61c18087649ddeaf1755a90b9d63a738b14e85ab9e5b3c9a742b6dcbac438db4

Analysis

max time kernel
2s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
Size

3.2MB
MD5

74409e0f59eb6d18ce1d8862dfea71e0
SHA1

9e82adbb8761c948e6a48ba82ab473d72b77ac62
SHA256

61c18087649ddeaf1755a90b9d63a738b14e85ab9e5b3c9a742b6dcbac438db4
SHA512

3321adbab743f71232246e77aa8c5af8a9282e8bc6cb720d6041c4a438b0c1402ce7de1f4a3fc1b6dab632a50ecb4fd098e0bdf861a8d8e541a812e2758d7587
SSDEEP

49152:T5k1YCdptya507NUUWn043oHS3fT8YwVq1/xT3DDbwwTU+elDmg27RnWGj:HNhS4Yw8OtD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
476	Process not Found
2492	alg.exe
2064	aspnet_state.exe
528	mscorsvw.exe
2208	mscorsvw.exe

Loads dropped DLL 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fddcfaa23d2ec148.bin	alg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1728	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2476	1728	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	29
PID 1728 wrote to memory of 2476	1728	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	29
PID 1728 wrote to memory of 2476	1728	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	29
PID 1728 wrote to memory of 2564	1728	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	31
PID 1728 wrote to memory of 2564	1728	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	31
PID 1728 wrote to memory of 2564	1728	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	31
PID 2564 wrote to memory of 2304	2564	chrome.exe	32
PID 2564 wrote to memory of 2304	2564	chrome.exe	32
PID 2564 wrote to memory of 2304	2564	chrome.exe	32
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2640	2564	chrome.exe	34
PID 2564 wrote to memory of 2484	2564	chrome.exe	35
PID 2564 wrote to memory of 2484	2564	chrome.exe	35
PID 2564 wrote to memory of 2484	2564	chrome.exe	35
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36
PID 2564 wrote to memory of 2820	2564	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.159 --initial-client-data=0x184,0x190,0x188,0x16c,0x194,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in Windows directory
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61c9758,0x7fef61c9768,0x7fef61c9778
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:2
    3⤵
    PID:2640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:2484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:2820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2072 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:1
    3⤵
    PID:1616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2080 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:1
    3⤵
    PID:1164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1112 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:2
    3⤵
    PID:2120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2868 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:1
    3⤵
    PID:2668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3768 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:1584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3892 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:1012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4004 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:2704
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1520
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140357688,0x140357698,0x1403576a8
      4⤵
      PID:1936
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:2888
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140357688,0x140357698,0x1403576a8
        5⤵
        
        PID:1584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3584 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:2040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3112 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:2008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3332 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:1720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3160 --field-trial-handle=1336,i,13136805195459254439,12807974901818127336,131072 /prefetch:8
    3⤵
    PID:3192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:528

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:3284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 184 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:3312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 264 -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:3604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 23c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 278 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:3320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 278 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:3232

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
PID:1664

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
PID:2240

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:2020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2596

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:2024

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2272

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:3172

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:3364

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3592

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:3788

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:3924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:4060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:3356

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:3664

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3496

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1160

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1724
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1644
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
00e750464ec1d670df9d640d51d1bf81

SHA1
6fdd0cea0ae503e4fac90b0547f9aa0055b0a5a9

SHA256
60e8e13b5d888c57d4e7307dd51a745a345bdc383b515254f4eb74a44ec18d48

SHA512
6b644253ee11f05463cd5c45f4fa1ae030c991aad42841bb25f075e1b1850a2478c2490f71efe3514c63e74d962fe75c85b2df189c558a56cc2b00f4ed0ba0d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
72c8dc1c1d2c352f58261881322037c2

SHA1
1a285020d9945d1ec0542d3a46510aa23b8dbfdb

SHA256
67c4006541e011da0ef9c17964e40ced1d222bf2e036977d8c503d4121a6c965

SHA512
b158661c0ff6ac85df22c89be76ac08298910d5bb11848239ad0d85a9e74090aecb95f663f5e921b0656babeb41e289ae9afac07774b9d7780131e8da2cce5c4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0cd7863d5a077f9e5e66d13910997221

