be8df84d9f11832440bbf7aeb68d7bca6620e2e058502692680aac6450dadf7e

Analysis

max time kernel
7s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
Size

3.2MB
MD5

88a0f86ca96a7b6abc8cec54a06abd39
SHA1

1d3c2471764a9a3390fb8a68567fa56ee343c891
SHA256

be8df84d9f11832440bbf7aeb68d7bca6620e2e058502692680aac6450dadf7e
SHA512

858484ff9927917864b3a4a2967b05c59842168e4bf6f615785becc42b2d133708fde4a00dd03ee584f3aa37f50376e96270b856b7b46463cf8affd311d48575
SSDEEP

49152:X5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqy3/snji6attJM:rNhSMYw8yvEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
468	Process not Found
2656	alg.exe
2028	aspnet_state.exe
2280	mscorsvw.exe
1160	mscorsvw.exe

Loads dropped DLL 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\716b3df4ae4ef42b.bin	alg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1556	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2820	1556	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	28
PID 1556 wrote to memory of 2820	1556	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	28
PID 1556 wrote to memory of 2820	1556	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	28
PID 1556 wrote to memory of 2948	1556	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	30
PID 1556 wrote to memory of 2948	1556	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	30
PID 1556 wrote to memory of 2948	1556	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	30
PID 2948 wrote to memory of 2476	2948	chrome.exe	31
PID 2948 wrote to memory of 2476	2948	chrome.exe	31
PID 2948 wrote to memory of 2476	2948	chrome.exe	31
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 2448	2948	chrome.exe	34
PID 2948 wrote to memory of 1576	2948	chrome.exe	35
PID 2948 wrote to memory of 1576	2948	chrome.exe	35
PID 2948 wrote to memory of 1576	2948	chrome.exe	35
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36
PID 2948 wrote to memory of 944	2948	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x17c,0x184,0x18c,0x180,0x190,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in Windows directory
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5fe9758,0x7fef5fe9768,0x7fef5fe9778
    3⤵
    PID:2476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:2
    3⤵
    PID:2448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1372 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1908 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:1
    3⤵
    PID:2000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:1
    3⤵
    PID:1124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1764 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:2
    3⤵
    PID:2864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1204 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:1
    3⤵
    PID:2020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3420 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:1344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3740 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:2272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1384 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3584 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:1
    3⤵
    PID:1900
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2628
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1400a7688,0x1400a7698,0x1400a76a8
      4⤵
      PID:1860
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:2156
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1400a7688,0x1400a7698,0x1400a76a8
        5⤵
        
        PID:736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:2520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1204 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:1876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:1156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4204 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:2220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3056 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:8
    3⤵
    PID:2140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4216 --field-trial-handle=1340,i,4490863261024524476,2036806240326392559,131072 /prefetch:1
    3⤵
    PID:2672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:320

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 184 -NGENProcess 1ac -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 254 -NGENProcess 240 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  PID:3840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 1ac -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:3404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:3444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:3732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1ac -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:3844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 278 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:4008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 284 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 27c -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 280 -NGENProcess 28c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 290 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 294 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 288 -NGENProcess 270 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 27c -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:3164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
PID:2828

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1600

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
PID:2148

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:2264

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:1504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2232

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:3068

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:1020

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:908

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2620

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1560

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:3064

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1656

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:3100

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:3168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:3240

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3676

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:3812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:3928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:3748
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:3912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
fcaebb771465ac29071b195040c56ae7

SHA1
3b751fa6795693abdddc54635d28eeb35ce14c42

SHA256
9e218b7220c1107955fccc72cc7d1ac2730d3a0d9751f42916812b55d2e48b00

SHA512
3031c471592a0c7a9b1f8b8672f7ab9eaaf2ddadb42b6a8561253f81345e4951dee590235f42fb7e1f72038b6c01184c29d02f59dbe2364a967780225073395c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b64187cf10323fd5d92683ec18097b99

SHA1
4d160072e5a3b954a90b90065a21c6d3a453ecdb

SHA256
396f281be225bf2acd990e2900300b7145f8c40c1a2d2f5cf63d00320f9159e0

SHA512
643ab8ae3b23ca464d08a8e5f913f2775c31bc2fa434b955ea52562609392f2ce223f881c9fde4539e65ee3546ee5db5e8c5e2acb5c46c2ff859280577a6687f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
95a6e6ffee9b0d71cc5a2f7fe8d5224e

