1f1f1af58bbe59aad68e4a2135d09d1f5bfd7351372d39aa2dec34aa1279f48e

Analysis

max time kernel
61s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
Size

3.2MB
MD5

540619294401946a3a0bb2efd1907028
SHA1

d5144f616b6578c929a1424bab4fbeeaa6a52498
SHA256

1f1f1af58bbe59aad68e4a2135d09d1f5bfd7351372d39aa2dec34aa1279f48e
SHA512

c545b6f6617db5db43837dd02d7ca7aed292cebfee19f8a7391b2ea0b53aea340d0b370422d8c03cc46c5e8ca5bab656ac2b3cd0bf8cf49d5b3796340654d45f
SSDEEP

49152:q5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqyNgDUYmvFur31yAipZ:kNhSMYw8ykU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 50 IoCs

Processes:

aspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemscorsvw.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2964	aspnet_state.exe
3052	mscorsvw.exe
2848	mscorsvw.exe
940	mscorsvw.exe
1488	mscorsvw.exe
3048	ehRecvr.exe
2584	ehsched.exe
1724	elevation_service.exe
432	IEEtwCollector.exe
2688	GROOVE.EXE
1720	maintenanceservice.exe
2052	msdtc.exe
3380	mscorsvw.exe
3604	msiexec.exe
3808	OSE.EXE
3908	OSPPSVC.EXE
4008	perfhost.exe
1372	locator.exe
1344	snmptrap.exe
3088	vds.exe
1988	vssvc.exe
3344	wbengine.exe
3496	WmiApSrv.exe
1976	wmpnetwk.exe
3624	SearchIndexer.exe
2344	mscorsvw.exe
3404	mscorsvw.exe
3176	mscorsvw.exe
3436	mscorsvw.exe
3700	mscorsvw.exe
3080	mscorsvw.exe
3832	mscorsvw.exe
3236	mscorsvw.exe
856	mscorsvw.exe
3468	mscorsvw.exe
4020	mscorsvw.exe
2076	mscorsvw.exe
3556	mscorsvw.exe
2344	mscorsvw.exe
1972	mscorsvw.exe
3108	mscorsvw.exe
3164	mscorsvw.exe
1708	mscorsvw.exe
3444	mscorsvw.exe
3764	mscorsvw.exe
3600	mscorsvw.exe
1496	mscorsvw.exe
2264	mscorsvw.exe
1748	mscorsvw.exe

Loads dropped DLL 13 IoCs

Processes:

msiexec.exe

pid process

468
468
468
468
468
468
3604 msiexec.exe
468
468
468
468
468
760
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

Processes:

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exeGROOVE.EXE2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exeaspnet_state.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f2947356ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe

Drops file in Windows directory 27 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exemsdtc.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

ehRec.exeehRecvr.exeSearchIndexer.exewmpnetwk.exeOSPPSVC.EXESearchProtocolHost.exeGROOVE.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{32BF15E6-02F4-4CF6-B52C-3F621F8571AA}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{32BF15E6-02F4-4CF6-B52C-3F621F8571AA}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

chrome.exeehRec.exe2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe

pid	process
2780	chrome.exe
2780	chrome.exe
3160	ehRec.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exechrome.exemscorsvw.exemscorsvw.exeEhTray.exemsiexec.exeehRec.exevssvc.exewbengine.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1772	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
Token: SeTakeOwnershipPrivilege	2812	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	940	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: 33	2392	EhTray.exe
Token: SeIncBasePriorityPrivilege	2392	EhTray.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	940	mscorsvw.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	940	mscorsvw.exe
Token: SeShutdownPrivilege	940	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeSecurityPrivilege	3604	msiexec.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeDebugPrivilege	3160	ehRec.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeBackupPrivilege	1988	vssvc.exe
Token: SeRestorePrivilege	1988	vssvc.exe
Token: SeAuditPrivilege	1988	vssvc.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeBackupPrivilege	3344	wbengine.exe
Token: SeRestorePrivilege	3344	wbengine.exe
Token: SeSecurityPrivilege	3344	wbengine.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: 33	2392	EhTray.exe
Token: SeIncBasePriorityPrivilege	2392	EhTray.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

chrome.exeEhTray.exe

pid process

2780 chrome.exe
2780 chrome.exe
2780 chrome.exe
2392 EhTray.exe
2392 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2392 EhTray.exe
2392 EhTray.exe

