote to memory of 2204	2936	mscorsvw.exe	60
PID 2936 wrote to memory of 2204	2936	mscorsvw.exe	60
PID 2936 wrote to memory of 2204	2936	mscorsvw.exe	60
PID 2936 wrote to memory of 2204	2936	mscorsvw.exe	60
PID 2936 wrote to memory of 2772	2936	mscorsvw.exe	61
PID 2936 wrote to memory of 2772	2936	mscorsvw.exe	61
PID 2936 wrote to memory of 2772	2936	mscorsvw.exe	61
PID 2936 wrote to memory of 2772	2936	mscorsvw.exe	61
PID 2936 wrote to memory of 1704	2936	mscorsvw.exe	62
PID 2936 wrote to memory of 1704	2936	mscorsvw.exe	62
PID 2936 wrote to memory of 1704	2936	mscorsvw.exe	62
PID 2936 wrote to memory of 1704	2936	mscorsvw.exe	62
PID 2936 wrote to memory of 564	2936	mscorsvw.exe	63
PID 2936 wrote to memory of 564	2936	mscorsvw.exe	63
PID 2936 wrote to memory of 564	2936	mscorsvw.exe	63
PID 2936 wrote to memory of 564	2936	mscorsvw.exe	63
PID 2936 wrote to memory of 1708	2936	mscorsvw.exe	64
PID 2936 wrote to memory of 1708	2936	mscorsvw.exe	64
PID 2936 wrote to memory of 1708	2936	mscorsvw.exe	64
PID 2936 wrote to memory of 1708	2936	mscorsvw.exe	64
PID 2936 wrote to memory of 2756	2936	mscorsvw.exe	65
PID 2936 wrote to memory of 2756	2936	mscorsvw.exe	65
PID 2936 wrote to memory of 2756	2936	mscorsvw.exe	65
PID 2936 wrote to memory of 2756	2936	mscorsvw.exe	65
PID 2936 wrote to memory of 1676	2936	mscorsvw.exe	66
PID 2936 wrote to memory of 1676	2936	mscorsvw.exe	66
PID 2936 wrote to memory of 1676	2936	mscorsvw.exe	66
PID 2936 wrote to memory of 1676	2936	mscorsvw.exe	66
PID 2936 wrote to memory of 2620	2936	mscorsvw.exe	67
PID 2936 wrote to memory of 2620	2936	mscorsvw.exe	67
PID 2936 wrote to memory of 2620	2936	mscorsvw.exe	67
PID 2936 wrote to memory of 2620	2936	mscorsvw.exe	67
PID 2936 wrote to memory of 1180	2936	mscorsvw.exe	68
PID 2936 wrote to memory of 1180	2936	mscorsvw.exe	68
PID 2936 wrote to memory of 1180	2936	mscorsvw.exe	68
PID 2936 wrote to memory of 1180	2936	mscorsvw.exe	68
PID 2936 wrote to memory of 1104	2936	mscorsvw.exe	69
PID 2936 wrote to memory of 1104	2936	mscorsvw.exe	69
PID 2936 wrote to memory of 1104	2936	mscorsvw.exe	69
PID 2936 wrote to memory of 1104	2936	mscorsvw.exe	69
PID 2936 wrote to memory of 564	2936	mscorsvw.exe	70
PID 2936 wrote to memory of 564	2936	mscorsvw.exe	70
PID 2936 wrote to memory of 564	2936	mscorsvw.exe	70
PID 2936 wrote to memory of 564	2936	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_69cc16c17e367ee83149f83638a9ef6c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 250 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 288 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 25c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 260 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 25c -NGENProcess 2a4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 248 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 218 -NGENProcess 280 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 264 -NGENProcess 28c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f0 -NGENProcess 274 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 21c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f0 -NGENProcess 21c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2ac -NGENProcess 294 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 26c -NGENProcess 298 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a4 -NGENProcess 264 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 264 -NGENProcess 294 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2ac -NGENProcess 21c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 21c -NGENProcess 2a4 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1c4 -NGENProcess 258 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 258 -NGENProcess 2ac -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 21c -NGENProcess 248 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 248 -NGENProcess 1c4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 290 -NGENProcess 264 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 264 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 260 -NGENProcess 21c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 21c -NGENProcess 2b4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 258 -NGENProcess 2c4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2c4 -NGENProcess 290 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 2c4 -NGENProcess 258 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 258 -NGENProcess 21c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:3036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2712