SHA1
44758a6b72e19c1ab1e815e0e7e189e13fb712ed

SHA256
d5db6ec27ee4fea717b39ea55b95247231f5b74456495ab72b3b48910c458aca

SHA512
7c2933d55947ca5aa5a266e3d80342f984c9225b2fdd2a79ca689ff1adc2a2486615326d7bdc37c79735f7523f833224ff42144ffd997bd3ceee4b214d32f238

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d764b8a4420e33b60391486eb8075d1e

SHA1
ccc357b2d749958a79661275d72eb64112672e0f

SHA256
d38f148f81e8ddf953cb564a2996f6e2af5bf8043d0ef5608c2383d4c6cea423

SHA512
49481f3fa6267e154c9f30f55e34095fb2a2c8cc3eaa8776ddec22e62f1192e3a9d52852c08ab127cc98f8e3ebf72211b3411a625cffe0bbaff50d2bb5eb6c81

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5ad8c3dcb891555b35387930b27b1934

SHA1
8dda968073cb27b38117598b0b0afc6deffda73f

SHA256
838f1613fbe94becfdfa66509255347d84cdd4a2b58ed6268ece807a41319c99

SHA512
26a6f5b80c146baa0ccb68f01ba52549ee21219468668bafcab7b45b28d916835e8c23bb2062a72f555aedec3c1a7bc9f874bdb47520d853c898bf35b4a39532

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\8bffd6f5-e705-46a4-8495-5c20b0bf4093.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
10b29ab6a20f00bfb34f115d114c9f3a

SHA1
12fe0187e6ad0382241bf272f4c876d5cfb84cda

SHA256
618d9073b5daaa227bc665901cb63eb5399f5e7c6a530fd298dfe8f90f4acd65

SHA512
8dcc96c7a2959f07cb9ef87ae512a84f00cbeaa50a9a92b121fe5557664b3ec6b36c49e443ad654fb1dbd06f6f9147913805b821d8b9e025e89ca9ff28c61f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
39e40b362bdc1e121c6c6a234cf5a7d0

SHA1
e7d46c8386bad51ab8b775c828ece711ef320302

SHA256
e593936454d92cdc9ca94e2ab9a6ad6fcce1b336d57adeb62c2ab0a23a938192

SHA512
b4250429c50a73e4d72e6f54008bb29cdd7bdd016096d9de8e4a6ee79a9cc2b9b39125b004e5d588633510615724ca4a11a96d32b540433927acdbb58e26b8d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2898188be65fa21d2c1be2a9fcdb32b8

SHA1
0c3f1e7e5e4a35948e9ff917a4841b3708385b9b

SHA256
f49cc5dd6657dfeb915b34a064536b29812a7cf28d833f9f54f5b30e4eab7e1a

SHA512
2485d98c7bde2c1e1b5190e41bc93735cccfdd5fce18ee058f7cb8e31f11c2ced8a463b22ea6818f7cf5c2eadec33ba6f35b19b1cc2c111f050706e7d08ab738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
fcc443f86340d53123787f47e12a5769

SHA1
aedb8edb6bb8d04e2550cb6bf2f5d070d3862a28

SHA256
c7f61295f2d38012565037c806cfc15db9f31ea1f8f4d847c36efed77ff5fdcc

SHA512
8dce6a63994e9f1eb55731b6d75e5a493a57f651fb033606e2f916f3dac8241eea0098f006bdb91ea2ddd05c3b2780e591eca324dd48989eeecbe926abe1dc38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
814684bbfa079134c9219caffb46c230

SHA1
20b8d3413a4d68f4467a53e0eebec684b89149e4

SHA256
03314d97a07dd253f2d1c627067b8a10c2cad745598d9d453ee54b0ea88a6037

SHA512
070adbbe8d93414f0b3439dfd1c995311d5c029abec21b606c2de29ea5b850cf44d094e9bc56b6b55fcf1d36b13505afdad2fc8d7db5dca7a60a7c8b9aa3b68d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
3KB

MD5
8cd8acb92098cd3e497a34f4758ba7b7

SHA1
8ab24a9281ca66eea34d615e764c9af7c57ec744

SHA256
d7b9af61cc858a6b09cb7639796260feb32c664dd2d4a686b86618cb74ca59cd

SHA512
7fa9127664c9060db276959477e389efedc93f1fe434dc22aaedbf9f21b0708391cb36a6dc7229a78f16d01a633d769e558cc076222792c039b42d36344808fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
d39fd26e91f37277d1a17b679c536c0e