SHA1
abde83221c7535dbe98b7f665e2abfd70e02108f

SHA256
109a8e4cd52827e5b6bfd829f990b7f16ff3db0bafbdad1f1599773d2b899994

SHA512
4ae9f7572fec41fe5b7625a3e9727ad6e945a91872e5fac8703fd3c4af2d6309e2d82afc7d4c5b5ad0398c7da3c6cde542dba8eb31eb3e5825de1f42a965f76d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
101d89b798dc58fe0fad42eb300fcdd2

SHA1
aed71510ff94fd0e253c30588f036be55c90dc7c

SHA256
4aa587faf363728e6bc5de1978440bdf133c2bf820a238dc78cfb0ec5fd81c36

SHA512
64eedd3a2adc72a2dad183909803d51b78be71f0e01f76be220f12bcb70fae80022d317664feb2b3a8d3be5b85c6079b871c414deab4fd9048a935992eba0d14

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
25076bc3cfe9e0757ee8f55ed18f2817

SHA1
f0773c3ef30ac520697ef1e03464da4b9c37eb80

SHA256
8556f118bb15d4ae3a735a376aafe7cc862991234ea490032d4c6210061cbc3d

SHA512
ceb3d6fd4af5303718c36574c6d75656e2dbb32ce9796df83561ffeb592b422ac225929d380faa56d7c3818df77500336857488426f58e7468f1404011859c96

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f79b53d2-5505-4181-a52b-9a3f7fe074af.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecd8ebd0d441c0b49b641fbcd5444d17

SHA1
75760164655f0e440880cfb868a10a01b67b6c90

SHA256
f46d8cdf1812d342e3b49ee242fdba78935d597ccdf86989d165e28696cf62b7

SHA512
99913f343bc9df93bcd6d789c4ddb2378e7f49778836e844bee55de79a98c39a9793331a22c2e6b6f171fd3289c77586a4e32b9d9bbcefd68a0029f6d11d2256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT~RFf771989.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
555b59d6f18c972b35e7b700f5a14efc

SHA1
ae2b733feb30168fb4314dc21905923bc5e880aa

SHA256
88385ddf4fa1481933bf45df56f0076db6639f7668ce6b064d8c34c6e52b3b1e

SHA512
a1de5333f5c47ac56800ce834f810ba0e95e5ed23fee1c779956e6cb6796a195bee83fa96a1566661ed1e8a72bc0c0af3aa4197ba27bb98b33f16891706edba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f5e1812f6e673ccf68f14ddec2ec11d5

SHA1
e36e0a399b813bcf49410afaa0d12a89f2aa67bc

SHA256
0751758d2b5ef63370a2f7d0d15deedae8b8d1f9aec2f6bc7eaf93069ba3d6fe

SHA512
614c4a0b1d622dec074d79f5e742d055fd1f1bbe8cae0871be34f2193089f5b83a84c0c98ffa85f0dacf4e176ed897a879b1654cc286ea09507ccbb5439811e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a461dceb367727af86b95c6c2afbe020

SHA1
3f24b526b474c58e629ae2f2e8401ee95956c37e

SHA256
0653c1fe52b252977caeb3de5353736de911ae830db28c55b0bc77884b72375b

SHA512
ee2be3e0c0028072e16fa26a74c795240a032f126be71d066a6c5a1cf275c067973880d4c3ff3b6a1bb8ad07c8958c6ca9e0bab9cfca768084d2bc8ba8d722de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
97a109dafb520a2d748e3553f2a51d5d

SHA1
feb01273d92f08c03e8e10ceb09d85d6d19f3313

SHA256
4a0c4e13b725bbba29bdbc86ccfad3fa7bcafb7756b0ee661a61c45083731aed

SHA512
8c47d4863e876381374f153ba210571ad186cf147fd2347f7b06876bcfc95eb670141bd76465480c6b6ec03f0c90c377fb5eb70d4a6947e1194725c9c66a15cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
1558d0bd17ba49d4394b2e0638504252

