982b11078870cebf5dca8c01abcbd677ae3503f8e42c4cc50ce063852f407e14

Analysis

max time kernel
1s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
Size

3.1MB
MD5

63079a50c43de564a9e2e5a7ebc146e5
SHA1

73c7cebcb0b4b94615eec37a7a98302a4c594907
SHA256

982b11078870cebf5dca8c01abcbd677ae3503f8e42c4cc50ce063852f407e14
SHA512

b53f522c5efb90ccb3d3b085d9760656330cd9d5929123c783faedfe782ca8504863b4b5c1450772e4ac5b4a657b6ff52939875dc9a9de3c74012c7b70efd842
SSDEEP

49152:+w0rFYicKub64torDZg30AiShLtivJGHfAuOp6mSlFr6PTaaxid5/IbsT0:+LuxttZiShLtebmac0bs

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
484	Process not Found
2084	alg.exe
2664	aspnet_state.exe
2324	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
484	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\990a719c78a61a12.bin	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2016	chrome.exe
2016	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2208	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2536	2208	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	28
PID 2208 wrote to memory of 2536	2208	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	28
PID 2208 wrote to memory of 2536	2208	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	28
PID 2208 wrote to memory of 2016	2208	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	30
PID 2208 wrote to memory of 2016	2208	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	30
PID 2208 wrote to memory of 2016	2208	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	30
PID 2016 wrote to memory of 2400	2016	chrome.exe	31
PID 2016 wrote to memory of 2400	2016	chrome.exe	31
PID 2016 wrote to memory of 2400	2016	chrome.exe	31
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1792	2016	chrome.exe	35
PID 2016 wrote to memory of 1824	2016	chrome.exe	36
PID 2016 wrote to memory of 1824	2016	chrome.exe	36
PID 2016 wrote to memory of 1824	2016	chrome.exe	36
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37
PID 2016 wrote to memory of 1804	2016	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=90.0.4430.212 --initial-client-data=0x178,0x180,0x188,0x17c,0x18c,0x14021b4e0,0x14021b4f0,0x14021b500
  2⤵
  - Drops file in Windows directory
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6639758,0x7fef6639768,0x7fef6639778
    3⤵
    PID:2400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:2
    3⤵
    PID:1792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:1824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:1804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1484 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:1
    3⤵
    PID:2756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2168 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:1
    3⤵
    PID:2364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:2
    3⤵
    PID:1520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2920 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:2492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3372 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:1
    3⤵
    PID:1252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3328 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:1880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3116 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:2012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:2860
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2856
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140287688,0x140287698,0x1402876a8
      4⤵
      PID:2052
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:1156
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140287688,0x140287698,0x1402876a8
        5⤵
        
        PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4120 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:2548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:2376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:2192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4044 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:8
    3⤵
    PID:2864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3900 --field-trial-handle=1360,i,505691982784533292,6125116267765320398,131072 /prefetch:1
    3⤵
    PID:1068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1832

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:4056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 24c -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:2832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
PID:864

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2148

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
PID:580

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:2724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1468

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:1264

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:2244

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2900

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2068

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:1420

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:3180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:3464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:3548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:3700

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3880

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:4004

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2324

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:3196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
ed51cab872d40f37bdc15d0e9ff6d783

SHA1
9cdb2789f62824b30f26aaeeac620c701ff3d70b

SHA256
742979870ff88eafe6cfb03378c4646ba350450b58df92573e2876668436b54b

SHA512
f36e4b4116141f66f4666892288cd8952d1b68cc141f1baa2ee87b0b106aabc5a991de188facbdae8afee1cd4b0cabc4d6979db0e7e2224a5b396ac9f847d5c9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
c3d7c1bf191ffffe176d24cb029ebb0c

SHA1
0f58353c7f57263cbcab2d5f15cdedc2aa316c4f

SHA256
86640a7e2bb5ac28581f025c85096f0c09f1b013e959736106d24780569b759b

SHA512
2f00f6658e74bfd68b22e59d6966aa7d0029576fc63c6fdc6a294ac696fcd9887386aa86363655b669ad7a3cb3390e2dc30dab3c9f124e6aefe215c44e022245

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ca7f4a0ae726093e818bae3c88ef16b6

SHA1
f5ea84d5dcbe1c46fb41daca7e915ebb9d6afd6a

SHA256
437e54c0da8506cbf81e5efb72b2784ea2c500447ff3001bb332cf15920325e1

SHA512
bc486d220015d98da1ac3957f810f0aa5b7583ef1fb33a581f0a414d3718a76fac90353585a37fe3dacd5af4609e5b1b3d0091758caf37cf62fc12b4bd17023d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e1142b370a53983237ec5d8302b86c9d

