b620a565d18dad40692a6691be155c5f36271a5f45496ed4cf1f5581d6567fa7

Analysis

max time kernel
11s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
Size

3.2MB
MD5

31a2c4e1236c38ae6970c7ea759afe61
SHA1

b2aaa67cd5a5d47c1de0c3ad39e4f0b4c95640d3
SHA256

b620a565d18dad40692a6691be155c5f36271a5f45496ed4cf1f5581d6567fa7
SHA512

1d78f0d2ff98d2fa7daee2a189349626108ada2da61004b1a9226ee5a659476feab8be16e31560a3bdfb71d968bad2948e148c6cfa4d99d95bbc5ad94f71221a
SSDEEP

49152:J5k1YCdptya507NUUWn043oHS3fT8YwVq1/xT3DDbw0TUqy6Cks7R9L58UqFJjs5:5NhS4Yw8ySC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
464	Process not Found
2648	alg.exe
2836	aspnet_state.exe
292	mscorsvw.exe
1136	mscorsvw.exe
524	mscorsvw.exe
2096	mscorsvw.exe
588	ehRecvr.exe

Loads dropped DLL 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1c377217ae4ef42b.bin	alg.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	chrome.exe
2508	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2240	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	524	mscorsvw.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2252	2240	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	28
PID 2240 wrote to memory of 2252	2240	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	28
PID 2240 wrote to memory of 2252	2240	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	28
PID 2240 wrote to memory of 2508	2240	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	30
PID 2240 wrote to memory of 2508	2240	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	30
PID 2240 wrote to memory of 2508	2240	2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe	30
PID 2508 wrote to memory of 2656	2508	chrome.exe	31
PID 2508 wrote to memory of 2656	2508	chrome.exe	31
PID 2508 wrote to memory of 2656	2508	chrome.exe	31
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1772	2508	chrome.exe	35
PID 2508 wrote to memory of 1648	2508	chrome.exe	36
PID 2508 wrote to memory of 1648	2508	chrome.exe	36
PID 2508 wrote to memory of 1648	2508	chrome.exe	36
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37
PID 2508 wrote to memory of 1976	2508	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_31a2c4e1236c38ae6970c7ea759afe61_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x180,0x188,0x190,0x184,0x194,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef73c9758,0x7fef73c9768,0x7fef73c9778
    3⤵
    PID:2656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:2
    3⤵
    PID:1772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:1648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:1976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:1
    3⤵
    PID:2740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:1
    3⤵
    PID:2452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1376 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:2
    3⤵
    PID:1560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2272 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:1
    3⤵
    PID:2376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:1840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:3032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:1148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:1540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3708 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:1068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3648 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:1
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:628
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2296
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140357688,0x140357698,0x1403576a8
      4⤵
      PID:2080
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:1824
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140357688,0x140357698,0x1403576a8
        5⤵
        
        PID:912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1304 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:2716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=544 --field-trial-handle=1156,i,7386782020062839746,2852035334265296428,131072 /prefetch:8
    3⤵
    PID:1072

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:292

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 24c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2096

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:588

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:1508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1656

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:1988

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2016

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:1832

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2140

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2308

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:1728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1312

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2372

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2128

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
5def7930df82e7dcc53aa9bf7bef7e11

SHA1
f1fddc62eec9ba39e8a0f1197e5d35567a5816f0

SHA256
9c168b7de20a4d83b8fad15f5e1bb06f5efe425151198f9ed350fb9faf9efee0

SHA512
b082e8077cfca427e3aca36981448e47efd4317241cf71b46d023eeeab634e8f55b8d8c10e129bcc63e3a6e002efe38600f8dc0ebd0284053c8ea96b4e6fe4be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
615c94b28e79d38690b4e16d2fce56a9

SHA1
a9e7800bad3ffba6350ff204c4d41a695525111a

SHA256
294771aae18c02f375fed1c13ea10d341e2d55880254290cce10c0afda709fa3

SHA512
7b9121f9524e3eca197a0c56ecc5bd7d98e2761fec2c1d25662d31921a38b59a8aeceb7d51f0287a80441688097902530eb654fb1e956815f5000ed5e6da1aa6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d187b1fa6774436ed6878a17662a5d1c