SHA1
e579f4494c4b066b472e734c3496af8d4819dc27

SHA256
800f580068f0deca8c615b83befca8fcc3e21e67095c45f489064f8273be5eaa

SHA512
ebb4d416fdae5781087272a0966ccb742729e8251654c5c3fef0f2cf578e7dc3abee459d59b78f8bad9d774d2348b5cab55c2e89e58e1761462c14674741ce73

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
213e1393f8bd088eecf92b2b0e824361

SHA1
904b12a9072996b0a73b07e4b174742d95676391

SHA256
20ca8cac15b089506b9202909846d153379f5c2e31789a3686e1ff9262d0afd4

SHA512
c3cf551ebb9e834b923f84a928b52572d031c20f2931f3fec07df23eb9cfb5082a11a589aed144e804519e14c8be6f29840d686b32b45756546f2e0d46f03e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2948_718627870\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2948_718627870\f2153398-b8d4-47fc-b7b5-9de970296ba6.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\716b3df4ae4ef42b.bin

Filesize
12KB

MD5
aab948610cf929f003323870d5538f8b

SHA1
374c86dabb1244a3873f2ba965a5a4daf77e0fa7

SHA256
90dba7c48f698c02f473ec114c9e07b65274d381a078966a310308f895d21fd9

SHA512
0738e57c7038faa8c3ea2166dc933ddf65e283455384e4408d6803fd9423e1112d707b487e176d41175f7fc8e054cd7f523c7000a12aa9fd5689108927c56e67

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
c3eb4f3775e0aff02ada03688c3d9fbe

SHA1
4647f308d745ce5285339ecbeaac229cf8be93f7

SHA256
dbe64dcee366ae53d71c89ff9c0ee6141b09eb16362ec3bff97e19b07780bf73

SHA512
d5775a258a36ea9e54186e46a0a4ceed113c78f18cbde05acbd8e50d335ac22f8d6f728a6333ef48ef95de0e475a58f49a731e90144fe77609fe74ea201ad263

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
a2440989910f5ea04425d17e1e386e56

SHA1
c79d2465635c464fa7974bec25d6a9599b87cc23

SHA256
d9e446ba417010828acd38e3760ae9290d4ede217e4a032e59cb35ba272d25ac

SHA512
7b9c7e11ce7af7d7292872ee4286267731af4b9b19d16e5cf84137b88c6dd1b176a97bdaff38057a7fe9dd72825cdc427ebb41e8a05221a43f0c92f55e047b22

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
d018cfe2345669d33d384408e74fdc8d

SHA1
d8b6727961a88721ae0bc2b1a27d0bd2ec9015e3

SHA256
5eb9168561d8cd6a42564b6b27cc002d79661a27001c89a80339774bbff2ce7e

SHA512
bfad5e19f3105ccb2d5527fdba53059e718a4488326dd3f6d5fbb2977b20d818923cb03a89c4f3a475f7750b6d7228393c2036d7e8fc60996af70ffb296ff91b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3ee02d63afb4c4b9789e49d11407cce9

SHA1
d49296ae906ed8b8071bf899325b75e2da8e4f17

SHA256
fa4c2cc479db93794b9774dda502a38209fe38d3c22274c4a90e0abdb172f3f6

SHA512
3000b75cf3e705c4968cb9f710ea9913597d2310db160a8115c8496933416cc18839342d732f19b6ecb094e36d470b1208f0e9ea04bc36722726995b4efd15d2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
bf3abd944a7a5585e76bb4602448538e

SHA1
15957cd0dc88dc958e86c7f7d816a4abb1c222d2

SHA256
39c87622da06832c941509d37be74e20039f5f968dad124cdbe71603a3c401e8

SHA512
14a6e6788c5acc1714b275e0b8ba2fdfa4eda40069fc7c422bfbf51ce58b9a3151c213f09189fa723e204c375aa2f188a5dcc30cd1372c0e6e759dc341c54157

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
005d0e91f182b388a87969dd59cad389

SHA1
b42ded3bd5d4216e6209dc0147d3cd87b054c9b0

SHA256
fbaf825dd065e17f8151a25a2828458878fac9cd6a2c8b555771a0f1c8a06661

SHA512
2c4bcc6fc4cf60c7efad49ba621ed3dcf5e6c6bff2e60774715a8e4bfe7cc05a70a2e20e551fea6da2d70b9d5f45d246a11377357f1fb7977472a560ebb36b37