pid	process
2392	EhTray.exe
2392	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exechrome.exe

description	pid	process	target process
PID 1772 wrote to memory of 2812	1772	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
PID 1772 wrote to memory of 2812	1772	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
PID 1772 wrote to memory of 2812	1772	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
PID 1772 wrote to memory of 2780	1772	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	chrome.exe
PID 1772 wrote to memory of 2780	1772	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	chrome.exe
PID 1772 wrote to memory of 2780	1772	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	chrome.exe
PID 2780 wrote to memory of 2792	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 2792	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 2792	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1208	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 2368	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 2368	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 2368	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1440	2780	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x184,0x188,0x18c,0x180,0x190,0x140221ee0,0x140221ef0,0x140221f00
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a89758,0x7fef5a89768,0x7fef5a89778
3⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:2
3⤵
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1484 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:1
3⤵
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:1
3⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1672 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:2
3⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1104 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:1
3⤵
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3268 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3284 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3864 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3708 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:1
3⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4004 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:1924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:2828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fdd7688,0x13fdd7698,0x13fdd76a8
4⤵
PID:3100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:3208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fdd7688,0x13fdd7698,0x13fdd76a8
5⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4060 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4364 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2612 --field-trial-handle=1388,i,10528728104499705384,2964814458481614738,131072 /prefetch:8
3⤵
PID:3200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3052

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 1e0 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 1dc -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 26c -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 254 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 1dc -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 1f8 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 23c -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 288 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 270 -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 28c -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 264 -NGENProcess 294 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 25c -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 278 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 22c -NGENProcess 230 -Pipe 218 -Comment "NGen Worker Process"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 268 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
2⤵
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 244 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 22c -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
2⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 27c -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
2⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 22c -NGENProcess 240 -Pipe 200 -Comment "NGen Worker Process"
2⤵
PID:3236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1f0 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1cc -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
2⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 240 -NGENProcess 1f0 -Pipe 21c -Comment "NGen Worker Process"
2⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 2b4 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2b4 -NGENProcess 27c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
2⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 24c -NGENProcess 1f8 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1d8 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2b0 -NGENProcess 240 -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 254 -NGENProcess 29c -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a8 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
2⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 294 -NGENProcess 29c -Pipe 244 -Comment "NGen Worker Process"
2⤵
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"
2⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 254 -NGENProcess 27c -Pipe 22c -Comment "NGen Worker Process"
2⤵
PID:4276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
2⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2bc -NGENProcess 24c -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 254 -NGENProcess 2c4 -Pipe 27c -Comment "NGen Worker Process"
2⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 2c0 -Pipe 24c -Comment "NGen Worker Process"
2⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2c0 -NGENProcess 2b0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:3240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b8 -NGENProcess 254 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d4 -NGENProcess 2b0 -Pipe 278 -Comment "NGen Worker Process"
2⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2dc -NGENProcess 254 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c8 -NGENProcess 254 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:4640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2bc -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:4872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2bc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e4 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2fc -NGENProcess 2c8 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e4 -NGENProcess 308 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2f0 -Pipe 25c -Comment "NGen Worker Process"
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 23c -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3048

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:432

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1720

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2052

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3808

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3624

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
2⤵
PID:3900

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:4740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
242a8fc688b11aa8661ed6c173b6a90f

SHA1
a75aafbc53e131ffa50ea24f34cf61d7a9a04c5a

SHA256
3bc44487fc4c6a0e51690531de08cb9acca45b421a9dfae554498e7203808ca1

SHA512
62ceb16ffc1b2f6c806bbaf245279c7cbdcf57a2d5ff8d6d9bebffef22af1dc0735d3cab992a579df421daee68d37e0becee549321bd21b60d095428b8a6bc16

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
765d9971d8d32f798d465df2599d7e1d

SHA1
8fe26f7fec9f58428a69c0cac0c44ee3453978ac

SHA256
36bed5c5bef74d1e94ca0319da1bcc19f1573a382dc0504db6e68a60cf44260a

SHA512
52f42192977cf46b99cb6598ffc71f52d7ac5fd69ff8617507190b94c1d72d1e04fc61d19137d19b36ccd70a42abb49e40081a048a30907d5d11146e5014299c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
aea6f04380dcb3e627c2358808083b09