SHA1
ddc8caf88e081d47a5cdfecc9d01c1aacf55df14

SHA256
3cf27d9df93a8255f24f93ffcc7357184a4b9f08d75c9f4cdb7cc3d6844e744c

SHA512
052d6c4ebe365ff91b2878d02b0e2aab64cbc5eb85ec8ade7ee87ad5c09002135034d75caefc736feccd5fe896b2840b938c9ea33c173dcea61c6e06842c4e32

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f1d61813aa6317515e27834e306b280a

SHA1
046b353f1ff8b03a4ca735656b41e0fd48a7e9e4

SHA256
1e8b4be87b18d77124d9d51a21fd1b807abc8d75df037a407a527dbcf3971bc3

SHA512
bdab951886d87e0d06960cb7d7d1c7dbb536419931919cbc8fd62014ea236a985887553ca2ccaf9726d634bc54084796dd2e429f492e45054641bc4ba86ac4d1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fd0648f9b07117e9ccf21d4bd40b1ddc

SHA1
cadfa598c9193e44f5696e1df96f1aef3cd2ad78

SHA256
10d13cea9f8af6784dbe91e99e8e26ec3acc15a16de8bc14bd93b0ab87aade3c

SHA512
73661bb7b4adee238dd330bd48b3419adf49498377dcf81a4de67f8aa5f0f3c4181022a6e64ad6992a2b6a9aa6e16b4431bac9a56cd25b4cf5a298249dd7fe6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecd8ebd0d441c0b49b641fbcd5444d17

SHA1
75760164655f0e440880cfb868a10a01b67b6c90

SHA256
f46d8cdf1812d342e3b49ee242fdba78935d597ccdf86989d165e28696cf62b7

SHA512
99913f343bc9df93bcd6d789c4ddb2378e7f49778836e844bee55de79a98c39a9793331a22c2e6b6f171fd3289c77586a4e32b9d9bbcefd68a0029f6d11d2256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
d897082f3aa09da560d5ce763b734bb3

SHA1
79b2a92ea4c404b91c54b304272baec5494be8e1

SHA256
ba5b16ed42aa0de4096702f8ae8a261a21ce62927dbebc8afc2209cf8d9939a3

SHA512
77b169d903593b988cd2acef134404bfe4d6956f7f474c58e9e583fcfae8c7e2204f49331451227e09e8600099b2f9089e11e059c8d1386d953732630d15159a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
193c98cfaba1e5169e0d901d12207198

SHA1
8104cfb0d1ad63bdd73e1507185cb81428647858

SHA256
452e82995a1550df713d6e14ac104027c12516de18f0904cd67099391556885e

SHA512
e3cd0778fe0e81896a02e17fb1cf96e93d9ee366a9d0d89aa86bbe96b7c6b5a4367c30c925b90f07c4923aa5a4d2ccdff982a16caa260e867196f8b3d8ce8f66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8e8749cb9cfc8a6f9207099a0e19aec9

SHA1
1cd038719bf3aa3df8c87b5becc68b2647f5bc0e

SHA256
8e5bccce3aa2a556d28d18983a4505805b80107bee4f3eef13f818eef381ff0a

SHA512
1397963800e438360e0ec9b132f7df98cd1205bff71b202a088e578b562944473b88077cdbfa9a4700ab9d2c9a821b6431da3c8b7ba01178e0086ce6a1676e5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
3KB

MD5
095c28807b9f2f04bbc611cd334be259

SHA1
0360403c05544bc7acc5d4f0b5dbd1cad7740ae5

SHA256
36249e80596c9e11c531e55b28989fd004aeb8139ec85a95bf0ffc8a63728cf9

SHA512
c8a9e5f7352130974c4300c79189116e582abfca5bbe9b886ea1a1760dff4e3971d7a10cc3dd33083be35267595a40427fdc5c6fe4fd9a07317c88761e77e9b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
869e5303c958a3c2c5a543b0208f3b0c