SHA1
98578a83c326463bb9b6e29c3e6e2159495ff3ca

SHA256
655fa5ab78841f1577de20ac4d24caf7ab9e5f07ec697287f1da11a99a4dbc26

SHA512
194a9d08fe75d44aea79c5391f5fa0dca09e5a360765065222e0c5d3bcb7b487b12b46a0cb74e6d95537d7dc1d9ae72e0c45eed02a626ca7b44ca8b40f6eef0a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a34b337bd87fc000bfe158660e64937a

SHA1
92d1174fffecbe981722029451991765c975f3eb

SHA256
9b5060f6a852de8ecc07a7a08ee055335ef2173aa0ce71d99a35c8ec75b58ca7

SHA512
bd4ef42d7f5845b880d2ded66d38c9eef0e6c5e86d5d64f820ee02bb28667ff0717b35038106437bd8093b4807101df3634e7275fa9e1896dbff2b1a1993ebf6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c82891cb-f795-4e73-9991-470b435aa527.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed715d36c6e1a35718245d163b752006

SHA1
aacee5bf36ae2ed34b5a7b67070af133bf605a1a

SHA256
a428a6d7caa0b2da05d2a23609a8d0b304ed47abfd582c313ab216176079ae50

SHA512
42b5d8146f04aed3e270919381e98d3de6c505572bfc771f1febcd9c26df574bf800dfa08cf1b961798c938c818f6e2ebf494848a63a44a9735096c4a0169159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT~RFf76867e.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
bec2ab755a9528bd7e0c6b6857ab59b0

SHA1
e9b5062e8ca3aee4ee10cd378b9234e44b8d42c2

SHA256
9e9887354dd783c68f9cd166007c7ee2f49b5d2a73d314c6f6703e806f174e41

SHA512
9b831eddcfa9f5cfbc91c0fc59c363d13641be4b8e37090b7aae7f29453cad6d2775db86daf8357b0773c51c6c34156572817c750b55872d0121fcb84461d8b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6eeae7811830459a42c618fed893f0b1

SHA1
b0ff674f2533f6ca2b76786d6806a940ca181ca5

SHA256
df739766194a3f879a3e9ab2a1099f4e5397137bf08cd7a1ae6b4176c6902e79

SHA512
57d76f2c66da5d07d35fcb5dbd8f957a5c8249b210f718120f48baa141835ad8e25e3426759b729ac2c8c3681ce13c9d943d69e30f089f62f7cf369258a2c54e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c529bb7a423d6c11d250354a0eb7b1f7

SHA1
b3c523da93080c7c44010ceb26b2a627ddc4c93e

SHA256
4698c5307169b7267a0dc4e738dab3524df632fba6cd1bcb90120e7fbd734d4e

SHA512
6c3dcad0e7b19d5c3dcf7a47fc2a2aa33d71cdb86bac35fbc83f456a9a3d056524a73ca52529fe7256929821d8321146ffe07f31ee3bf0d895ce11623386671f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c1f1f9f81101f2ad701da25ad451ce55

SHA1
9e4dd353e70a33d6872974f5184e10a453a5f68c

SHA256
734e1c1a15823c98c9a45f78e1f5bdf0d3e43e63a4b4b727cfa6402f44491b54

SHA512
826e816da6b074802092d89ef0d3c7b3d83ca5fb132bb556d4a6017cb21168bf3cbd8e4107d894369f1cbb58d04d13c79b40cbdb055fd9bc1e74f08424fc2cd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
4cb381a83c7b496a51738b5719db521d

SHA1
809687c98d6e2d7ca9fc66ff1b3e58e6c6de2819

SHA256
dfd5013a48ed12377044ccab240dbcd15fbb463b226bfe522b1398c09a077501

SHA512
9e99605b2a556312c757de17eb8f4c1b8c7614bef55ee6d9611b2e97487f892aa2baebd1009f8ea936de0d5a28235a640d0289f453385b5c6e4db2c78badd81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
237d5476b08300da2c9faa6b5cc9f7d2

SHA1
2107080a6f8f7597729c1e658e677aaedb856812

SHA256
c38ba3ca21a25d418715f5f3564e6f3f5750307e492e581862759ae9bb3cfef9

SHA512
894639b0a5c3747d87b242923a7b7bee9a528be3af129b6d0a5aea8c2c9650a2ea593bdea140899f0912b12e533bbbaad42e97aac1b416f2cb3e5c43f5d405ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
762afea7e81f6591e86fe5c8d8aa516b