SHA1
5aa169e8516121d6c3eb5db3de5bcef3d703fc77

SHA256
de180d65f17202f03c749e1025aa7f77aac141651cebd1585e2997e9569d59e9

SHA512
7273e9bc2fb62fcdde4d843d497d10b97a0ab58d3dc82c7e530da91b88ae38a1e02c143e2c84c002cf8bb517d276a541d23a63214c310908890cfa572a0bcc3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
26767d3b7f86ba0997da124815b9e7b4

SHA1
a8f33a76f0b0b5126aca457059df12d1937ca695

SHA256
0cfba59767792e9404e9c48da50b6c2ac426971f7c8acc8756adbf18ac2cf11a

SHA512
3c6783f9a9df9e2b1f8cbe220601305389a63502d3bcb0e167c7c069005596d0258eea1d721061571411c2a5b768a8c10e860c11b43432497bad579e0b947e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
4f9abb5cc5c350e08154c05a574e3d0d

SHA1
8d3671beeea9d8f49723e5573ede090027305c73

SHA256
b3d5d15fd1f452286c140507d19608acf8aca48cc3d4537cbf289fcaf8fdc372

SHA512
d28349140c8e928c7e7149d699306eafad968a97be93908f7ca7a34d3d7fba7f844f9c586f0e06c88827f3ea26523ba69d648dc6a947299730b43fd639cdc6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2564_1200577195\50d3d014-ce98-402a-a297-7523f6d68a5c.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2564_1200577195\CRX_INSTALL\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2564_1200577195\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\fddcfaa23d2ec148.bin

Filesize
12KB

MD5
94135f240b66fc0d16b2f75a8af39148

SHA1
7f31ae82f43a399ef03e1d93a660560fa793e1bc

SHA256
3cb4c9c97485ca689e6aea1089e17e326ca0e7372e74bf3ebc892936ead7b02b

SHA512
a022f51ee028467ea52394116c6d70c6d814ba834613b771b0ecabcebd612843f8bc30b6bda2d5089c00cbfed0271ca97bcaa512c90e048b26e351c6f82a770a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
398a5a3f17e050883bac64eec4b0a03c

SHA1
6f1102f3b615f4b793b6bbeb504140749a232bd0

SHA256
4635596546b2f4547a5b664267251493632ec3bec6d4477275914bf4a09ae086

SHA512
f8595360e3608da5e5ceb7a4aa8600dd1af7aed7cc86fad7da24780ebe7e22a2d0e81ad2f8d500ac89c8e607786e5d05323309abd521095f64309f893dea50ce

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
7ea63de06d3ef0fd95b62754bfed4ee2

SHA1
d0186fdbf388cfe7965fc241ddeadc6ad3b8b02d

SHA256
f83c727c0af5cd0562eb1ced02867c02a7ec9e2dcdef9e8ad3b560479019399a

SHA512
5e2dd745ba50aca65b8583527698150a73b8580a92814340f74c2be9d51c69b304841b06ac9effa1166c9eed92e30f5570503f311d81a2072bee25270ae698dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
cb14d66ece9db36aa1ef24ef7e925749

SHA1
df3be743a2745c0eda3349425223d73402ace76b

SHA256
6e0dde016656f58d8e274af3b8bb4e9a21113440b611cab36293071302ff28d1

SHA512
4fae7436f665f5fcf73af49c22e5e8cd7b0ca73f13ae39a9a4daa26c6c2232caed6e2afe17950318bb200615416b11ae613f1eda2c5ea62a7f3bb8cf6bce0108

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
db8fb9f95e2163956ce2cd5578aecc4e

SHA1
d7755f6c4cf30638de236f8bc3820b75652d814f

SHA256
71381e8e7708720516c5a8411580852812345c56677090ca92008a7fa232786b

SHA512
01f93766a9bfa47f303742698e8d338489cf1e80b42795e023fb7969c0d4fc407fe302eb76ca9f5cb6a94f9576457c27e0cb7f71085a15f9ac21412f9e13c06c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
dfcce74eadb6f8aef17a59fae8b04408