SHA1
9a1d0ccfebb2ad3e672f3ea1d696f62d44a8da8c

SHA256
76e7a5901abff7e06acf3676fa2cac5c333c2d8c25be45176f1a4181497f51f2

SHA512
1dddea740552baca793f923dbf04c44d0da643840e8706d84b5eb2c9caf03453a90756ad206c3853aac589ad638dde83fae382e6b42799b8a65c7f20d6943d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
89fdb716c3341df7f82a58c6b4818a67

SHA1
5eb63fbf05fc3059613f244c8574ee4c6b4a4fa6

SHA256
628a11bc53f800be60ea3e62ff30ac6116c281c8a18568eeabb8f59ec259a1b4

SHA512
48269f448882b77fdeec18bd7ee489db1ffb66dba50719cd173de2be14036ae06c35958ac4dbc0b1d003ee9ca48a556a7c08bc3dd6845bcb4fc386f21ca12f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2508_1185554870\0986f7de-12cf-4f05-95e6-fce9b2197009.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\1c377217ae4ef42b.bin

Filesize
12KB

MD5
decfa07197ba34a68d26bd311af677c6

SHA1
fd0e8784353165f26a5a4f40902c83e4dba790e9

SHA256
46b981beae5093ba192d1bb371b0c02f8ea5d492f8c5e7f2a87e0d9248c5c8c5

SHA512
2bf7901316981bfd1496e05655768481dcb2664c07c60447c9c3c6b2444dcd6bb9555792dbe1ebccecb5492258911c84b5e4d71ceea0c530efc3dc4698e10971

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
848f23300fc08b93414a57889bb3ee5d

SHA1
2365bd7b1d19eb540323b10dca706e486c9c447d

SHA256
0f61caa626ba0964e9354524231aece141a8fc3f12256c155a3f5fe3b7c8b812

SHA512
8a8c7d4afc07b514a12ab06b974195020776001af2e7ec694f99f857fc3a3d616d3e7c3edb82ec66c6d4821011f7f66284b13c256229a7364b2e3738b3a19148

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
91d4e8dca5f4efbc5531e193bcd70c0f

SHA1
7c64005cf7218dc7258aec5a561e0eae3098ad89

SHA256
9b0f2a8186828277cc495ba48b8bcdc9aa33054e8fc7419c0d4f48dbaeb8a450

SHA512
1af3e1227ea6ac806f1b2e338d77301808fb0bd5844fefe529307489f5d9eace320fcca05f2670d5516f5944acada97ce234813857ed92891e51502bf0c2dbef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
59e43eaeb73571fe02fd7461e55da5a7

SHA1
35ae7f3eebe402cf9dd41cfde27a658df65d8674

SHA256
174a424e310dc4fa5884c2c8294d35405a8d6e038223bda2a9c169548b980a43

SHA512
ce519c4db8c7d883ce574f49f8ea67f5e2a0a4d892db9150d5b337a6959e481214272d7e47ccd15453021353558939bdd71078437e074d8a08635b6b0c65cdf9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4fb18d93d9014be764f8985f072f3099

SHA1
ad9cc6ba3b7373d2497703dffd73b31f360f7174

SHA256
7ace165fbb0e586c0af55d8dceb8a711a5de0f1fe9e70bc2ae58cfcdca7ff27a

SHA512
a551776ca280eac8fb64f48da3034eeb763ec841d8fa3b0875debb43679fafb16fdc613b872dee6d11fff5832abd280a365f9e22df8aac242ae2d20ed6509ad3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c2896760285714b04ce39da360211a40

SHA1
397e64f51a7d2eee7a725528b9af2728be134f7e

SHA256
185c90f2b3633b2e19c988109e9b829c0e28730f74c96c463dad768612872aaa

SHA512
7d4e183f55b16b5b438757a19c03fd8ad85b7135d639c1e5e1e47e2e9084a11d8c03951531fd673cad6f40f3fbe08370600e994fc11d10b97eb7c5c425fa1ba2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
808a08e9482864896a3b1cd6792075df

SHA1
42851f4eae7f99431a33cfb84cdc3b30ff5549f7

SHA256
57c0283f4fde37ee30177cb88f2af5bb8d2b8f84fa5d54d5e963d8b796ec35f8

SHA512
eae44646d1dbe66fd83776b3e6a229ad54a218861617debc29315929bf4b5b91e83a57ed724221cd9d9b281ef49ff8168fcd629b7d80f07f4aae1d8b5210554c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
bc5f144fbd887c2ff4898a45e329e2a5