SHA1
aec83d4679f6424f89886001d91623ca98d8b6d6

SHA256
1d6c9291314fc66250e10b7f9f596cf96d044e1af5d4698c41e39a61e63faeb6

SHA512
ee3f9ff833da48f13d3a61c774675eb9d5df9677fc010a20c712cd623072cd0457db798febe41496a3cb8529c6a10e0a73ba881ff1d637066ae5289c75cf5b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2016_353597777\491d5fe2-1918-40a2-88f4-e4085306b80d.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2016_353597777\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\990a719c78a61a12.bin

Filesize
12KB

MD5
bf086586ff60e7a409719af905ec6078

SHA1
9156c2ba74d61678b6874f5fc85a1070d217236c

SHA256
47c6073111b97f43af87f4949799eab14efb7e7365fe6dc8f76c11780ceb91f3

SHA512
ec23eff3c40467269ca14775181a9a4e8421ae416a526aac279c9c17e4be6f60b048acf55ea8661b3666aaad34b9eef33c8602b825bfea3323f1c3a7f223e040

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f66cf8fd8c556652a6d448000db63fa5

SHA1
e3511b7263c9972300d05ed7947fc7f412a658b2

SHA256
1952fcc5a1c0c89b5ce2351734be530ee18a6b77e908a4327fac7a3620d944ed

SHA512
1ca991817b60f6696862398bccc0ac0d88b55374304ac181ef849e158b39078019e3eb4b03c8cee91e1001c26477eda71cce8a78680c434079fdd5ef2fc971bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
921ee1d658d62329ef2c8dfac361b7a6

SHA1
91381eb75406c9a9a9c7b48230fea3ef0f812fdc

SHA256
1a26f4b0cf490bf6a47a6677477c5b4668a59b2dd4284715bb17adf1dfe72bfa

SHA512
9ceb0de1c237e099fba4891e6b0cbd780313ea5bbbd54b5f356403f8f75533d3e60f7d06608584dc3196427970e62a43bec8d03f39d360b7e8ada6f1a0aebc08

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
539ce58610af8f57d1d4177ad84a26fc

SHA1
703db6a51a69724cafb7fe94451af95f1bcefc47

SHA256
1619486658b7ecb574de4f7654308f1cb3a5f14f73050c4a82bbb1611c39464a

SHA512
f2d5a6542107b78d5361d9332f41febe4bd2cced698fead36424d4f0f2ce3c3fc2f5832c455d430e2115f1ea2b31dc5ea32daf3f2e150396cf7a5a9c6413e18b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
291c99bff0cb6dcccd70ef634c901215

SHA1
7f8fd3926f9adc179a6d72b07a52548c5d05ced1

SHA256
932ff5c319aed0a74339efb0bf66d04156db722ae7ea8ab0f28e48d88c8817d6

SHA512
397aeea6755f7f14903ef4d1677568dad5b352e122c468f5e6f2a2360e77a28aebd26fadd71a9c0bdd8dd96ea6ac268fd9c963429e6e513afc3e44d166d4ced2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
17bee4e705bed91f0b6c7050dbd57c3f

SHA1
00000a1cb90d2175eb4920d49bef9228335447e0

SHA256
86669f73339be76c5e226ca27f5064bc9b05c13b45918fafa1baae8fb7ead1d0

SHA512
4b966bc0b13034528fad997a7ea246021e4a4046eef263b24c9201e77375a2053b20064252e7b934739a75fdcb56f6616475f563b1cd3af08ad9f6f2c065d732

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
629431288d62d6ce0d05f5e16a2cfb22

SHA1
b5557ac989e9ac8fda1729a7f72eededd3a206e6

SHA256
f41a698cef3204e38b74f4e6a4fdc7cb511c1d82252bf7dbc68c7099e752ecd9

SHA512
0d471a832f3ca26629a55a3680b898312dbfbe80dd87a3ea0d5edc41532bfa279d060ea8ac14073846a2d4dd604d6f0af28c48bbc4dfb5e756c0c4ff9787643f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ee3748407e7768edf9927908538cc101

SHA1
075aa50085205d37ec4ffec53afdb174ad02baa2

SHA256
2fdc691cd410a05e7932e1ec7235b58272cd83e9b2064bf4957b88412712a802

SHA512
0fc17100b32429568813d8c962f6a552e7d442547a9bece221940491a41d193e81eb14a9a818a8f7671ad515c3bda6e1095bbb94a640517d03207805fa7aa3a9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
14fc702d70d0b80487fe63774a7541ac

