bda264b64178257ee2590c8c3fedeee851322a8f03a8eac970ea3c36c3822524

Analysis

max time kernel
20s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
Size

4.8MB
MD5

191b51a6c776ae3e80f3d4a4e0fc7c2a
SHA1

99f325838412867a0141c454229fde8de7dc47ae
SHA256

bda264b64178257ee2590c8c3fedeee851322a8f03a8eac970ea3c36c3822524
SHA512

b442c6c3718b3de89afde6e22b0b07c09d4ce3a52d3be92a2b55e0ccfcb9d55023325a30f6996ecb03c2921325358bc662046ba2200e6ec209258ab25020c56f
SSDEEP

49152:Qj8f3jtqiCLg9LK2hIOR+k9jdAsizqxSiZ4K5MZqkL92c6nkdmbD7iIerM1R6ZP6:7rZ4K5M+XD7iIewG+x6xZ14WB2Yyjl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
460	Process not Found
2976	aspnet_state.exe
2580	mscorsvw.exe
1164	mscorsvw.exe
1312	mscorsvw.exe
2924	mscorsvw.exe
1400	ehRecvr.exe
632	ehsched.exe
2164	elevation_service.exe
1824	IEEtwCollector.exe
3008	GROOVE.EXE
2568	maintenanceservice.exe
2276	msdtc.exe
2808	msiexec.exe
1572	OSE.EXE
3128	mscorsvw.exe
3144	perfhost.exe
3316	locator.exe
3480	snmptrap.exe
3588	vds.exe
3668	vssvc.exe
3800	wbengine.exe

Loads dropped DLL 10 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2808	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d88f189d5f6c6349.bin	mscorsvw.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2144	chrome.exe
2144	chrome.exe
1592	ehRec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1628	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	1312	mscorsvw.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: 33	1436	EhTray.exe
Token: SeIncBasePriorityPrivilege	1436	EhTray.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	1312	mscorsvw.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	1312	mscorsvw.exe
Token: SeShutdownPrivilege	1312	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2924	mscorsvw.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeSecurityPrivilege	2808	msiexec.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeDebugPrivilege	1592	ehRec.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeBackupPrivilege	3668	vssvc.exe
Token: SeRestorePrivilege	3668	vssvc.exe
Token: SeAuditPrivilege	3668	vssvc.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1224	1628	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	30
PID 1628 wrote to memory of 1224	1628	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	30
PID 1628 wrote to memory of 1224	1628	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	30
PID 1628 wrote to memory of 2144	1628	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	31
PID 1628 wrote to memory of 2144	1628	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	31
PID 1628 wrote to memory of 2144	1628	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	31
PID 2144 wrote to memory of 2952	2144	chrome.exe	32
PID 2144 wrote to memory of 2952	2144	chrome.exe	32
PID 2144 wrote to memory of 2952	2144	chrome.exe	32
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1872	2144	chrome.exe	35
PID 2144 wrote to memory of 1132	2144	chrome.exe	36
PID 2144 wrote to memory of 1132	2144	chrome.exe	36
PID 2144 wrote to memory of 1132	2144	chrome.exe	36
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37
PID 2144 wrote to memory of 2360	2144	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x19c,0x1a0,0x1a4,0x198,0x1a8,0x1403b7688,0x1403b7698,0x1403b76a8
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8129758,0x7fef8129768,0x7fef8129778
    3⤵
    PID:2952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:2
    3⤵
    PID:1872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:1132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:2360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2108 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2116 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:1
    3⤵
    PID:2032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2964 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:1700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:2
    3⤵
    PID:2916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1264 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:1
    3⤵
    PID:2512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2964 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:2060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2940 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:1152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3848 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4184 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:2832
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:3068
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fa27688,0x13fa27698,0x13fa276a8
      4⤵
      PID:2504
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:2568
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fa27688,0x13fa27698,0x13fa276a8
        5⤵
        
        PID:1828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4272 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:4088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:3176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4256 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
    3⤵
    PID:3516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2476

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2dc -NGENProcess 2cc -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2dc -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:3992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f0 -NGENProcess 25c -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:3760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 2d4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:3724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2ec -NGENProcess 300 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 2d4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:3820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:3488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 30c -NGENProcess 2ec -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:4036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2d4 -NGENProcess 314 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2e8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:3684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 310 -NGENProcess 320 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:3696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f4 -NGENProcess 2e8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:3352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2f4 -NGENProcess 310 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:3556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f4 -NGENProcess 324 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:3744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 330 -NGENProcess 310 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 310 -NGENProcess 328 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:4080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 314 -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 338 -NGENProcess 300 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 324 -NGENProcess 320 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 31c -NGENProcess 340 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:3932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 3b0 -NGENProcess 380 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3a0 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:4072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3b8 -NGENProcess 31c -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:3880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 31c -NGENProcess 3bc -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:3716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3a4 -NGENProcess 39c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 35c -NGENProcess 368 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:3564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 36c -NGENProcess 310 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3e0 -NGENProcess 35c -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 310 -NGENProcess 35c -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 3ec -NGENProcess 3bc -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3e0 -NGENProcess 3bc -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 39c -NGENProcess 3bc -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:3216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3bc -NGENProcess 3e4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:3796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3cc -NGENProcess 35c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 410 -NGENProcess 3fc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 35c -NGENProcess 3e4 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3f8 -NGENProcess 410 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 414 -NGENProcess 410 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 438 -NGENProcess 380 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 380 -NGENProcess 428 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 3fc -NGENProcess 430 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:3360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 440 -NGENProcess 430 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:4072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 42c -NGENProcess 444 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:3964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 444 -NGENProcess 428 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 44c -NGENProcess 430 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 430 -NGENProcess 42c -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 450 -NGENProcess 414 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:4040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 414 -NGENProcess 44c -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 458 -NGENProcess 42c -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 42c -NGENProcess 450 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 45c -NGENProcess 44c -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 44c -NGENProcess 458 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:3352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1fc -NGENProcess 430 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:3168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 450 -NGENProcess 460 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:3156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:3968