SHA1
863fe3f2f30f842ac4ac6a0ecf61e8569b5072da

SHA256
8b327831bbcafb88e68e8565eaf1ae1142f72c7b13055019204c88ff0ee1dec4

SHA512
5e67a9a71cdea5e32646f0beda2f8024bb1c70b2a78bafb99b1a1401ca02d5a1a392d92720ed279d8ff12f68d7497742dc6844e72e0b8760a176ff1ac585c055

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
2bc9bbf1a04d32d7ceea39ee33742564

SHA1
5358777a900f7af273ccbb929c3dd8a235c08459

SHA256
0aeba609401b1d1d088803195f9fb8ceed61599a7a66f15300c08f3d13a0d8a9

SHA512
81aacdb3f8e3f6a05bcef58777375eddfa40c05c252fb8288e13a28bce0f34a8986d248d0ced99b492cdc12dc48933c1997edf812af5a3a6aaa99a609e644ac2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ce1714d03da4e11a8c3565f5babd5b5d

SHA1
4e5191d7c973824b5bd5864e6e6291d1966aa103

SHA256
e96e4097fd2a91a76f87fa8b1d2ed63303346f8447e137b1c513c436233d482f

SHA512
27ef6d25422dc6a52bd22e526498377604f7724fb28283a140e22e59d09b11727bc2e471bd4626b7791617a133bd683141b56bd213f42eea11261eaea2675fa8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
a76e908edf8dba1eaf3df8bcc9fd32d3

SHA1
b6b913cd68e6b0da6ba63788b23762cf0f1a776b

SHA256
8e5952ba9ab6897d9c07fd89b2ad46369a46882d4b8becd05a69bbf87de7e69d

SHA512
68e606d71b872e1a68f4fa6d870ecf89a6a0085f276bb13d5b764ee042d3aec004a472d6a81d3e2640d89ef2284b2081596b94d0ce2ec1c29b3a746da9df8905

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
bc60db18d5846706aaf5eafaa4b44219

SHA1
d8b47fa28262e888e2b30869a8c965054b0955b4

SHA256
d52729945d95df7359794646745525f4e9ec805b44e4d1b534694e3f7095def6

SHA512
5af2e051a19cb8dbc10612f6e43bba90b3089b70520f5522d85cf2e40cebbb18deee55ab0ed062ef926a6079c71b9504f0cbe48459271d6d7dc0c728c204fbdf

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
e3422a31215a99e36630bad478c78c87

SHA1
ec8c1c5a5b5339ef795c770c05c3dc6a3ffaca81

SHA256
79061b74e93d69263cec71d4753342dddad67da7487c8c57097df2610df07b3a

SHA512
6ce22c7e2bcc3b6afacf06dcee26ef5a48c4b5c7fbd1f8ef4d040f622faed7a77e14ce97f82724929dafd146e4ceff0eaa298d9d227ccb4c0f6b51bbafe5b6e0

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d31a616fd303438989801242dc9a86ed

SHA1
b4e4abee495ee941bda996fca5a032bcad467847

SHA256
525515004a56bff6bc7ab9e9838cea6046913b09845904c06005b5aa49f13ff7

SHA512
1b05025c48407c9d975214dd24938d43af3ba29353574ce48249b45b6df6fde70fc702996a29e218e65faf7ed8b062db3d510d61f5f46bb19e7ac02cd4d9cd3d

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
75605dbe9285db6daa2f03ed02a89d04

SHA1
b6f8a62c6591d41863f3417e8da7b684adae8ac1

SHA256
192b3b629de7f1675164cf1bcb0f8874521a0be334f7f1215a7a50ef3459480a

SHA512
c2b9df53df4fbc3dead45f5108d33c271096898c7850332d2c5a141105f67f064394fc702136a64a6af63097d4c287cc29700435efe73dae7a038a7f5d5c32a9

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
0c1860165eeb6751d6c9c558c892b805

