8c5a88d326bd991c268e3ea8ebc6f697803629747fa71eb613caf62acf341e72

Analysis

max time kernel
3s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
Size

3.2MB
MD5

f8bb0d3a72b6af0d77e7746f266cfe78
SHA1

4e78787b03dbab32b4674baf4964ea036c58f68d
SHA256

8c5a88d326bd991c268e3ea8ebc6f697803629747fa71eb613caf62acf341e72
SHA512

d055f1d52612089e9dc04bc782b20eae4fe67cd83e47af11fe2cdc71054e2f6bf154e44d47b0658a9ac75ad5bba708d122c7c11593264bd8e00e1c2a9e37b790
SSDEEP

49152:25k1YCdptya507NUUWn043oHS3fTGYwVq1/xT3DDbwwTU+ec/snji6attJM:QNhSqYw8OkEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
480	Process not Found
3052	alg.exe
2476	aspnet_state.exe
2684	mscorsvw.exe
1184	mscorsvw.exe
1688	mscorsvw.exe
2320	mscorsvw.exe
2592	ehRecvr.exe

Loads dropped DLL 3 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1f3ae54078a61a12.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2848	chrome.exe
2848	chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2100	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2840	2100	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	28
PID 2100 wrote to memory of 2840	2100	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	28
PID 2100 wrote to memory of 2840	2100	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	28
PID 2100 wrote to memory of 2848	2100	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	30
PID 2100 wrote to memory of 2848	2100	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	30
PID 2100 wrote to memory of 2848	2100	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	30
PID 2848 wrote to memory of 2104	2848	chrome.exe	31
PID 2848 wrote to memory of 2104	2848	chrome.exe	31
PID 2848 wrote to memory of 2104	2848	chrome.exe	31
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2812	2848	chrome.exe	35
PID 2848 wrote to memory of 2828	2848	chrome.exe	36
PID 2848 wrote to memory of 2828	2848	chrome.exe	36
PID 2848 wrote to memory of 2828	2848	chrome.exe	36
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37
PID 2848 wrote to memory of 1300	2848	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.159 --initial-client-data=0x180,0x188,0x190,0x184,0x194,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5b99758,0x7fef5b99768,0x7fef5b99778
    3⤵
    PID:2104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:2
    3⤵
    PID:2812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:8
    3⤵
    PID:2828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:8
    3⤵
    PID:1300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2116 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:1
    3⤵
    PID:352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2088 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:1
    3⤵
    PID:500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:2
    3⤵
    PID:2912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:8
    3⤵
    PID:2500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2996 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:1
    3⤵
    PID:2488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:8
    3⤵
    PID:1596
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2744
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140277688,0x140277698,0x1402776a8
      4⤵
      PID:1824
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:2864
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140277688,0x140277698,0x1402776a8
        5⤵
        
        PID:2144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3704 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:8
    3⤵
    PID:2892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:8
    3⤵
    PID:2684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3860 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:8
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3892 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:8
    3⤵
    PID:1764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3848 --field-trial-handle=1228,i,15100650449204119227,18290522595888504993,131072 /prefetch:1
    3⤵
    PID:1872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2232

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:3164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:3300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:3600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 260 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:3220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 270 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:3384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:4024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 240 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:3996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 28c -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:3304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 290 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:3672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 23c -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 240 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 240 -NGENProcess 280 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:4024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2320

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:3564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1992

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:3784

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:3804

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:4052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:3896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3048

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2084

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:3112

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:3044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:3364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:3444

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3808

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:3544

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:608
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2820
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:3572

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
9af71c8b0318647fda50b4721ac6c052

SHA1
5c56691a652641f48c3cfa48d67872574f07ca18

SHA256
b038f0839602e1e593ffd602b2b641030a99647e8bc2255af2b6b291e478b043

SHA512
1bcdc76e687cabf03f321ed3ea5ab4fd2974d01e6b925184a3a7f279505e3fd04edc14b4c2e713798006ef175d4a1f01e482c6de7e40b1a6e234156c4ac09754