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:484

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2628

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1948

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2240
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1244
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
bcc1e8a1e2ac0c5d67f6dad3f4ab35c3

SHA1
f9daf276b31142a71b2cc98ff7695190201536c0

SHA256
8c4ea31d56aa28e4a21604767ceaf12211b16bbaf01604757edc70267d6f3b54

SHA512
c86f6eae09404790522605d07119863f924e46c40ba531166cf932549560eec25e11321e371dfd14bba696c7a512b8731e4483af6b1d091619c09cc4a25aef81

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
cb76fb7ab9a1a36ed0441d61fc704ad5

SHA1
d4b57358cc1ef389201451016ee4e86c92ec0d4c

SHA256
30e4c7120134c8c48a4be98bfbf14e203f62034093e3f0a7b35085f08830a3ae

SHA512
9cc7da03793eb679a438a2668537fd41683b7763f43d21f6e0b3d4ac0ab0b32da8a8680897c0987d74378a4f5d5b99da183944b9935388920339e18fdc919e1e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6846207d4cb087333c943929e05e4a7c

SHA1
829bc967bab9bf296f3c19ae2313e2a197fd411e

SHA256
aa60e55dfd418aed482d3fb7f0a473a9080c87a3a5c5614eed42d44bb4f188c6

SHA512
3e7db8b26826cb4b890e0d90db2a6e66d836108be133ffb2baf102842ceaffd7f4afa907c1f872436711fba26fda41b3e8d7ab2451f306257e86b4c0399f09cc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
58c2a81b7f8712af5ce041b3ba2750ad

SHA1
694bbb82649e9c3a549434946041f26679ca2185

SHA256
40e096eb2044c40a873b80d0fd15c7483ca5d38c23c0ed8e46b272e5e3bb13e1

SHA512
859ff9f895b9fa1bcf88d09f41b5aee7304196d72b4ee43e2877768ac64679f45132580464096890963ae6803d649886baf5d26149e9e45fefb53c94bb8589e3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
692b13ff3cae59652d152d1fd7ba5c81

SHA1
f8ef3d1f865a416c127d2be394d3ddd99bde4505

SHA256
bdf6b3ed77b9f83faee02d6fc121137ccf77ea99b5bf0a05578271097ea70c74

SHA512
55d35e9d6509c5347f519171a36e72be8c99c4a32215e62b0fe44535f6e36c03a52ff99b6529318146c5cdf023dcd8dc8e6b99e03214822d6cfa493e44af62f1

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
797286f6bd275073e20ba1d6dfc4ff1d

SHA1
1f889d4ed1188976f33ea15dd44f652dfe1225c0

SHA256
b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459

SHA512
6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3678cad6d4a55f9b0c0db5bb315524c9

SHA1
ad6b2215ec7acfd066a7532b352e02871e3b31a0

SHA256
396cbdd41875e105ec92903c3ee3eb66e24a586c6f5e0b11c7127cb481b6f329

SHA512
a67b7dacc2af9d8b8dd116665a75e1351484f10f594816496705cb542274952e885ca4f17fb3572c963d3acde845458af785b3979b5dddab2a47ddeaa7c78522

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
726f27909b2584f8c9fdd37bea77e1b4

SHA1
f49b24f6736ec920cbc05da17f32ff7428d2d1cd

SHA256
f8471c82034cca795a8c80cf35c3fc1a0a093c06fc47ce003562582edcfe7cc6

SHA512
0f9177131770ea9230c009efd9521d90c7b7dc37958e8deb843898c79eb6d610a118a4dcd57e8c9e07c5120b63798d6f791f16b317fcf924b3b049f959f4601b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
0dcc5b6cbd68f2f49d622cfc026df712