SHA1
cfda3477406fe18a80db82a001d75f00dcbfde84

SHA256
c766380d6abd5685069742b091307b0e2995770765895b71a5aac140185ca460

SHA512
967e6545864faa8a4612980bef252a557533a8f36afad2136c6a9f13314811b8ff4ef86cb8dce440f50aee9a39c44a14573d6d5d43bd6cf4e2b736201dc245ad

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
d360de928ac2711eb3c4a2b2ca4240fd

SHA1
54b728b8a10ab7dc297473105a76d00a711cc052

SHA256
70d1e8e21eb1d5246d794baeb903481dab90d2e79ec6320cba453c8bb852e824

SHA512
05ad234837941cce38879de129fa721b350918b3a8cb183b7b81be0c91eee91789ca8ac01a916924efe652ba684cd8686bd7a361a4fe0a6e46c86e343f841b6f

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
2decc6e53f6f459341068c82750aa7e3

SHA1
b01cc8e078207fe130b5f9c30ef01c878b4d52d2

SHA256
0e1558a633665d9fb9d9ffbf2cb3b392409cd3e0f7a53054a548c056ff5c56b1

SHA512
03fff7012d84f7ba0767328f143ff9bc5eb9a49dbc7d71e3b1632f3292c187ba6947ae59a2c4b047ed81bf632c145a7a4bbd4be8da4de05b68c203bb67d98752

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
82330b6268063431cc74d8e3dfc860f8

SHA1
ecb69e8b51654befb1264cea306196901d4e74a6

SHA256
78ea3fec07cdbf51c0a1fe25dbd6164e40c77ed9e7fdb0611e94e3341338a056

SHA512
e8765efe5a331fd57d2bfcabf31c5fd740d6f07fee51041819ff79cf744b3f2e0d6618950b6473d38715bdab3075fdef8d87f1ed492c0dab25ec73d88eb721a0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
5471dce5e2f18294677d99d401c67938

SHA1
07313ed09620f44fb3dd3e62aa04f1c94c4bcb71

SHA256
806ed2208b7e5fb145241127ef1b8471c0e068276b0f68dd06811523aec29498

SHA512
94467f8f0d81b28faa02fd94a85922b8c56d844e45551e652325ca3991a868bc02aec0f4e5f3f5eb68671e98ff590fe79dcf69d2f5b036d90199e07a25396e6b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8e57bee7d9964ec378facb472998af9c

SHA1
b6a4729c7e03bb8001de780d35e56397446f6a25

SHA256
452150b8d455f00832a6926bd5d6d85bfb91ae2f9f5b106db1de1aeaaf91573d

SHA512
a97233c24510a02c11a304e3cee9865511901ba6302ca4579db155f5fa9c5d4346834be3ca33c54ee0c1a86615966b6b74ccb70ea0663f7cc7a85e6497945b0a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
18b684b2bbb331a05b739399bbf07a38

SHA1
b45c083b7b100ca7ea5c4707f5f05054506c55d5

SHA256
f87c47419bdc4fd2fb3b81aa9e387daa437f93b75f852cd32d3e2eb77d054384

SHA512
3622a7d86b39c710753e47e16bbb133ba39656577eb3e35d02abed9409a60571de984bc40bc4db484a652f8c3b29f5d34cf262304e4e6ca1ae9ab7a2675d3e84

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6a0e6f04d6b7dad73700b7b46f38bde3

SHA1
6899ce9b53bdf78247b92f7ef9b757345b76d386

SHA256
1a327c3358bd85786b728cd1f0ee19f286238d1147f2b967f8ef2538239fd5f1

SHA512
257cf8399987622dcd3b22f24c9f48c91bf4d12bc2badb13deee6da611cd53ed3d3c35c6ff326619edb394e9791906981ab20f33bd8d8eed0249437913a7518b

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cb9ae0612487d05e08c9af9aab464a0d

SHA1
d303a54eca9888e9a46035e01ee3f6387e2475b9

SHA256
dda7c6ead5cc6dcf48deac34bf8820efe35198e5b013cf64fb88750097ef7dc1

SHA512
7f6cb8a15d86ff33ae34e25596be039b83411d43efd2b88576e95d32b2d93cbd90566934806bf16f091a3cdc54c245049eca80e7b412ac8dbf45c24a38c8c43b

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e31959d0e861eb0a08cec5c586807916