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.2MB

MD5
cd52a55a2c92ee3cc1f1d6cc4cbcbcd7

SHA1
153835baf2e14679c4a509272a34447cec98028d

SHA256
fec08decd1fb9987838189c5c130501205a42dd7e52bba2b4ea0b12030b02273

SHA512
05a5fbceee72b6fd4341e142e2402feabc0dbeedc8959cc8767731c4960f39612520c14c6ceaaf2b7e8a356336409df425b05d698d643c111be74fd1ffa30e59

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
768KB

MD5
336f010a18e223ebd74e2da66ec717b8

SHA1
370fa6c9922c64c3bc4c0a484a4efb069e6ad059

SHA256
487da0714995af6f0b3ecbef9ed5631057e156dbadaf8ae2f85b16aa797c5a18

SHA512
7219daed6803671bebcf44d7c41578d5e5304a07c12fcf2d5124e407f2611c0f43fb3b102d9861371d0865599b69e112bf349adacdeca71c73de780d7b9881e6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1024KB

MD5
3d4c5c0bde38c89ff1b18b76f428c067

SHA1
052af760b732e1c9ffe11c823bf042f2634b13d9

SHA256
135e7285df64845ab085f348d35c927f352dbc67e9d3551f1fe0364e4a3619b1

SHA512
102009e1d425d1b8fc9f450c218725a3dfa46fdff9a535b0ad8453193d662037f7fe76c92df8560fd03892b618d63621c29183c8862857fdc10b36f1e92229c0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1024KB

MD5
4e8bc2fa68144708007c0954d52e6ccf

SHA1
c7e934663a7bf908266f9742cd2c5bacd0139f15

SHA256
3609b95261742484ea6bdd4b3a62f743c0c7c0a460ad388537e0fd02001a658c

SHA512
98901bf2691317bc01ac5d2254e5d1ae4651754fe4960b3b2d9a7aeec3d46a01b84dad88ac9732694ddac09bd6be954be395a068a57459723e8faecd8b14066f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f845b82a-92be-451a-8d8e-bc9c3860af3b.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
395b90b5d6e98603b7ffaddbc8383fb3

SHA1
0a6cbbddf032fbc48d9563957c84d12b3d5c2067

SHA256
b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd

SHA512
4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed715d36c6e1a35718245d163b752006

SHA1
aacee5bf36ae2ed34b5a7b67070af133bf605a1a

SHA256
a428a6d7caa0b2da05d2a23609a8d0b304ed47abfd582c313ab216176079ae50

SHA512
42b5d8146f04aed3e270919381e98d3de6c505572bfc771f1febcd9c26df574bf800dfa08cf1b961798c938c818f6e2ebf494848a63a44a9735096c4a0169159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT~RFf764692.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
05889437e94a89156df92c9dc330fe4d

SHA1
6525b8c86f5c55cd3eb56c144621e5dd68ce8c97

SHA256
13fb74a347e0e00cdd4d17bd17ded2290d39a969932e45734de87ed1ae8a6245

SHA512
f26cab3ff3ac334a626dc05bf47949d83005cc452749fc9f4e251f1dc3045cc79a25327948de5665308274f7eb7dc1cc5a0efb73ccb346448c6ff4df0a05fb3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6528ee8f26b630555c63002f7c16b1dc

SHA1
7c7ac4a0d277fd7fd45c82870ce9f217d70bd7f8

SHA256
8759d283379829ef7c4e65a254182222aa70bffa2dfcac2191f7ab22c4bda02c

SHA512
1adb77a1d4ece19b8253b03c6bb11a8f4d0a3325853672da2e4c7357891db0f8e89c4a4d92f62ec64e8f7801403171fb7c0e8b22e77698c636bc054722db7b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
71808398081ec6fd14863feae2851633

SHA1
a8c10c499443debf890bab1df8fe0dfa810d2569

SHA256
4aacac9897174fae0299aa93ca88c8d96b0362cdb82c9106a0daec7f86c6c749

SHA512
62f160da8952955681c03ccd91999033329beeb9c3b89173e8bb849630cb0056259ac924fec7dff5383385c3414d45ee890d1596315238f36e5a16e8451e0d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5bf6b7745e28016359446de8fd97bb2f