SHA1
11f5f7dfe371a12446fd74ddb46cc5b55b80f0e5

SHA256
cab0bc8d5017a3cc15b3309695a05e56a96e35666008c03cdc6c7a410ab2f3c6

SHA512
77804213e510d347f4050b0178ce4dad3ec707875fa577ee35f5937dd31a02d31611f79a69d1475658317c956e5ce1abb346429ad0d410162524d27ccf75ab78

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
8d821342b6afc616a2d70ba73dda9096

SHA1
2e9f3f78d757effee06f01054c833d3c514856de

SHA256
940a0c886ebac26a74fa6253332e8aa04155cdce9fe34bf8d5c5f618a9e88b65

SHA512
93ecba7d4e904841a687b268605f9022adb905dbc3e09aea0fa61a25a3997406ae28b1e205e2cb80374e73856c32d491468320d11fc9a0d60d7fa5df58e229f5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
93cdc0ae4e7fdefefb1d6298819760da

SHA1
c321ee48e4879ebaa11ce19985001050c8f83b15

SHA256
b73615f84223690c05589cc25f133e8459f48dfc8d78938e5aa76761d0270629

SHA512
b23a10e5007737b22da54cbd9755c1e1442c2f3122f8a9eaf16e9d4599f288514f484c3b14cc8f4119e15cbb4228774ac3b37d7719fd11cd70d6a431985c921d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4bf7ec95d0f706e98f97a94d42dfb3ad

SHA1
59add2add9feb9c4edb4eadb4f12a5de3e646370

SHA256
70fc3394afc5969e5ac233022400b904f46f5ebb61f1b55ee89767bfe23ccf52

SHA512
fe9a8bdc9e8f18dcb9d90f04c81e58793ccf51f858ca443c1c1cce24489f795d383cd6509be10a44f71cdc641f57db8b74ca6db701d4881ef3dbf1ef05c8c615

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
02fc39512315b830267b01924e9dcbc7

SHA1
0247ab22665b5b959fcbad7ee37f2a2d60bad9b8

SHA256
24c0b909f44ae0312097170a0669e928bb6bd9b1ad97bd27014d85fd1da14243

SHA512
66eb4bc66ea237d2373c23f9b1fea9d770989f729665868a7b0ee3df43343875b8fa6b3836e749dcc696dc31660cd907ac8ffd1f9828572b61369a5c809228f6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
1320979e8548713a75a5e9622f373cfa

SHA1
e15afa5d19355e1b33a95208b6e9b68941c8dd77

SHA256
594efc6286029aca3ad248b9f9fd75d322653802daaff1f40c7b8e78028a89a3

SHA512
49c696d81bc3a7f500ba7d75a6c880f699fa8da9fef374e7ee12d4dfa9a8a6d6bdc477aef516cd7330f0aa5855e0d0c210df02a65e677c0721ff47259d971225

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
487cc133c31ddc582280e492b0179740

SHA1
6b11f9d17676a9985549d6af88303c9feabff3a4

SHA256
b90a233ae5977acac0ff71a959d17d653f5ed983472ca417a09368b2a3cbc79f

SHA512
f9611d71d0aab17b7badaa0af0dd7fe3e452380642da909fb9167a7527423d609b7b5a3ab3294488d61b925bb822fda7300524e7e2faed59dcf9b27b57c4f0a5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
999e96bb991e63bd5c7df30b25c091e2

SHA1
82d0eb3dc6fab99716822c297429b68baebb9636

SHA256
d828527934e807c32c6afd89bdfca5ea3219ed5db0e68f3a79dc2898d26c1a3d

SHA512
a613d65c6239b4c8bc741f2d4fa6eeae461e9deb255b217a9ea23c360a61f26931d03ea01aa90ee63b15f0798efb65d913b0a0687a1ad7c997a233ea2eada764