SHA1
d042d1912dff2caf13ebaa5d2909ec03c19a2d82

SHA256
fcd18f739263b2b9216764cf62d746c85fbc87887150f5ed18e2cd2f0dedeb1c

SHA512
f8c5e9801503e68dd704773ce31468eac2b42fe40a62224a9e52042f3a92aa76718d36b9a99ce25f377120b1fda23fc23a1c67851f61ec1e50dc8378003d00f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
fdb4aa1e6087cca9eefa070623ab9e22

SHA1
e6e7217db40e146020699bc8294e35660e62112e

SHA256
aa13949ed2bca91eb9b1d3016a5b8a194dd2d32e0dee9581f1222ca8235883fa

SHA512
ad3f479b5ece70400c8dff6363124702762d91ed0a0dec3506f66f70e42b51bd76732f3ddc782e0db04758e01fa009f773f6dc064a9a76c6566ecd69cf61f269

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3672834d3841cf4f58cd0e1b5500a16a

SHA1
f82d2066492b2ecd0c63fb04221278db161e050e

SHA256
2941956e3b04212bbb2fae16a45245a70ebdd6020b5e722a232a9ca01279c629

SHA512
a572e2a8adf8a5a6e9185fcb0f15b957cd76f9eb88174406d2b9e53e63b365ee99eee2f1007d4f3d5a2981c78ae8bc9f76c41c6976a756e9ed7b9cb829c0a8d2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a4bf6f5195e0eda36f4676fbdba61275

SHA1
b9f40edc239a13d3fecfccced271e5e9cb7a3694

SHA256
3ed61ad1f83caa6fa261438991bc48dc6fcaaebb3054b5c775c313c01b3998be

SHA512
d268ea8c18c11d31976571eb69c07a2397e816094ae70abc2a24ec64f23bc03ee36bd721e645ae7ccab523f6098e4f069acbf813b6f1c48cec511668b715c918

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
eb0be5fe4b7432cfa107a1ae672f2426

SHA1
55f49cd662a1dc47d21fa5198f7bfd9800964c2a

SHA256
b6a8c213b4c658f9572ccef131d095207ce3fc359aef6b14376bc19deb24ac64

SHA512
92d92a03e6079e679dc12726cf09f917a99839ee7f87cde6a47ba835a0ae03fe9e3f94cc97a2eec2d9a3b964dc3b42a878a86eb7e8bdedb749face6b5514affb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
7d0577b6b562f0bf6965f65a00074d90

SHA1
e2ef0fc098463eb6483c238a59ae74e11cf3b711

SHA256
af10fc48b0d2f7c351b4a1df3b30596e646adef6276f8771638aff3ba1f9c2e6

SHA512
ebfeded60f4a26d16edf237624248c15ec6d7698b60cb216bcde66dbaeccf7548c232a54891fcbdc9a1ead4aaa29756a288c74aaf0b17867a7dae00c27858998

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
47e929c27ffd9e834f4456dbfcbd43dc

SHA1
ae69bb5637c6b128787da7ee44f219770d9db798

SHA256
c0de86be8bee68d57b93269d28e95aa3d62e79b9f4488c00cc986dc4c61df79e

SHA512
b7e8b56f2a05940ab667290b148d6f68a309a4e33084bd1c1c01078e4df38a7d7bf4ed465c47eafad77702880fa9e737b88edc152000cc64dda1210cd4c88bd6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d60132af8092dd18c0eadff5509f7b21

SHA1
ef515067668b88ffce9ee2003cbecf0392664708

SHA256
9c7da63bf77b543cf62fd80202bef6db63651b0e5b5b8e1303525f3f23a49a9d

SHA512
8648861c4b3de60edc4d4095b12d8fdf868e2267909346c2582210381fb72e57b8752b2647cd5a64e90dda44cbe86ff256e3c8dc11251ae268cc40a0204e595e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
939c20826b3d5d5db6aa45c44f24bec7

SHA1
49e9f0531af1d65022499f9cde50e0a8f921a118

SHA256
3c2f13c48f8889249e22f132b56e6aa6734476f29af9ebd46a5b2de588d44b62

SHA512
66c9fb2994ef6539173e0bf092bd69aa6d7d1a709fe6a93f0b3f1ee716cebef1ac908d0592e24c099c1cd2f2980373cf7986e76c5fedffe18fba94a22d2071ba

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8fa34bc0d70f64535b7cf3ef236bca1d

