56acd0b3078ea1bf520d3eafc9a51a53d0bc01429649dbf723115ca9785ca1ec

Analysis

max time kernel
21s
max time network
154s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
Size

3.2MB
MD5

93fd029b34d01f7e6497fc1dfd51065e
SHA1

1435172d10a930d552d34e25fd305e3669285d35
SHA256

56acd0b3078ea1bf520d3eafc9a51a53d0bc01429649dbf723115ca9785ca1ec
SHA512

52de4f2c6d20d773e6cbde523c6f5dd4d9f92c1bdfe789e4870c9f56d4aa9a686378cb026cc215be47d555188ab985d195e0145740c7edbf4bb8ff22facb07ac
SSDEEP

49152:x5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqyjkQ/qoLEw:BNhSMYw8ynqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 14 IoCs

pid	Process
480	Process not Found
2624	alg.exe
804	aspnet_state.exe
2080	mscorsvw.exe
1868	mscorsvw.exe
2216	mscorsvw.exe
2112	mscorsvw.exe
1860	ehRecvr.exe
2292	ehsched.exe
2636	mscorsvw.exe
2860	elevation_service.exe
1316	IEEtwCollector.exe
2936	GROOVE.EXE
2856	maintenanceservice.exe

Loads dropped DLL 5 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3f516f16bfe435d8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2932	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: 33	1868	EhTray.exe
Token: SeIncBasePriorityPrivilege	1868	EhTray.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2984	2932	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	28
PID 2932 wrote to memory of 2984	2932	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	28
PID 2932 wrote to memory of 2984	2932	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	28
PID 2932 wrote to memory of 2652	2932	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	29
PID 2932 wrote to memory of 2652	2932	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	29
PID 2932 wrote to memory of 2652	2932	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	29
PID 2652 wrote to memory of 2720	2652	chrome.exe	31
PID 2652 wrote to memory of 2720	2652	chrome.exe	31
PID 2652 wrote to memory of 2720	2652	chrome.exe	31
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 2616	2652	chrome.exe	34
PID 2652 wrote to memory of 1968	2652	chrome.exe	36
PID 2652 wrote to memory of 1968	2652	chrome.exe	36
PID 2652 wrote to memory of 1968	2652	chrome.exe	36
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37
PID 2652 wrote to memory of 2700	2652	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x17c,0x184,0x188,0x174,0x18c,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5d59758,0x7fef5d59768,0x7fef5d59778
    3⤵
    PID:2720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:2
    3⤵
    PID:2616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:2700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:1
    3⤵
    PID:2100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2240 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:1
    3⤵
    PID:1320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1096 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:2
    3⤵
    PID:2152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3124 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:2524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1344 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3532 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3656 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:2968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3772 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:1416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4024 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:1500
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1436
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f477688,0x13f477698,0x13f4776a8
      4⤵
      PID:1476
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:2412
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f477688,0x13f477698,0x13f4776a8
        5⤵
        
        PID:1696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3980 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:1936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4084 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:2920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4064 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:1924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1240,i,6170862208047755156,7900879994350367474,131072 /prefetch:8
    3⤵
    PID:3392

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2080

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:4064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 180 -NGENProcess 1d0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 180 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 24c -NGENProcess 1d0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:3916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 264 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1860

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1316

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2936

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2128

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2668

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3936

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:4084

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:3112

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:3268

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:3332

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:3496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3728

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4012

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1612

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:3232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:3612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
b29a306fc4dccd355125d76c581eb422

SHA1
13992ac3f7c5c52fcff9d1907407487652c9d829

SHA256
9128aadce6cd79aeef378c83ffa8331e4ec845c945a5b0f6f8c72486c8548020

SHA512
c894494170f21fb0a358a240d7cbfe9cdd094dea6749e79911e6b3e4f0c8a3edc6c96660732093a0311700f10253b5505c61aa3eb5c3b44cd90754babefcc125

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
adf096d2cc4bb7df77c385479557ad3a

SHA1
b953f00b75b5833edd18af7a4f5e0dd2f825e36f

SHA256
dc6e1af41b1d7030d3313cc3863d35d7a27155634fb58da4d5c52ac96fe50e62

SHA512
5cb2a8efc6245d72ab332fab7705fb088d53779c0cdca13b7962aa4ca072eaaa3fd78da29c7e337f599c2ed636a2e0c2fda77ff6856786f53bf749c4a1af8ffe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2b88ddcb2e0a0abe0c53b487a58a7cf3