SHA1
01c08336024f795574fc3d62ea6ebd6d84cc6f76

SHA256
e2628c9a0f5c510e26a59907628508afe3ebcf2b19715ec3f5dbd287077988f3

SHA512
7fd9b59d26be5efc4f4a6547823f71adeefe543f276348013a090355a2d294b1a16c212fe51a04c3706bd18305e512e382e6026d0f962f1e7e0684d36796782e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
a3047a8f6f89c476f951ed8110a881b0

SHA1
92eb4233dc3eb919e229be710e51af502f4c8413

SHA256
2ca98f1d2f6e94d22e6a73c38ee0ae81ad09ee1fc478a313abd46bc7b519650c

SHA512
56a88e30c0446b05bbb34ca43390dd4dce681fe55e7f39101ba5fa17d522f27eab300f558229cc1ee886efa32dc9d7659248dfa279982476aedf281ee2a579b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
ef1b664af8d689ebac0d08a316e4626c

SHA1
ab5b39ea706a1012cbbbd1aa350fcc782ef9d960

SHA256
714d60266c4414c3c4eaf3d28915ac3fa3a7d4af9496959ee76c0e674aac87a3

SHA512
31625df922e425b65cd5f34f756c14c06039ba844ffa07fab78878634d4987213f615a5c11b8991f1c2f64415e55b2b6a6981bd5b239013cfd93bcb8e7f02d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2848_292546887\2091e717-092f-443b-8f6f-b08cfca84056.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2848_292546887\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\1f3ae54078a61a12.bin

Filesize
12KB

MD5
912d927eac23f0b3398541fe8beec04e

SHA1
308a09f85b902b924972cc2c4e516381cc88b278

SHA256
d966add152a262f38c6ad1b7a50e0716cd3e569a568654e01485c2b4c11d1ed1

SHA512
47dcecd48ec3a5f7db57e827f240823a6877fecdc78e9588904b9c5439a460c8d87da9566c5ef96c937e57320f60a1309fc7c6d6d4acccc51faf477e0645438f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f10c1de6693a34efe552c7d1fd7ad15b

SHA1
7d638e4b987895762e1ed33d4b80f91f6f86c96a

SHA256
9222ca0016c9ccdb70ac718c9c963a8283faa2d98cd0bcda04bdb0a9c9ba0e18

SHA512
0c3c9e1a3845353f222f312ef3f7bb166e0886e550e148710c371b50167b7a0fd4ddd6960b25d9816805f8d51c09d2254c738450817b4a6e6f547a43e744242e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
0785e15ba1f96cf92f08b278945c822b

SHA1
4b369f8840ed196a3533694f5a2ecb91213cfee3

SHA256
70893df6005fbec7fdb1a05d4f31a79dc3ce0263764f07829ebed1f6c1325ad1

SHA512
a2eb40b98e1b1228e50f3c22fad92f1331309785da348aedb7f6c3e663e00a3724e2770ea575a270514852e684c00209ecccd97a0c6b3655a34b70beaab2a34b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
312101dce163beb45fdd76025e3aaf2c

SHA1
637a8194946469e62ad9ea8f4dbd035fe3502b23

SHA256
b5865419a94b21cf0f180d428bbc84330e3c10962cedd9a1b2e5b40e4682baf8

SHA512
060dce4a0f663057c548f035c5c39037ebe882e07a9a51c82c64b2b89a36b3b26712ccb47e8473798dc7fdba747faec0039c7975580250b70075ba0d7f53c2c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ccb58a0026684a2e8f479da36c8574b6

SHA1
89a0a80240de31cdfa66e0b9169686bb9e31478d

SHA256
d56683483e4efdc52efe8c2cf5d64bc42eda53f7781e6a919f28e9f7cc788aff

SHA512
f060aad104bef1c6aa0820dac65e5541215e6d1fd90910996a3278680bfef8665be2a5847b148b0408147298b7386b8cc53f9e20a005b5adeedce18b39df335a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
a4f0463c9f9d1a724660327717ea5edc