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
2a9fab2e2f733c74bb401052e9a54b81

SHA1
280e5bf81fcac85c442023687e6397311b8e0258

SHA256
56a8b52fbf7d122eb6a39a17a79bc6b175606b185c85947498fadcce8249bbb5

SHA512
db09b165374f361bb9e7fa0a519b680a94716caf82474ccf20c102767d26a23c25e69a46b40cbf3774bba5c625510912bde2ad5daa6415c4018b2748a07ad668

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
eb15536afa41235ec9a8a0adc9558c93

SHA1
fc9baa8ad83593abd2f00276fa14883523ca6785

SHA256
ec905f89d39684db3a4b29b53b75d947eabc2e50789cdc895afe794f1471256e

SHA512
69b87578f7ac50db210146f247315a3df4193d39c9c2afb5f6073c36e4acf1b97ab3ca42551fe6fe01122d5593bd907a7c9d89ceee18f5064c6cc64762f6f15c

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
3ef1ed7f683d70525237ab8e97b12609

SHA1
e2c672ea9b5b97b1559cc22dd5ea0a8f893dbcf1

SHA256
1d46160e3a412322bc3975d1796d6d10052597da4e40fbfdbac51c5b8bcdcbc0

SHA512
aadd96d1353446841f0661c60c3e0576c7ae8ebc7db735eac37ae56db4bae6f2c7198a3d767ab8dad96aff8d88ef0587184ddcb3f1183e366777d6e1282bfe4b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
3e081f0aa9ce45a2dc6d9ce2566ee4d5

SHA1
9838081364cd40f73f807d3a68c1682c9adaf3bf

SHA256
03d71655aeafe82f1022167702836357a2af1142f91da5f99bce9aa06c173cd4

SHA512
2dfddf0f95527b64ebfcc3500bb14736588a9b069533a12486e41959f9a27db33140658c4940f3f3d3730f1d6ab81b654629b98b8386d37d18c738786a3b8c3f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
bc60db18d5846706aaf5eafaa4b44219

SHA1
d8b47fa28262e888e2b30869a8c965054b0955b4

SHA256
d52729945d95df7359794646745525f4e9ec805b44e4d1b534694e3f7095def6

SHA512
5af2e051a19cb8dbc10612f6e43bba90b3089b70520f5522d85cf2e40cebbb18deee55ab0ed062ef926a6079c71b9504f0cbe48459271d6d7dc0c728c204fbdf

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
c053d74c5675c8338f381370b6b3c5aa

SHA1
9a99eb9ae971f5d76731f83f3cded98a96dc437c

SHA256
71b89f86056ef07e3e3fe946e316d730baca979e71488cd21707abf3f42b64fa

SHA512
296e2704b40d17c82bc9aaab5b084c31ad4ae00bda6e744111cc145da56623b8b1dca8d9da87e4bce9e163571b38bfbf23827a874e29e8aeb72c1a78e107afd0

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
8c102ecd0dc1189e34efe9a82b415aa9

SHA1
d3472a825038b2d89f96524a1bef67f22d9f581f

SHA256
5483beba4246f80337e4657986e2bf24a9a336d82526de90e4f32102b320ea0e

SHA512
15a1bb5ce8b65a4f9d0d5df6fd33717c451a91166b7ce91a521f3532048c5ff3a677281599cdf048e7a5abcada23cbeb85e9354681eed481984824a880bc04c0

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
f4870d190257eca75d01e3321dcb8b21

SHA1
dc4229e72157c9ebc15b0bd041aa32a2397ac8b1

SHA256
38a04242ee04f298b089bd04d19eee82510370982cb0fbe693905e646d51a878

SHA512
f8f3a88f19223b95f61fb4b7b6e185e6215c2747be15552505a044261e1fd84b0a397281bc0c14d153639464bc8736b9e58afb378b8932eceb5cb2eec9ff93e0

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
f88e7f09ca560049a3ef30a2d6b07113

SHA1
6b24e1b4e573356e399806a1ec8004b26def675b

SHA256
ce8d30bba22ebd823e53e17aa3f8b0bb9d1e298d1166cb725c71649d355eff39

SHA512
d9895532aa50dd5fe2ae99d4447a13dda5b36dd18b691740cd0e142de7b3b4eb85d3ef32c46dcff7ec8db025ad6a5e702872fb5e64d162d81aa139d08fb01313