SHA1
56d9e5cb2bf7ab8cc6e778a48d43ecb7905702ab

SHA256
318cb614dead480bfbff199a4b013bec5c5ddd2a765e0fc3d03b09424a80343d

SHA512
df27a24cfdfd412189d72749c77c775619c8dd81347ee5f12f81f75c76d37143ccbe9f33440716861a396006d56c984abb423d2f3283e41e4476564de6db0577

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e91d3b2e1f25bc9e0c1e916872ff166a

SHA1
68b691d1c010079e22dd321c5647da066c857fe8

SHA256
2615f323edc9b99a044d62298bfcc5c202ce2f46051275b1862ab0dedb384b9c

SHA512
83c4eef85ed63927f485708de28044a4501554212c4126d326c8e0c0dbbcd354a00068e39674eaca5ce639cb0735312caadebd96fbb3ec1d541e775b9c86414f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9f5abf6deb3236db20588c1d8d706ee6

SHA1
0dfb6345f6c7a4e657d04a9c153911f99759bfe1

SHA256
08a32452de1840be9ad8d50bd15f2f4b9021adeac52cd4057fc2bd5689069a56

SHA512
a434bce71abb5f432726f29d0006cae0eedd218f0574d39baf93d34a68b34e226d7082aa5029be20424b1420c724725c674ad6078ccf627cb832a1df76d401c6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\177478ea-9ece-4f8d-8565-aaaa6f6e2ca3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
86f9ea1f543ed9ad5c957988a75bfca9

SHA1
cf70699e5d2d14385b9e194ed8e4d97ae9fae718

SHA256
fc48be2f19f2a58f4628ceed62e509aa14a84cfef15a9f3170e85202c9f96001

SHA512
24066285e1fa84bf59b0a4a6757660c102451a525edf057c28415f43f7abec2fde2b30346a661e19fdc4f83468c85ee43db80a196b2ed452b58e259f53984b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
98839058218839f994b8e103bad863ad

SHA1
231dc87642c3cdf4a41f4c21233c120f87e7b076

SHA256
236861e6339353e02901dcf56d40d9b09ea1070f1363b4a76f2c9fde294028dd

SHA512
399ecd3a4654a815e9f5275a9c59282bbc3b096809d2d322a6aa04f932924a10a15d0f1fb3b3944193c4d6a88f0724e11faab8ec21bc57d09ebfe9cdbfb34775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a1b9d3ffbee1647668fc2758545695c4

SHA1
79e2da446461d0c63d2fd33239140f27a90fab9b

SHA256
395d095539c3b2f9228902831b291bcdc7782a2cb5a102c595abc31cb5a7a790

SHA512
66e19d465b2ee8f91a430bae37bf80080d9b0ee8c656f9d63ba84bcb6393503b55178bd5459ca07a64d6bbaa9065cfc68368209a61044734075b92c856938f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
3KB

MD5
846d4a3267781ce839ae3c464d33e0e5

SHA1
e40490e81a1712005acba11538e37194cc2f6ff8

SHA256
42b2d2bb3fd293234fdce595faa8a720a7048366e9b2b0f4b39a8e672a3f4889

SHA512
d54d28a0d95f471453d4b9e9ad77927e6f7934cfda74507c14ee7a9d37d385ca7ad4b0dfdbe1e660c2633c1ba7e0f46344f72e24fe65e7c65cc2094e72cfca0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
49b10e2e14bec9b8f20b88594d33cc3c

SHA1
c6fb9fcde6b36d2badc2f88fa48fe8df28f8a2bd

SHA256
679edb3b1210df0c4106c40bff268c3f9adcaa5f53d5f96c7c7f6da46e427662

SHA512
1710068cce6d50c3bbd7c901ca0a6cc521c2271cbbdac89f9ffde69e62c6ee7cd85d2ffd674585623dc1c889eb070f9a7181208bb47b860ac71be9ced40ea853

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
39504b6a40fb9ffd1af1c63cbd9f1569

SHA1
1e69005b3598fa6661c3b31ce4baf004ed3e5921

SHA256
4ada83633c470a7ce40f487958e4b19b14043e9874fc5787f395272bfc35bcfc

SHA512
08c56d1a4e4f3a78fe7c8fa84d6e296b678712806350a12b4a8a85f89213301f6c42fc946e1e6c611231906476eb833ed1ef6ef510d8a397912e78406d8e19d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
d12bb32a9cdc65f321121f2a87973826