SHA1
3efb5a58b9ff076802de646a7e3f0b61531b7bd8

SHA256
3afe0abe4da4bc9ad18b32fe06407318d8dd9680f5c85dfffe2a9889120c05ab

SHA512
8fedaf5adfd6b1f0bdd54f0159faf3c915c82c8ceb594d4e6417f992a881895df0578f90b28d3810ef3b94a1dcd2083a5ad5e2c0f992d5e774384cc0419eb883

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
071946fae9843d54ea2874627997f9ea

SHA1
5d57ad2b16777b3b1b4bfc08505c0624039c5782

SHA256
0ad80bed47cfda1541edc94eb1a09ccd2a0276a159b7a4a204a3214b3ece23e8

SHA512
d6ca396d1b22adad539809713c8dc4c23736800c3566fcdfde1d0a22412e7aae1882b39ff3e2710ef89321be9f5ae76d870d0d362cd2e7a37daf5bdd5da1581d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
3f77351325f22b69a9709a458a628c05

SHA1
fbe3c60cb770ba0a1548b27cc6f825d871e90f66

SHA256
6ab8c8deb359186ed99939c2f1f0c54a783636a4083b8694b791473ccd0519c7

SHA512
964d6619bd4925287421695d67b3fd95995500c4f2bf043ad163a09845a06648f4c485c1057baac919db4f16765022f29dbc7b4c830a167144a5c4a44958a8af

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
980448ffdbdb43283e8b458b782ba6c9

SHA1
88cb8fe5319631f3b20d17422f2d4792b29a6d85

SHA256
c1d5ad8bf5a2e0fb5b35954cef5c15a2c9674a186dc75fbef08d3818b8997012

SHA512
a3b1af7cc95b30510486d4f49eb167f40c7439802ea5c10b457cfc5e9ee44c83350ca85ec4e42312cc617bd32229650db33045d938afe3314815ef271aaf2031

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ecd8ebd0d441c0b49b641fbcd5444d17

SHA1
75760164655f0e440880cfb868a10a01b67b6c90

SHA256
f46d8cdf1812d342e3b49ee242fdba78935d597ccdf86989d165e28696cf62b7

SHA512
99913f343bc9df93bcd6d789c4ddb2378e7f49778836e844bee55de79a98c39a9793331a22c2e6b6f171fd3289c77586a4e32b9d9bbcefd68a0029f6d11d2256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
34a24e4b00911fe530464744ad83a679

SHA1
e571bac3a364fb0dbc47674d092beb8d8a667a60

SHA256
f43d8a96e5a356eb58c2584e1c9152318b718918a476c6d75da8d2193c1cce75

SHA512
8635c60b3ef16371469fd4fd73550a7c04f3faff1258423a5ed62500d241032f2d73e3cbe6abea78a7e218de6ff13600c70671da95795d091a6aa70b4407597c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
4f71dbd2da70d5efe785a4c8784a8a64

SHA1
21c47b2661860582dbcfbee4cdb6c5a8329d35e0

SHA256
ecf423b407a93f75d1fc864544b3e74f5bf61e6646451cdc519d4223d3d46228

SHA512
421ff0cddf6f00a328dca7084afe74e5604b731fe77754224d755d66753cf940da82784744d36d436b29c14e2c5803b8a82ae9593ebff4e69096b3767c943bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
5KB

MD5
37f67d1f4c54c7492acd214cdece0991

SHA1
624aaa64da5aad1efc93dce5180a4e85bd3d17f5

SHA256
96771bb433245ec407b50ca5e8dff3ecf2ea8bb78a58947870befa5c86a8d32b

SHA512
f215c57ef2c136235aa70aad47cebbce3444032ab5720bfb48c6402b383e70d26bd44f2f71b39f845e014e0723616a44355e3125128d491831f01230165a721a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
55eb231cf7464612d3ee9edda8543486

SHA1
c955ccc5a9c268b02947f453f0a5a716fc7f9d43

SHA256
5e60d3d7493b0236078b426bf79f03bf51f00dea51ba8f8ebdc582508d338df4

SHA512
193135b6c247bc466c2911d70f490f94fb05caa151a18dbe7ffe6d2641285a3c9078ed28c2314ad2cefec476ac3e84de10b68e3e9c3c3b84c41a64bf4e5a708e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2780_659050062\300890c0-b476-4516-b104-50b4840eb1db.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2780_659050062\CRX_INSTALL\_locales\en\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2780_659050062\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Users\Admin\AppData\Roaming\f2947356ae4ef42b.bin
Filesize
12KB