SHA1
5eca8192e8c6e1dc1c1417871705f7ef1dd7578b

SHA256
20bdf30ff2a0a984caae341136c19ee09c01c0856831dce157d327e65ab7d915

SHA512
1c45d019b5e15a4261c029609f5b0b2cce2bf24409d08a4454c2801d591f65f15d0620202e01de050086d51169b4ce6857473928437ea7076045f1d1f1070d92

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
ef061d988fb30fb9f319c30337e0314f

SHA1
f952cd8727d3a1b722d2b072243465375d334623

SHA256
ed592ad25317453fb17833a40221cd793f063a7c6f257981ee56dac841ea24f4

SHA512
7e7aeea865f8db1f27cd44561259030728b1504d9daf6d37d313ea52d6caf071fe3849b379024b64ccf294bf080e4e331f6c903f33a8e8ef20a2946d3f279ce0

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ec596ea252be78e4c61e3edc555060c4

SHA1
8994f06e77af71ff23c32494bada6590336a62df

SHA256
a74ca84af95820552241b64b362836ccaffd702143ebc876dd0427aaba705571

SHA512
5b3e3baa12c7c2547d62710375d0e47c6aa297f370305622aaa07aef4e6e317975b69099dc15653ad8ab5a29437f8110ff0c7593fc870667965c518fc0a3e97f

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5d475d6d8f75e60d361d28f17d8c2141

SHA1
d82101928f2761eb4266f6542d1c3a9971b8baac

SHA256
4891165f4d854edfee56f618d83d7622f671715c53565a5ed26b571271f652bc

SHA512
c6994438fb87cf52fd768b03e0b0f379bd8b59bcc6a9bee86278124a0089e061dad39ffde60d9a7ba357fb787f2e7b85709591d1b6dc22dba11cc17f66f1dca7

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
8e0616935726087b63d7f145d73d0e9b

SHA1
a16b9b384bd36c51b242dad271120183f5e2e25e

SHA256
2d4f5e8877a5b79472a177a8d04db63c609c2eb847fc8ccd1c2ffdcc8ed18ac0

SHA512
6199fe687d5d922166603da28520706154baffb028328549d03613cfac93182b6a40ef5920140c3def1bf56f80004016df1be378b00013ac8f17ba654d14204e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b19a8a1b4e977248ad601e51a4cb407f

SHA1
ef0180270fd5c8543ade3d95492e5774ed85e166

SHA256
433059f9976fdc65f5a3ac7c5de72c06df73fbf651eed986f004971c8baddbb8

SHA512
02b5f3f5a4535315663fc085b952964ccb1c66755470d5e905249804d361fe97fe90450c3e548805803eac8607779b24976ee59363ebbb5cf6f0169350a767f3

Download Submit
memory/528-96-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/528-122-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/528-102-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/528-97-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1020-284-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1020-305-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1020-304-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1020-211-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1020-212-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1020-220-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1664-258-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1664-147-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1664-156-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1664-153-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1728-36-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1728-13-0x0000000002830000-0x0000000002B6D000-memory.dmp

Filesize
3.2MB

Download
memory/1728-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1728-40-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1728-8-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1728-0-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1852-124-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1852-130-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1852-126-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1852-226-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1888-307-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-475-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-289-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1888-287-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1888-524-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-457-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2020-184-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2024-316-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2024-324-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2024-492-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2064-182-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2064-48-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2208-133-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2208-112-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2240-313-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2240-172-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2240-165-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2240-292-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2240-185-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2240-177-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/2240-166-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2240-180-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/2272-415-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2272-331-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2272-507-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2272-512-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2476-24-0x0000000001CC0000-0x0000000001D20000-memory.dmp

Filesize
384KB

Download
memory/2476-12-0x0000000001CC0000-0x0000000001D20000-memory.dmp

Filesize
384KB

Download
memory/2476-148-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2476-15-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2492-23-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2492-32-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2492-22-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2492-150-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2492-31-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2596-300-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2596-294-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2596-463-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3172-468-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/3172-467-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3172-422-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3172-448-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/3292-449-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3292-534-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/3292-455-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3292-461-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/3364-521-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-452-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-462-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/3592-479-0x0000000000550000-0x0000000000741000-memory.dmp

Filesize
1.9MB

Download
memory/3592-471-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/3592-494-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/3788-509-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/3788-498-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/3924-525-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3924-522-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/3924-515-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download