SHA1
a5b41518e101ce0ff078a87c4a45f2a988beff86

SHA256
ff7f0ef0a30292650f1fa4ffe50261edd1a9b00498c7e1554fd3c614c38a1ce3

SHA512
4735e1dcb83aed9f366c2e8254a23c67dbc6af7bef8d88db70021724100f2c692facc7c0a09d8aaa79958d42a4dd4411f9da4f680386bb075dadc810cbe1f809

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
463035fdf151fc6fdee4be8e395146b4

SHA1
b793f0db9d434c38802125244848fc25bc9a5fe3

SHA256
b36f5d336f0ae74e8c59b98e2fb9465669340150e21e01d4df038aad285d110a

SHA512
2515aff9431aabf44fd103ec52c770e82f860428fa46430a2c826fdce5d1559442add34de23575ff423b0581e17b59499b05d1f061138e06354bead079b2db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2652_703356279\52ab0fdf-0230-44d0-a421-b39aacdfac9f.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\3f516f16bfe435d8.bin

Filesize
12KB

MD5
c899be419b881095194a6c9d60c4362e

SHA1
6e7be438d5d13c4cef388c2d47b47674504d7f4e

SHA256
a979b351c15212e7aa44f71c9487c28b6976133c1a731ea25cfc5c29f7c38b12

SHA512
6ee7f3b29d016311905c010eb0d1fb25858e6c976ce6983328493f8b66a2cf9b1b458715332d0e86b95af3c4ab4c4dfee36ce623548aa2ffe9e5f10fd3b17fb1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
a904428ade6c98dbe843568666d398aa

SHA1
7bcb55f4d53413d3bdfc94eae221d8ea23d29587

SHA256
38038b0dd2b429f783a5ebbf45fa508b23db4d91f18c74f99ba745b13419e91c

SHA512
65de130176aaa843bd2fc792d4d8735617a1f1e9f6a0d7dc3d8412d4b9414fefd1ccf79b02aba9f48a561517601627ccc220e8a2d79fbaabf2826de906995b65

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6508ff1a66fd7667f73f85599b30a327

SHA1
d439f16ebee78ee3a910da0c66963df629fb434f

SHA256
ff18916e6a34ed0c72a9a24a292a25ec4ce5a75d0b5c8b5a68e9d2684818a8c7

SHA512
8c6caf36091e318673dce7e561b56694192d9c64275ed6bfefea409a06eecff027cb0f4f52070c7cf52fff74db36e84b5dcf67b369718d9793c72478ca579c36

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
b5d03d18a6f3cf0433aee8ea56eeef98

SHA1
b5a89b71b689c6cbee1600582cbc4655a60ab196

SHA256
ad02cb8cfa8e5a9d7ee9919e75c4154a3e71aa1d47e7338a12ed1830f85bd503

SHA512
de241d0d5cc46f99a906c119e6d4515f03abb965262444bb667a755ee0ecaa4d5dd7a7b7315a5ceaece8d71cb5605c5fe4cbd2215925f8e0445719e6508f1426

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c8d398889d3585ecfbdb66f242e8e4de

SHA1
bd188fc3bd9e5322f3b778ac1dbb4f51164769a1

SHA256
1ce9826b97a31ecbe5916bdc2e93cf9445b06b727c6f462d12a0b41efd5be013

SHA512
8610d379db4589fcef18fec5af991ec1bce5316209238023d2a03af05927844ea8bc7c733f538e93517e960dd6f05e4f2586a0ca07ceadca5b3105e175ebe02b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
044efc1ce89f58ceda1e45967c7d0eb5

SHA1
959bbe7d553491efceae03b318fd121592538ac0

SHA256
0de07d3068efb4bc713cd49698cc8d2cf936bd6e6b6a4d9bcca00d7d3efd3188

SHA512
ec01a2e782307ab10ad38b88e58e2f9335553c449cc278513407c412119c4ef1fbe176ec0381badbe5f8084bf8f0370f8609bced0b28e35852dc442a1f5d91cf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e818cb4c219214a86b9cbec3df1881cb