MD5
0ab6e9c2fe12febd180ff60185bc8504

SHA1
d59a5d25f0745588cb7fbac6ebed758d6be30c50

SHA256
dc522ca18d514da9fa1b343cc5d7405d74e8e5dd76785eb13029f4e2c434bb35

SHA512
0d12cab6dcfe541f7f13f2ba667e3fa5f1f2ecdaec3372842f24671a6d6f703240974f742a3736d6c846447b333288d80beea723ba91ec4c5bfaeb89004f1bb3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.5MB

MD5
7c591feb507d6ace3b9631ff6c796b9f

SHA1
4b14c9fdcf63ef62ad2660860e9d1b65bbfe1e8c

SHA256
27c11bf9890934e43ce58009c781d1120188e7f37e2b0159a51d82b212718854

SHA512
f500a51ac5b80e5ec9e6b121b5c080317935a83be961087b44273593f9fb17943cb8f6bd542dc0a03b231a4fe68b616359792e122f388f1e7c7e7b1a8a69bd82

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
450b53829e7389a535200694552cb4f9

SHA1
75c2bb7a1e5cc1411e5601fd17fc27cfe833fd77

SHA256
fb8cda6a29d69cf7a96f5159f8235ad2fc67504625fd78864f35b16371d7b45f

SHA512
6ecb0de0bd96952d716b4fc6ac8787fddd9c09d4757dabe081959d034c6d61702ff7cfb1571ad97a1ac5c19267281fd470751471da2c3f0f2185a2ccfb37e76f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.5MB

MD5
a374d88fe070ab5ba9d8b5349f081dc1

SHA1
73ffcde0dbe30c1ff44c8738e459e4af65fef54f

SHA256
8671ce250d26be62ae6c89d754dab6401507638d5fe40966114bbc4f9eca172f

SHA512
188fc80cae9ec1a84465734ac7d10d00fe93837372a3bbb31b404122194f06ad4cf9cb3d9941519026f53978d49b7f06b9b343235b5e350bf81d2ba5bca58f17

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
e09e5d91eb37c9b9c6cb12ddcacab7c2

SHA1
13c3e43c40d8f06e804c3f306226c2e12618e516

SHA256
99377324a0c4f2a6cce6e6d54cd5c6b0daa590f8eebe2b2e308dcb646261354c

SHA512
67083c2e63e85a4b08dc9da18cdcaf370752734e2756315e57fc9445cf5deb69616200b049eb81c431aa8aa8b9cad8ff5e7064a70a26ec15f03c6fcff2f3d4a5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.5MB

MD5
029d52f8ab510fc43215ff4259180a2c

SHA1
837e1da553a8d581106f29d155f3552bd5965473

SHA256
a4758eb49957da8abd048080429adfa5e73ac1e6264852046a2baa8ae44c6da0

SHA512
b464e7000dfdee65f87ed02074dd606e9c865f691aa5598a0c2a11c28fc3041fc89fcc5d2ca5aa01f40fdb86cdf3a2bf67744275ace11bbd68c697353b633a06

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
353d5b5c33f3e46a71f79e0a9adac6ba

SHA1
654ceaa01b6f143e07905361039698cc70195067

SHA256
83f446e33a1d47101a68a6c2e0f5ebe6f29dcd07d7466d2d1654c167b36baa12

SHA512
c2da593b9fdd1512d34e5b8652500d1a207f3cc327b4a27c8791d8c4bbcd8f8333eaccac06f04f783e6b8fe9dd21ffc3ccae2d0b78edb5ed0cfe6acdcb37d43f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
d5fb705b57a9e8f9831117002ee2259c

SHA1
04b755559d3a5fa35996e85a46ff2c2e372f6b63

SHA256
81f1afa9431b76810c3729e0914182f8524e1342e1aab76773b9b3f0624d2ee8

SHA512
d0e6e647aceaef19efd2004c86698638e92c19dff4a3bfa3694d7c91a54a392832045fbba7d91d0f3115e88ab1d9330c1d8ea8403492ba2a7c943a520007d887

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
7c91b8366e07d4f4327baa069f4442b9

SHA1
a2ea3e705d8398e0a28e304e426043837351d6c9

SHA256
181926fcba58c79631310f4a55cfcf4e75b06ba0f2d51ad2a11ea97ea929133e

SHA512
0aaff18d0e350b308ea0e958965c5e014142c2b8bcf863660650e9e285cf9f0414f1d1f14d8a0c40979386fe25ea63d588d046db01f6c9cc04f9db74f1f90d2c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
163ad6e251d025eb7e16e55bc2bdf850