SHA1
b51829a815a4c45d8a043eaa1ab08b1f2bf36f41

SHA256
f8015b509973e9d36f1cf001a6543f6e9e10806f5ddde9a0c2a241358ef24066

SHA512
c16ec9940d5bdfe19459c329c26af61afa2a3da0e1fcc45449c0eb32079141fd8412d6eebba310921871014b4059a451e6062c9cb55176074ea240d21cc151e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
cff47f17f0b573f868d7a40470ea47d4

SHA1
defeb9914254d9ba4163632fc57d4209de7a87a5

SHA256
d4b6644b21a7878e33167c73ffc4b27376c6c785ad4aab0ef4bef870e3cd6da4

SHA512
a8f9bbc8e93ada75d61985508d21eaffc4a3ff49dc0a9edfdb3b94f1a2a4e2bb805f1b7761016fad71143935b1b0f29aef4d3cd054f12fa852e41f5608cbb9c5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
294fff1cdcc901fa1597b879213c5d53

SHA1
641894cd58b5d66a49f8229f9bd7a03a3cf2ebc3

SHA256
3eab7fc99db7778e99087e9b249aec7ef8604c7a4c6c7c98bbe4d4071c61c3f4

SHA512
750145b498706cee78157f24ed1cf93c540cecaddef4bad9c2dd250ed6d02c0d54c7255d9f3c6b8fb9d02b3444b950ea8667aaadc00ff3d29549285baf4dd308

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
97aa3c49ebc31d90e65e7c71a997c687

SHA1
ac04ad596ba22bcafbe111f02d1457f20fa14a45

SHA256
0e513ef84065db2a6755a3844f1c0c8850d2acfd96f4462e56b032251209d111

SHA512
e105960e69a7111c2e077b39094f70f4fc3a417f87dbcbdc7fdba7ec129d79430a13777e8b922e9fe02712595b940df7e3894c33b16a71b4c53ecc7dda3d02ea

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
fb642e02d1fa6df06b23211c2230a350

SHA1
fa375369a3e00261a9ce73339bc1d3d07cc540e5

SHA256
931e3c50f8356aba3db607c8530e827cfd19ee4aac1af04cbf80022d287cea61

SHA512
96e5d75a05aec409d11f091abf211b96e3e67b89198e611ac73ca07000c444aec96e7080b8ea92a1266e1f860db36da05e8ab28b5c41067c555c6dfcc82217ce

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8e57bee7d9964ec378facb472998af9c

SHA1
b6a4729c7e03bb8001de780d35e56397446f6a25

SHA256
452150b8d455f00832a6926bd5d6d85bfb91ae2f9f5b106db1de1aeaaf91573d

SHA512
a97233c24510a02c11a304e3cee9865511901ba6302ca4579db155f5fa9c5d4346834be3ca33c54ee0c1a86615966b6b74ccb70ea0663f7cc7a85e6497945b0a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
dfde29392569a349c6b44c7a2949478d

SHA1
9fc1356fdf3796958343e698483e181b7bcc29ed

SHA256
cd229912c96654d0d3de555b2f6274305d8a0a1530858b70dab288abac285f0f

SHA512
50e5200948ba5343f391e54e5bde00e2a8e061db2a2feec51084c6d541c9db4f9270c734c59d74d7704571aa0bfd00c251e0ea6611cfb9c84488d625c24f915a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
499e74fb12c6c71082a59320dd243319

SHA1
6ab640dd4a49f0a5fda399d53985737045730a07

SHA256
d326070fa9b080eff66e229a0e760e47f976a0d7898174577853dde9fe03bf11

SHA512
9e03a29bd4f2daaeb91b4cc9cee9c6058d9ce4d20849dbfa2d56db2481550b83efe539c6585744d7cbef3a00768073999d4bd76fef612ef6d345fd23efd0f8b7

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
bfe2208d4dab6ea1a6c977947ec974e4

SHA1
44abe02d8f9dce2ac1891004083685319cbba7ad

SHA256
bec573990619374427b5d1a64fdc86aa31321dcb7a0dc8fd187cb2080bbcaf31

SHA512
39c210b313a04f83f8480f1ea94a10588266cf9e75f490374be61a1eae87e0d1319713041e54fc147c5aad5e3fb65b3b8577917dc9ce93912fd262855937bfda