SHA1
8abbe8f6723030e57b60f001a4b9ae0bdeeb83c4

SHA256
61642e84c24b9fce7ea50ea9212e86d15d6023a88d876c474f7210670b6ecd2b

SHA512
8f18d937c5cab275acbb620acb034c990dc35ec9f71ad6b10590e14a8972e745da3fbd5b6c33a4a8c226b92b140da417637b0b482c788ecd08415442513e256c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
cc93115b0cf6b41aecf5053006cb4b82

SHA1
e84e586ad3c17b1296fd2f9268cbc4b5f7420cb4

SHA256
f2c522cee11777c8155898d403abebaf5f5be8a8943d5d8dc23a0310c6386d0c

SHA512
9d6855ce78857307f98ea015bf0d64845b55f1e461ee8241c529c0f366aaede1fd9ce348ec9463ecf4cc6918266c342aa648c41e76ac49f11271debfa0d645fe

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6fb426f9b0e5b32a9c4833a5f1444ccb

SHA1
7132bdb56493e4e20130f83326192b230cf67c87

SHA256
81cea906339eddbb8b9b24b43725521121d4e9f6f6175882fa7caffc1d349046

SHA512
bc6cc01734e7d6bb6ce8a53c70d3eacb740e668c237bce706ddf2e32141755eb88d7411df9b597643e160df35038832f0b98bc99e1603251edfb43f0f39adf65

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
22fdaa8408e296864389b884895a9313

SHA1
aac9df2d37fde45b4cdd8575caf9237bb2c7f3bd

SHA256
a83f854e144feebcdd68cfaaa87a5358160651653b8854c64fa689593f0eb18c

SHA512
4e064f601cb659dd0e8b6f5d356536904f5d1feb5212d81a10f532b0b6d11ec96987e744e5c24e7ba672ac1761e1d02355e458395a6443077bdf94296be6214a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
3605af25625d0e2a3f172d3e547c2e67

SHA1
ac37a40180536b1d440948cd1324308b7837509a

SHA256
724a112cce617d26955a38ef17e2503e89f01f2199dbd59d29128df43d3b04b5

SHA512
5e2d9a30f7484de35863f7de73b0f8e3c02ba332da14456798f59fd942f52ab61eefd36b6f4b88a50a6cd1a6df0aa04730b3242dbad4808e6cd62e4b65f3ea41

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
cf701fb3757aa3f475bd45d1eaa1037b

SHA1
9975d3021825b0b5e1e2142e52ab1d187b4f39d5

SHA256
f8e81ae7ffce90677ba90924b79b812fffae15d5e1bb7a22cd698de0d57c2b6c

SHA512
2340ebddc114c817de22b085fe33bd1cda02da8f52118d5694cf5371e2a5c6e113e11d5f2b52d3378070269e3f1c510ef0935b4d55cb568b54edeb18fcc6af34

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
677172e5b2a228f5b7e4f05e52ad66d6

SHA1
03c99a8763ae84080af5e32fbbbf56188892fc49

SHA256
9ae14faf60593e187f04b6b98f5e4e2de625a09a108823ac96d366b2e1751811

SHA512
40f1ac96eb41735553b779d9d0b5177cb3f087ca4a8909f6d7234b03c0422feaae34047601889790fd30a0826361aea6607adef1ae412bba17216a26a4c5f1f6

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
21bca1b0d820b6a46c147ac33b0f2c74

SHA1
0c6d928745b992076b28230b57375d03439d3af6

SHA256
0b62ecf0c0a13489a06ff75665c0cf90a1db5adff697e34855cbf206c0bf8a7e

SHA512
4a6002a12c9ec31c96ec091986c9306f0c13afe34d7c79148fc3a158ec55ef1b226504542a0cb00b3611599ba6d13331529aba610bee758773cf5c10a939d487

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
376cd74412fe9ae546392ce3961ba5a6

SHA1
97a0102f4e29afb24237e18053a477f29ddc53b1

SHA256
e7668b9cde91ededf17534d85c5e2a306c8b15d705bec83933c169d7036425dc

SHA512
46a99925ea434e7a154959acd34f1858490774433c1c41460dba801596a5861c954172f81fe9f8c359ba1bfd525f38bbd65fe0560441f20cf2c418a9b9c4a023

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b5e94c404d2cf34c11724201fda9349c