SHA1
ce8d616a221db9fbfb994542acee01644c49dbcb

SHA256
e608c50b010e2c586d2c1c99c08b453ad816fed00ad421e4f20b1d25279e81c1

SHA512
f20836cf753f3fdcc257c512ceea9e656c5fc9cdac52a228e28867c51116c1b5debb95c32b95351f0f9075fd9e6de1ea02454ac7340f2df7cadef86e212f5eb4

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
35c42504f7a202ed038c04f0f1c35130

SHA1
6a6787541f575ca5de8a93cc84834e33d8f1b28d

SHA256
e13cbef1cae074246635919e30abd2a09ab6dfb9456afedcd8f58c9e11001b0d

SHA512
5dc49891c8c13abc780c30616035784afbb15cbaf2b1096b9d08e249dca6f0080ce18b8f77989b956682eb29f0ba1c714853ff5f871dd067f0a04227592182fc

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4cc03d3319eded3ff6d82c2c94cb53d5

SHA1
e7fe90090a714e707f9a2ab6febed9c4b4b6d6b8

SHA256
9ee47b08be5bf8a3493da3025f57f95b09902a086cea93e89de398b3c35e7216

SHA512
a4fec871d5ae826e55ae452c964e6e17f4ce44d2808fdd62b06341caa179df40ecc7ab1af96d5cb51c1d7334700eb1dfcffde4aa1c9c9d81e2603e83ce81a48d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
13f2306ec20424d42feaa28dacc52226

SHA1
ad53a6ac389a7527a40b1964e27c3c46391a78e4

SHA256
3f7b73a27ca962ffbe0a21d97966d2802930d70b096f37e11110cd50e1fd7345

SHA512
a3c0b44288fe2df2c1e2df8497cb7549656f3ac3792735ab68037ded16c86e4cfb1f0730678edc59e3a9c3c3d52b4e2205302a6d395b4661b99a0ca746a461ac

Download Submit
memory/580-681-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/580-755-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/580-672-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/580-714-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/688-783-0x000007FEEED20000-0x000007FEEF6BD000-memory.dmp

Filesize
9.6MB

Download
memory/688-782-0x0000000000BD0000-0x0000000000C50000-memory.dmp

Filesize
512KB

Download
memory/688-781-0x000007FEEED20000-0x000007FEEF6BD000-memory.dmp

Filesize
9.6MB

Download
memory/688-846-0x000007FEEED20000-0x000007FEEF6BD000-memory.dmp

Filesize
9.6MB

Download
memory/688-853-0x0000000000BD0000-0x0000000000C50000-memory.dmp

Filesize
512KB

Download
memory/804-811-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/804-805-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/804-785-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/804-784-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/864-176-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/880-122-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/880-124-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/880-166-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/880-131-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/880-130-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1420-831-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/1420-839-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/1468-796-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1468-788-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1468-723-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1468-717-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2068-815-0x0000000000620000-0x0000000000773000-memory.dmp

Filesize
1.3MB

Download
memory/2068-813-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/2068-827-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/2084-172-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2084-33-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2084-36-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2084-27-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2084-26-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2148-661-0x0000000100000000-0x0000000100135000-memory.dmp

Filesize
1.2MB

Download
memory/2148-667-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/2148-739-0x0000000100000000-0x0000000100135000-memory.dmp

Filesize
1.2MB

Download
memory/2208-34-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2208-7-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2208-0-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2208-1-0x0000000140000000-0x0000000140333000-memory.dmp

Filesize
3.2MB

Download
memory/2208-13-0x0000000002660000-0x0000000002993000-memory.dmp

Filesize
3.2MB

Download
memory/2208-8-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2208-39-0x0000000140000000-0x0000000140333000-memory.dmp

Filesize
3.2MB

Download
memory/2244-741-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2244-800-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2244-732-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2324-150-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2324-109-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2324-108-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2324-66-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2324-67-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2492-789-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2492-799-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2536-12-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2536-21-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2536-15-0x0000000140000000-0x0000000140333000-memory.dmp

Filesize
3.2MB

Download
memory/2536-153-0x0000000140000000-0x0000000140333000-memory.dmp

Filesize
3.2MB

Download
memory/2664-58-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2664-50-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2664-334-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2664-48-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2724-703-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2724-768-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2724-708-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2900-825-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2900-757-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/2900-745-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2948-701-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2948-160-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2948-161-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2948-152-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2948-155-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/3068-769-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/3068-761-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/3068-836-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/3068-810-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/3108-848-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download