SHA1
93e2e2d3b17ab3294cc78b53ccb47eb6ec8a5e82

SHA256
d91ed5638d71dd50394c13eff8026356bbe434a8264945a016966d2e7659d3af

SHA512
402be510fd0be73f26286ce99c45b6a201003aadc49744260d2780a0d2fd909f16cf45ea1ebeea0bb95b1fe638830ecf3d9640239eec4a803092941294e97df7

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
f17f35854adeb4444adc12b0cccfb1ce

SHA1
d339f506df0a3e5851c501d246c628af46c4b147

SHA256
134f07127b1a6c6aac9148af478df9837fd805718e620714107f862dc25e9aaa

SHA512
02486e813207391f55841bbbf14745cba789d3f87ba07c42ffc9df29731ba46fea1b86acd4e7944521d5bb6a87fa1c8adefeea347622cbe6cc87130bf4df2520

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
3991cd577eb1fe1e1ff57168529b0a33

SHA1
99d4bf880de74adf3bf50ab5039ede461d5a79e6

SHA256
89264310a76413ce665572b75bf444c9d8245612762601e3ed3220e51aab99ff

SHA512
e2d37ce5e2f59137a39bc7cd762ee6b20322838a5e1b256a4b956bb409082b26e97fca746f8266f9f32be93f1c41934bed2cca1440002a9422345f3aa1b8a262

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
49815dae4bc44df24fbbbe4ff6395028

SHA1
964689cde576e66a187e7a30901b96b11040fcd1

SHA256
c4e74e29b54701aa12d71be9bfaf5d1f51d3a2f2cad042069ff5320437b24626

SHA512
ea0e7f2da702c59b530bfd66b895a90232f9f957212869ab0c68de34cbe80acc33d596ed28fc79e3ddf6312d2cf241873949512b3768e6205f976633a97ae9d8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
8d395a3683175e7f4406c500c6aaf33a

SHA1
887f4fd36f3f84f81ef74f9883f8f8a65435f79c

SHA256
efe7a2b063e8cfee90588c1b472c7ca7b38a6535e9bfe3ee7505f522ff63c8fd

SHA512
2d3dc9e462683f78075964e7d9289792ff69a9c4af15ece0a93ed115dd0cef2f2c1775ae68e0edd51d53e3a665d56b34e2a86b7f96baf5f17cec2bbf0610d205

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.9MB

MD5
f87c482e5565a33025ac7d1d285c67af

SHA1
79c0b316aca698711a1bec8a2559672008dc1932

SHA256
69f147ec505b1068f9ccd174fae39fa3b40a937e7d1e6106177edd44891801e8

SHA512
d2b9499ee0c59c04542f0afc371ab633b17f89d0bbaaac75bfbc6baf59b37fb930357fb76753e0ce554582c072d0b63b06a2b7abee0a69fca93023e9ec7628e1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
a44e9895de0c85ea244eff90a87a48ac

SHA1
4b0b4773dcfd72e3b68cb131305f76cc7631505f

SHA256
d9f5921d22cf63c74928bc46c0ac5471238994fd43cc03873ce41952e3fff85a

SHA512
c7cb2a0b52ae128c0dce630dc7c26c3e0679e7c36c1600af32490b3633cb408e0e3ce083479dd73b6d01c555cea3879bd6bea063e63b198d1cf1197593a095c9

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
bc60db18d5846706aaf5eafaa4b44219

SHA1
d8b47fa28262e888e2b30869a8c965054b0955b4

SHA256
d52729945d95df7359794646745525f4e9ec805b44e4d1b534694e3f7095def6

SHA512
5af2e051a19cb8dbc10612f6e43bba90b3089b70520f5522d85cf2e40cebbb18deee55ab0ed062ef926a6079c71b9504f0cbe48459271d6d7dc0c728c204fbdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\44319ce72930a9962348e86e3b604133\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
12e77342fe384eab3289f88f55400b75

SHA1
101f1c6a2df64fbde22f3eebd62a967f42ee7d88

SHA256
45bd440cee0cf09629928c8ad2a492e9af9cc4dfc88175f35046efbd1693bd95

SHA512
dc3c336b63fdf1fb24a390ff6d7b407a52ae00051200657644c19994668d17cca0a4c43b36540a251780aac0c6e68a17a5d76f3ecdc7dbf7a127615718cbfc8c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5476f51cc1b1ac11285dca96a73dcb58\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
5a19b9322e50302503a82a44de3cd38e