SHA1
b4378cfc30623a00e7e480cb0b62d812fd3508a7

SHA256
7c951b2515d6ea739887525a07d3776ab84982bfc0d1d517fd7c217c9ec86298

SHA512
ccac1e098fd056223e433530fe2fe7d69ddc43d33d61b154f856b16ccc851372ebe0c5ebad53ea933d4fa6c78097b8c05ee01479b6085fc1852001a492e168f3

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
0264a3fe0258ebd1d9455c8d1e662fa5

SHA1
3183e1420befdede1618cb30318d2e7473ea0946

SHA256
4d1fab7f4a4b2608205ceb6bbfa1486a0c724dfa89190d07952092b329a1ea96

SHA512
e79ff8ba8232d5ccf0215db2d4dc4a4e682c124d91fe9aa1268d08f820149ed3e883bdc0c8ec94571ecd0aa388016758c87932d487121d8990efc7d596b15fe8

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
7a10fb40befa1d73c2752ba82863854b

SHA1
a26c0d2df224ee03c932687292044e201b2eae27

SHA256
04bf8255e5ec7c87815de706265124103bbeac1ef6f46fb2e2ef4c6d3abc15ed

SHA512
a8721d78deb80d9c1d2fc31fdb70f3f0e04e70817f344fa461cd42e385d7024877cc0d59a10f0f7bdca5905135197235d1f230bda37812fe074bb12d7b8ce54c

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
95b58ef22488831f729c0523c1517fdf

SHA1
236c2bbc1c62795cdb930bf3036ec5ab58b22f8d

SHA256
4d28d758e48a39d190a72570ca462545c3a6f879fc9c6b552f68d3eaa0316063

SHA512
ef6beef19ac854f2fcb6fe31411d0bc0e0a0020c0544159783335d762dfaddf7f316d00bc2f911de50c300e18a0ce633ec678cb88bb1eee9186650b9005e494c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
bf2c2ee7f3ed9d1f99842a72d2171a44

SHA1
dc09b74c83ac0012b956403f231b207d1afc9824

SHA256
25fc93d3a1abb29fbd008752417c3526e008e38bf214520640570dbecd7772ae

SHA512
f777d9ec243437d97d933611b1954101780e9c258c6f73533bf69306f0065355fdf9e4cecd9fcfeee5cd3239a78b7175f659cf664f4ef08994ab8569981a4de5

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
2ee83ea77e6f76e501427f705d7f52cb

SHA1
2baeac12eab7436d7db091a61a529020305eb706

SHA256
889193a62dbd6d55e37b35f072be36168e60b27fa90dbbee65ab50c0563c3f89

SHA512
fba44c7b3e1e94e6bea3bd7359ecffb0af4d019aef1bd259e1066b3a0b8f34beefc68d9137636448df17e2db12d828c03450290212663cf015b2c536c033164e

Download Submit
memory/292-53-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/292-52-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/292-141-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/292-59-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/524-100-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/524-119-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/524-118-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/524-224-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/588-164-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/588-163-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/588-192-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/588-194-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/588-273-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/588-418-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/588-386-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1136-208-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1136-82-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1508-225-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1508-212-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1508-213-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1508-407-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1592-558-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/1592-615-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1592-550-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1644-720-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1644-541-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1644-546-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1644-730-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-420-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1656-556-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1656-413-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1728-390-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1728-537-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1728-422-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-395-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1728-612-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-607-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1832-603-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1832-609-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1832-735-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1912-726-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1912-734-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1988-687-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1988-435-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1988-427-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2016-533-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/2016-524-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2016-700-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2096-149-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2096-153-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2096-143-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2140-686-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2140-702-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2140-694-0x0000000000510000-0x00000000006A3000-memory.dmp

Filesize
1.6MB

Download
memory/2240-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2240-0-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2240-31-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2240-26-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2240-8-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2240-13-0x0000000002860000-0x0000000002B9D000-memory.dmp

Filesize
3.2MB

Download
memory/2252-151-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2252-16-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2252-12-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2252-20-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2252-21-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2308-710-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2308-721-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2344-337-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/2344-430-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2344-423-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2344-326-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2344-367-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2648-30-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2648-161-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2648-32-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2648-42-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2836-191-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2836-48-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download