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
75193c7362900f88840febe59c117d75

SHA1
fde28abef78432fea629616cea98094562ade0b1

SHA256
ef099c22ecf3810813a0c774ed9ef25e2469d831c6829431e57f6dd8947ada99

SHA512
0f44e4603a4b485f95f02bc2b205751ad8dd62b22ba747a8deb36e5ef6f7b474f148d5b91ec2084727d8b728370d94d7a120a08011bc0b0a376a60c1ab1ba18a

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
0e36884f7d63eff153b41696c3e2e5a0

SHA1
cceafbcc5eb6a7942a8c1e9973532fc6c0f5c13f

SHA256
e75ac549824be89b65315458008e2e3071c57e90e09b5e94ba412b534788baf4

SHA512
85d4a69fd4d136eabc0cf0833ccbb4c86184acef12072eb08aaa6464f586f96bfff46abdca1bc3f64eb33f7c040f30765e35a4b07d9ea54ea8e43269d7481f88

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
6187b7be717e00f6789e24434366b88b

SHA1
8828fe9b6c748aabb87eb1b685deb2e56e8bb6e6

SHA256
d7c170a30d45220f52a2e7ef6eef5efa4f6981e2026213f1b5a7f7d0a44ad52f

SHA512
2cf10f090573b3f6cdc88b07b7906eb7838f1d595a6c326d1d2608448c78d5cc48f8a06bf7177c6daf3d5101f670ff1fcd40550b38bb9360d3baf795fc157e43

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b5b4bde90a57fbfd57ebd1a43efab0ab

SHA1
6f76550ea042391980fccf5781a7b8d56d4ec149

SHA256
82449e0d88ad55773c1636a811818adda56d160757ace240cfaee655deb386f3

SHA512
12ef70ce6d5d86353542cc1d451f800c89e4f2ae47b0c811f1320fb46be576194aadb8c78d5b0ef6d02d6a15a06e962b53e34fbb7b67157e80508fab5ed2a899

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
447af7e9dd4f8467018ff4ddbd24d416

SHA1
612bf9ac98289a48023edca675b668c4ad30c63d

SHA256
1be540f44251cd9a2bca0aa309f7cfa12a2963da76c442c606944d4c5ec0e3ea

SHA512
9efa03cdf03b593b3bff825033a6cd982909cca7785d163757a6ee6b1bf9d2144c41a61661c9981a4adcf9bec289db8330dc11ce3be9bc1af4d96761575f5ba1

Download Submit
memory/760-847-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/760-837-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/908-827-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/908-844-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1020-823-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/1020-826-0x000007FEF1920000-0x000007FEF22BD000-memory.dmp

Filesize
9.6MB

Download
memory/1020-821-0x000007FEF1920000-0x000007FEF22BD000-memory.dmp

Filesize
9.6MB

Download
memory/1160-121-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1160-122-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1160-673-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1556-1-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1556-7-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1556-38-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1556-0-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1556-32-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1556-8-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1556-13-0x0000000002700000-0x0000000002A3D000-memory.dmp

Filesize
3.2MB

Download
memory/1560-862-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1560-848-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1560-854-0x0000000000210000-0x00000000002C2000-memory.dmp

Filesize
712KB

Download
memory/1600-698-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1600-699-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1600-706-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1600-790-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1600-782-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1656-936-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2028-490-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2028-49-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2028-50-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2028-58-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2148-716-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2148-736-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2148-839-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2148-756-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2232-872-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2232-768-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2232-759-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2264-860-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2264-741-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2264-852-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2264-749-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2280-80-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2280-98-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2280-662-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2280-103-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2572-833-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2572-933-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-829-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-667-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2592-666-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-755-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-672-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2620-831-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2620-835-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2620-843-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2620-842-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2656-37-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2656-332-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2656-26-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2656-39-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2656-24-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2820-143-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2820-12-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2820-15-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2820-21-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2828-682-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2828-683-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2828-689-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2828-766-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3064-866-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/3064-874-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/3068-784-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3068-775-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3100-939-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/3100-941-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/3168-943-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/3168-945-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/3240-946-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/3240-948-0x0000000000150000-0x00000000001B0000-memory.dmp

Filesize
384KB

Download