SHA1
f66d2707f09799a44c13735566d2115b634fbd70

SHA256
e9db72851687e3c7076c23650ae0be4fb35effff87a10cb45ebc435566e93939

SHA512
bb9ed16abf1432208f5f3a337e16f11ca72a277579a7a89e9985c1d5830199337a6ad83997f106483228b98bf64ae97e494ca31252eef3421f329b916195fce1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b399f8e4541b21c5a57bfbfc6486db2a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
1d9717a25f9edbcdeb6f96ae007a984b

SHA1
5b8a47d1e0dbc5e59a8e8536ff839e75db4f8176

SHA256
4bd221dcdb8344268c012c6768b7ef56f45b49f1f8afe190689043fe492257d3

SHA512
357ebd188206133b255902fccb8c8686993c34b17dc9573b684184b952618213d613115159b7532f023a6f7d3fe70c9dd3c3466f461495d41331c38f5a7acdc1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
e73d80e7954628a040d9cfb981fa789d

SHA1
9579b7bed7344c4f748892ce2945a684c252e705

SHA256
de1689fd4315c896961f382a071f3484a3edd3a0d8b8b691f051add2a58826cf

SHA512
4cb0e51ad598f630cd46e54065ff947f8860cc260bddb02c5cd59acc5ca71edd0ff78450d08eb7c46b74dac2e095bd6569eb653aeab533a7c3bea0ab822a04af

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
1.6MB

MD5
9c46a2bd354d6646b4ff1b02c9f9ddcb

SHA1
873e0b2c138b5bba9b829d74724fb4f4c92b62a9

SHA256
e9b51a287a2a74d1e115660ba9e28d76fd614f66c7b1c3581baf7d9cbd472606

SHA512
a94bc5339c862c9cb761ec3302d70fbe803a02852eb1102a5daebdec48c758bfb84f9e7d1b4c19bc3e7ac4fd69b84d9d45ad061a0c89a94e1d6bf9c1d15ca53e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
6ba25fc07eba085b2e6e5aa2bef71af7

SHA1
858f5534156648aaf677638e8f55992bc65df178

SHA256
e4183eac4af75276e6dc82a0566c150b5fdb8d39e6a4236e469b06ac306480eb

SHA512
a69a5c2858a6508e1e71c3e8e9894f5cf090a4936c44bd495f9e0b68f3eb24abb46672dcb89d43e06fc059e223920b6b203325d0594c4915f595710ee46db049

Download Submit
\??\pipe\crashpad_2780_ILVJCWDFZGNEMZAM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
68577bcfea14da24cd9538e3e765e3a6

SHA1
24cd48f9c7f331b900ad252b4246bb48df035434

SHA256
eeff16a5d3d70455c8aa9fd9eb4afc1db243dad95035c8db3467c780ca051f37

SHA512
b89dd7154942124c79c41be7ebcbbb07800fdeb39870f73a1b12959344985c9e112d0efdbc523e271329d9d8662311fe821b0fee64fc399abbef8e806553c22f

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
1.5MB

MD5
28f10ea2d0f36c3a944664d5449e4d8f

SHA1
bfd62c533e88f0fc16db0ca5987059290e17fe3f

SHA256
4ef30ec6e60bf96059d40d76e1c4d79f012c679b7531a6e77aac49c069163c66

SHA512
56e89260005d24e2c6cbdac65453b4c243079415ca4e5bc310e45ce8fdc92d87061846914c691029146033f0c873bbc535f64f9896146976e7834899d7ee539f

Download Submit
\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
fc4fa0cf98b83d1d79a7f31d9a34c86f

SHA1
f9ec0a228d5e03ea3570c4f39e4c3c2a5562c0ab

SHA256
ae592d3c78347084ec2ac32a0d19b261889e4411ac1afa80e8ac4bafdd186b7f

SHA512
3126016e8910f06438d96c7d1a34b2f5fcdeda216d2ad7ae720daf52cd7a135e73bfe21517276ee95a4a3ad14b5d2b7d94f4c56c861c02782a8e14d2e6bf351f

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
16cea678faf97c9e2cda7fd05c8a41f5