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
1f37c8d6d2fd89f63434368c23bd03b2

SHA1
0e1b7e8cd2d47e5e0d5bcf393efcfc56084735d8

SHA256
c2c6be1e257b04d521c8dd6cbdc12fdd47a5f93a5a9c982b3445061224aaab4d

SHA512
ad6d91c2eb3f0b4b433247b4f83e1139a3f5806c9c6bfe6081b977ca9ea215e33edb899a64ca369e5a699e7f57bdafb55ddb534a0a7571a21d63e813c860e803

Download Submit
\Windows\System32\msdtc.exe

Filesize
576KB

MD5
2a3832518159ca06bea59cecb27055a3

SHA1
b6094f5a0393c053d63b74fc65e68efe9e5fa9d6

SHA256
58c508512a9e1d3f6eaba83c0ea7b37af4d8d7547d6e54d00878560ddbb4072c

SHA512
b5ae190ae3d7cb204ebaac4e7b39692fe56b254f86b8652071e2141b6e1cceffc69a70f080edeae47580220b6d27a9e2a9c076e9160b2b27e5ffd9c404aa58bf

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
3645e2c71d77b77d3f4ac1cc00a6e533

SHA1
eef19ba092c98d9507cbcb6ca68a6c125dbc1e87

SHA256
15013f10cbd118f096a7f4bad8852efe46f58959d3cdd5b0e270f0a3b360d006

SHA512
7dbb679f913c728a0b215a23375375296ca6e01d829d2683b7ebc8da175155b902d6ae78f694b0456e2dfb675adb844113df5e9d55751e79bebf7e968a10ec3b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1445d28972bdd99fd57eebc211a3ffc2

SHA1
0bf0f232182c2ef87cb2e1eb02c70711e7a3def6

SHA256
026d09323370f8f9b0eb642bf86ec44bdedd2e4155a8c82938667406ae29ceeb

SHA512
57b05b744aede6f9451a4ec64636ce65ccbaf9b2f60fc509af1d94f15a5bcdab07a018f6f76ce85d873dc85aecc0bc24c6e27bf88a01070c4658c082dadade9f

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
e2643378b49a93eb24680bbfd0d0a33e

SHA1
9fe689d2c9dfa3b496f0039a6fe5e938a5a94a39

SHA256
d398dd76b5e5f7e683ed2822ff44490a39b2e5633ec7ef37f57b8b1003dc1cf4

SHA512
36dba14852c362387bc78efe14d2106a77c695c38ef9b08ce6d79980b79e970e618e1a6cee3f049704b448e36158c5d4ebf71bfe4a7b1ee844f79e7e6df4ccb1

Download Submit
memory/1184-110-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1688-457-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1688-119-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1688-125-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1688-118-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-710-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-692-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1728-696-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-709-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-777-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1992-768-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2100-38-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2100-13-0x0000000002830000-0x0000000002B6D000-memory.dmp

Filesize
3.2MB

Download
memory/2100-8-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2100-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2100-0-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2100-34-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2236-669-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-675-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2236-695-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-694-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-681-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-500-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2320-136-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2396-711-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-774-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-761-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2396-705-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/2396-699-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-48-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2476-429-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2592-155-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2592-158-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2684-53-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2684-62-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/2684-141-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2684-57-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/2840-22-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2840-24-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2840-15-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2840-12-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2840-156-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3052-166-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3052-33-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/3052-26-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3052-23-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/3164-433-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/3164-434-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3164-485-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3164-486-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3164-439-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/3164-447-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3220-724-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3220-723-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/3220-716-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3220-794-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3220-744-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3300-659-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3300-455-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/3300-459-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3300-473-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/3300-501-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3300-660-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3384-742-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/3384-734-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3384-763-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3564-752-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3564-760-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3600-677-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3600-526-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3600-520-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/3600-513-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/3600-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3600-678-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/3804-788-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3804-781-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/4052-804-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download