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3d2d77457a27339af6c2e7406db845aa

SHA1
ea99fc5c199c82d8816b2aecd33d1fb8ef2e4791

SHA256
12d9ecc8de6de9606beca302ce4c1a2a0ee994791a54bb4041d3c0b7da1b7f7a

SHA512
b9f17d16bff3417aaf46ef72751b234d637e6835890136d4fe6451a2e429b2cceaebd6e870a1063bb57b7c6dd9a30429dd2701868e2908e79a9d59f0484fccae

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
5acc96db31c00ff3f59f76bcf885c41c

SHA1
ab06891ca3a4a08cabddd80512b305e8e9f8dca6

SHA256
be01d426400904a4641366430ad78d35882711e525b3106468282e2f086a758e

SHA512
e5a2341e4760f7227507779c452fad019ad3e3fb95b2acd821ed2b33c520248751ee8414e6552caa3f734e038126a34734628ee59e0bb473a6e66791cf216c80

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
c2e367e82eba47cfe22f50e1883de626

SHA1
0c7a3158a71adb56df21b35a7eed936957032c09

SHA256
bbc04ccb12929bcd88763aa7cf356c0240867a28b01dc98ca33613fdb10a2e9a

SHA512
db83ad4c1415d4a2ddb36118ea3954add031f8bceed8df31bb4ad3467be082fd7ab2fba2ae5db1db46d9e656b65158d094e0d569b90e11a98fb77ea79c815677

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
d83a84ecfe44404c66759229bfcdbfd4

SHA1
74cd076ea2946346efb2d20f019c29df6845a466

SHA256
b385b5fceda0e76834e4a3beff2a6f9c4ef338dded0a5c4e6b075a12f10ad176

SHA512
f08eb9cdeefcaa0955fc7b579c4f1d1bf0600c54460a89a7213ecca2fa1fa1320a80a70ca2a9d96e21569491bf21aae8e8cf2f6343a0180af4257ae9b17ba9c6

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
3aa356b3275b686c013a38347e49d068

SHA1
740e3cb7b95d68848945920f18e49df3753eea21

SHA256
a1001b881a9e2054c29e9edb64a9808af54792f53d8e6695f1e7d3520a3b466a

SHA512
f98fbee50cd91f08884ffce1e551d1eb4a0c944b34a925dafef512e60c6ccc922b340ca5b07f9acd34eadc0c4afaa3eaa48454c46eaeaccc79bdaf1d1fe38d68

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
a1a8b2a5e65da00ea3a13f4e0653741d

SHA1
1faf55ed5715bcda454a096b66e2f849a9ac9385

SHA256
9a63542ec5c87256b21fcdaa606d876dc8a27e4038c6968d99aeb70794e664d1

SHA512
c233ddcbb5c0c81556fae6c53f80511edc3e4312705d223357b62852f862cdef10138c90a606a21793db32c2d6dba10d99fb85bdc8e745222a2cb23da8da0f95

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
4e5b0613507120b68d839657077c1d82

SHA1
712adcf06094285677ebe21b51654a49291ad1d5

SHA256
ceb1c4db5793cbec1e22a0e79252dcb094c5df52e255cb81ccb599a2e2facbc9

SHA512
fa343774cd466ac8bd9030e9661244dbeb2a2671ba0ed2d92c4480f86435ae2f32fdde44b74ce9e19c69340b7b91220c2a3cce41701d38a3309ccde5b6d252ec

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
d96a750338c033f38e1717d5fe7a969d

SHA1
c00b275e03b1289d7b82dc7976e6cc92ef12dd2e

SHA256
e46b128a2860113fe73df091e04a1effdfc6672679d85b35f18893c189b96ed0

SHA512
0585c6cea4b7d3e61679cd0388e26415b16dab0baa2a9716938d53c951a495c2c0bbd730a792d555585b707f70450e924dd49f45401f9e1068994c50a5ba4b2f