SHA1
37bf19ac2c18b690b3f1a01dd942a2b404bf4a51

SHA256
8858f1b0eef3be6dc3ce87bd4e34b1d4303472f057f5c7d0f978042e238c7760

SHA512
e11020d4e19b8d0c4803453ff4dd8b2b50a4892ed5776b701ea13dfcd456dcfd356eb8f7ecb13fca972fb10d8fb0d1eb758c0a84b1ca9d3c9c82cc48c25de806

Download Submit
memory/432-225-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/432-488-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/432-1048-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/856-1035-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/856-1020-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/940-429-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/940-1778-0x0000000000F60000-0x0000000000F68000-memory.dmp

Filesize
32KB

Download
memory/940-1772-0x0000000001D10000-0x0000000001DB4000-memory.dmp

Filesize
656KB

Download
memory/940-1774-0x0000000001D10000-0x0000000001DFC000-memory.dmp

Filesize
944KB

Download
memory/940-1771-0x0000000001D10000-0x0000000001D9C000-memory.dmp

Filesize
560KB

Download
memory/940-1770-0x0000000000F60000-0x0000000000F7A000-memory.dmp

Filesize
104KB

Download
memory/940-113-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/940-1769-0x0000000000F60000-0x0000000000F7E000-memory.dmp

Filesize
120KB

Download
memory/940-1779-0x0000000001D10000-0x0000000001D3A000-memory.dmp

Filesize
168KB

Download
memory/940-1773-0x0000000001D10000-0x0000000001EAE000-memory.dmp

Filesize
1.6MB

Download
memory/940-1768-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/940-1775-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/940-1777-0x0000000001D10000-0x0000000001D34000-memory.dmp

Filesize
144KB

Download
memory/940-1776-0x0000000001D10000-0x0000000001D98000-memory.dmp

Filesize
544KB

Download
memory/940-105-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/940-101-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1344-507-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/1344-868-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/1372-494-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1372-855-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1488-154-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1488-148-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1488-160-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1720-387-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1720-263-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1724-212-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1724-473-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1772-26-0x0000000001DA0000-0x0000000001E00000-memory.dmp

Filesize
384KB

Download
memory/1772-11-0x0000000002720000-0x0000000002A5D000-memory.dmp

Filesize
3.2MB

Download
memory/1772-27-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1772-9-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1772-6-0x0000000001DA0000-0x0000000001E00000-memory.dmp

Filesize
384KB

Download
memory/1772-0-0x0000000001DA0000-0x0000000001E00000-memory.dmp

Filesize
384KB

Download
memory/1976-1019-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1976-578-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1988-539-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1988-896-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2052-372-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2052-538-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2344-639-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2344-800-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2344-1078-0x0000000003CC0000-0x0000000003D7A000-memory.dmp

Filesize
744KB

Download
memory/2584-192-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2584-462-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2584-1109-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2688-251-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2688-506-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2812-211-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2812-13-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/2812-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2812-21-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/2848-68-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2848-74-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2848-145-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2848-67-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2964-36-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2964-45-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2964-247-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2964-37-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3048-177-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3048-442-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3048-171-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3048-1705-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3052-50-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/3052-140-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/3052-58-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/3052-52-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/3080-914-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3080-897-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3088-886-0x0000000100000000-0x00000001001F4000-memory.dmp

Filesize
2.0MB

Download
memory/3088-518-0x0000000100000000-0x00000001001F4000-memory.dmp

Filesize
2.0MB

Download
memory/3176-871-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3176-856-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3236-973-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3236-1023-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3344-552-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3344-910-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3380-550-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3380-649-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3380-403-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3404-859-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3404-809-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3436-887-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3436-867-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3468-1032-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3468-1047-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3496-961-0x0000000100000000-0x00000001001A4000-memory.dmp

Filesize
1.6MB

Download
memory/3496-557-0x0000000100000000-0x00000001001A4000-memory.dmp

Filesize
1.6MB

Download
memory/3604-431-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/3604-432-0x0000000000620000-0x00000000007B2000-memory.dmp

Filesize
1.6MB

Download
memory/3604-555-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/3604-556-0x0000000000620000-0x00000000007B2000-memory.dmp

Filesize
1.6MB

Download
memory/3624-590-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3624-1031-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3700-900-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3700-888-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3808-581-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/3808-443-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/3832-986-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3832-911-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3908-466-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3908-638-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/4008-810-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/4008-476-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download