SHA1
93386b37e0a0d6d024452db259b0c41bf3c96d9e

SHA256
757f61389d7ec07fd8d935ca2bfed6978ed6d1944725445f93f052883468f004

SHA512
909d9d7a37ccf0e7bb1c92eb6ebd888ea3a7327dc9e36cd15ef40e7256ec0a97718543f1ee327028368f32119627be888b95f660d5214947972fef50aaf3d1c0

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
08f2059278a2abfc6b3b80ac9d1813e7

SHA1
9703d8621d29685a067d93db4c0f754262ec59f6

SHA256
bb1b7a91ea13733f0549e5aba7e880191d4f63c3a1bc03f42229cbdc778194c2

SHA512
457258495307e4de2e48b4a6fab6cb16b82794514a6f67b3a82587464d3666746fe3ff7527285ad2b4d44418eaf4f3fa5c60ce06f5513490b42aa7aa0ef8c5c0

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7cc7f1877a2d830c854930dacd48842a

SHA1
7cd83b8d5362360e31fd10e6d1b3fce30cd42ce6

SHA256
dbd8abab8316e3ca0d85a1c1ab616633e041ac380b450cf499a694aa0cb541b0

SHA512
4b2de24b5ac969de5ac874bcf48c5a4aff829454791843ee93f1226dcc22b99b7156542a81b68c9d6daa4a989cf7bc3fd89518979d4e635844b0cadc206239d3

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d003f5a8fc394040ed0e99303406a714

SHA1
515f0089770dc81f275badb7578f69c6dc27be09

SHA256
2aa7c389c8ab26d0f9ce7ebd9530faa550402fc6e83bdbbe27787478dd6d74a8

SHA512
96c33e7d9a1f70d509a26eccf4510f196c02b0586fe675fd10d3918509dc68749a27a7f3507be733d51dc24a2de34a41e22420bfc6b9fbc18b0c0a3b9cee99ab

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2518fa0048f2d605b48a562fcb84b6f9

SHA1
9d891b1508c8c2355172ce1170acf3532a21c698

SHA256
f813a0362c76753cb51bfc488300a1ae4a1e02b6669e27735f765cc928a2459e

SHA512
c5af4a8e2e4bc3333221662b957e03d9fa96f690b2f3a6c9b568666535c8c4b1d90b1b63d2cf8043aa5c16969ea439bed913a16819c335de71659a89dcdb026e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
1e18154c1e488565cabb69a42f89815c

SHA1
e5e6f6d117401a04fe553022d106e0983c55d82e

SHA256
fdc327eef4f00afb4df7ea10abfbc7fd5216b800b970ec82dad0224a4e269296

SHA512
957f595871fd6080bc604fa812a31bdeeb0436ffa747cef2899eac6008313c6f03d35b846cfd577dc1a1576219ddadb780565ac4579ede4aebaf395266ff69c4

Download Submit
memory/804-55-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/804-49-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/804-47-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/804-184-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1316-478-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1316-606-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1316-282-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1316-270-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1316-605-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1860-236-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1860-316-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1860-187-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1860-194-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1860-291-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1868-121-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1868-177-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1868-135-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1868-122-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2080-81-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2080-82-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2080-206-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2080-102-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2112-267-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2112-162-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2112-166-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2112-171-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2128-329-0x000007FEF1750000-0x000007FEF20ED000-memory.dmp

Filesize
9.6MB

Download
memory/2128-622-0x000007FEF1750000-0x000007FEF20ED000-memory.dmp

Filesize
9.6MB

Download
memory/2128-330-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/2128-624-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/2128-479-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/2216-147-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2216-152-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/2216-250-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2216-144-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/2292-309-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2292-225-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2292-209-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2624-37-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2624-163-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2624-36-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2624-28-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2636-360-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-649-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2636-640-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-253-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2636-335-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2668-347-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2668-348-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2856-331-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2856-351-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2856-312-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2860-243-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2860-255-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2860-342-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2932-2-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2932-8-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2932-12-0x0000000002700000-0x0000000002A3D000-memory.dmp

Filesize
3.2MB

Download
memory/2932-23-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2932-29-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2932-0-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2936-296-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2936-594-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2936-301-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/2984-20-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/2984-145-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2984-13-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/3112-642-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3112-643-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3112-635-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3936-601-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/3936-598-0x0000000000580000-0x00000000006C9000-memory.dmp

Filesize
1.3MB

Download
memory/3936-596-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/4064-626-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/4084-629-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/4084-613-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download