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
a279b189c0cdd83deffcab4e8bbbe7dd

SHA1
77d1e10a1de3a95b4c40018d4d1f27c3d6a96fc8

SHA256
1187e46ef84b3d377409cbaadc233625d09b9ffd74b32f0bf88cdc0bd1e7d1b3

SHA512
7088eb73d02d16f6fe47aae20cf1c636938f4408d2a1ad7c87bca53c38b2baa946065800205ca4c88d1fa177907211e5d4d25acc15d957e2578aa27a0cb2d2f1

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
bf8a9a05ef79531dd3037589be2aa084

SHA1
b3f615380edc62f6bd935d16a1a864516ba230b8

SHA256
94c4423441ec3d4c6da08b4ee3d313c75da13a47189034dbf06de72235ef9886

SHA512
3cc07d8d5b37fc53643a0422602568b59f446b8629b22537d3400211be983fab408a245d511a91948080a71973ce0d2a647092daf414fb8113deddf80524b90a

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
77ec69bc19747dbe0d24c59a886afeac

SHA1
91be2fea6a1711d78d90497ddbf2bb20d48dcd47

SHA256
0dc2eb705a06ab6f50ceac96be229c86cda95715100c30428a674f38475cd9cb

SHA512
0e78d331d94c7f4267a5c6a8f065c70b8e72a06b47d3267bf2c6ceb1a92640d7a990c2bdd92c71b57a116990c7ff7cd7677644900922537f5328c4e50142412d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
abe78bf9cadbfcb332ce2946feb9e101

SHA1
82ea2f3c7d232538e98c57ebc1c00687f6326043

SHA256
efa5ad3a51ad7e23a380edb7738e9eb74419897960ee972f22400f6718746ba1

SHA512
c8a82e97f3317deeac60460710b450c8f84df8a4b36d31d282697702d34c7b062ed2b81e6feb38e90649ac8b7288b7d02b96933822b366e5873e078d698d68b1

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
4c49d7eeb18839f3ce09e6cd2f495bfa

SHA1
52e76be9b538fc9d360847969e4fc18755d01a19

SHA256
f49c6dd6711c257f8f6de65a4fc716d94dbea715380b7cdac5bbeb9e3f24d5b0

SHA512
615e4d56094babc074324a9c0e8180b414b9e5f01116ffe4c724f3d05347ecfaf7b179d687c1bfac3ca61c1e42083d4d38e49f848643f15ba8a7efeadd38e532

Download Submit
memory/1132-192-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1132-201-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1132-195-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1132-200-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1160-136-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1160-205-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1160-127-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1452-293-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1452-287-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1572-95-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1572-98-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1572-167-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1572-104-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1608-280-0x0000000000170000-0x00000000001D7000-memory.dmp

Filesize
412KB

Download
memory/1608-274-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1648-272-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1648-207-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1648-186-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-179-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1648-239-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-177-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-241-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1648-257-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-190-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1656-182-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1664-221-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1664-286-0x0000000000580000-0x0000000000632000-memory.dmp

Filesize
712KB

Download
memory/1664-279-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1664-227-0x0000000000580000-0x0000000000632000-memory.dmp

Filesize
712KB

Download
memory/1664-233-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1836-158-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1836-166-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1836-232-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2084-152-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2084-150-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2084-225-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2256-204-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2256-215-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2256-266-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2328-0-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2328-8-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2328-71-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2328-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2328-7-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2428-91-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2428-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2428-40-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/2428-45-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/2552-34-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2552-112-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2552-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2552-35-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2552-28-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2596-60-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2596-54-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2596-93-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2596-53-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2628-243-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2628-255-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2712-115-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2712-121-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2712-193-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2712-220-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2712-141-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2712-113-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2852-96-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2852-21-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2852-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2852-15-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2864-258-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2864-263-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2864-281-0x0000000074198000-0x00000000741AD000-memory.dmp

Filesize
84KB

Download
memory/2864-270-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2936-79-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2936-73-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2936-72-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2936-156-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download