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1400

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1824

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3008

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2568

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2276

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3144

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3952

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:3392

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:3640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 600 604 612 65536 608
  2⤵
  PID:4000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
b993eb36cc8ae1dd85a12f856af3d71a

SHA1
c136046f66a5e5c71d659d8479629815b1b687ee

SHA256
45830e500e29918338454e2a9b8a034bdc59b80430a8e65048819b74046dbba3

SHA512
3f2b161f364b6964d8f83b72ecd5da305413033a7aee24c75d246d08b840972cc417996f9491ef59c68bcbd7063fa1bc4338745534b7eb86769d13dd4801d593

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
67b6e71f9c8172417bb185c5e70f3d3d

SHA1
7a1417772757379d2a9ac8ea5fa4c78c3a1d3258

SHA256
5d4568856f0aee8e258c939b88bfaf834a570c6aafc9cbcab0c86e3a341d0a57

SHA512
164827936ac5a091945fc7a664ae5dcc866ad0833ada9532c59938b1211866ed589c263eb9a1020eaa49d21637445e56e5fcd3bd4fc989f32a44f5f33c729249

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
480567aacc9647a42a27b7272743c990

SHA1
bebdd8878bafd425cd1ff927996720f1c6115d67

SHA256
9341e4c0443aef56db4e0a17f7977f87aaff8cd78860319b0c8d157ae5ed1e92

SHA512
91ee3dd77a8d365779c2c816c6f701c05afffa76c9f33028c030e71d2a05b849b77b2d637d8f63b10e6e5060844b718ec5942f83a0f0e22050b7b495eaebf4be

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6729c4f61fcd6b6075c6d58219fce4eb

SHA1
cb1e1bed38c3cb21a16fa4ced541cc8f54fe309b

SHA256
cbbe2d8d21fd8965184f660a66f3d7bc10c335959df0542429daebe48f67dec2

SHA512
43e488a3b954f491697e0e67e3bec5dd168a0661367109361b6100d50c321597239e76768037fc12d63aa13e6d24006d1bd7d5cae8d0f0d998b9087688ec89fc

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\186f328d-3cd3-4acf-a137-c6e39ef58df4.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9b1c99d5245940563e9e81e95c4832ec

SHA1
1bc5970a797d7160879f1ab93559a23b736a2ce7

SHA256
5e5e2d6ab15529a13c5f6fddf4908f82199df64cd0fff65ec624e324f6f20a45

SHA512
6d270d67927d391ddb39f5f2c3bbcbe36add45dc5cbf35099b0876b1b1c91f7ff23389e564bdf583fb4245984cd0a8af8f75ef87695296a8dc1d91269763b957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3f363e591f7d1b14a41f6768194dd641

SHA1
e831e7dbf296dcbc532ec9d818e097cb2a7120ec

SHA256
4b751e54995c791a7fd8f60c946d7b9ce840d4eca161ffecd58d3b647358776e

SHA512
6aed1efb3ea9acfa580e1d0b89db30e51936d05d1925cb38b4edbf4158c50180d72dd4ee086e42dcc8f5c47306dacac51cb3e96379e5b0357099e917e46ab4af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b521a55802a5eb386c048a82c74f95e0

SHA1
aa2d778750c2285c71dd118e55b2daca13fcafbb

SHA256
b22ce1c7c90e94a06eae66b1a16112a0f7761228483f756295cd1cc85ea58246

SHA512
2721d1b41b690da60bfe0536bf38e435612793a66fb5e52623043a4ad80572f82aa71dfc5ad61937f3338724b478504abbcb012356a4e1df42616a730a9ef5ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8a215d5fb9c5b0e56ae35c411ca48b6e

SHA1
588bbb042270d93a27ad4b44c3892f98d394095e

SHA256
89fb8d51798220d2cb46d144bb362075fd836486d2b26b3315945170b3376413

SHA512
9a578e8064420b0968de4b540561f88502deef92887d3b7e2a8f301c4e86694808a5075d2c41cc0a908a46a818bf01f80b3f3f9aaa3801332bb76415ff08e4f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
a9468cf91e7ed394e2c44a6a027d8d44

SHA1
a2f550912a89273bdc24ed3c3d42fd8431ed37fa

SHA256
aa6bd7af41e4798aaad3595079b2dbd3d644d7b15864848e7fea25b1ace4e27d

SHA512
80b47661349b9ad52ce09b0591041474b732c0fc03669671735b2660dc781a3f55b7fcc796166a0f9db061913e065620ef6281395591cd6a789f9a4d033c8419

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
56f4b00a455b03ed179f8f316004b0c9

SHA1
5fed0161976d8515b681ddecdad327e95d5fdb87

SHA256
4d16f9456a975933d302977cf9e85f4e2a6cb2a0fb9e3f29bc0df37fbde4e73e

SHA512
b2a1acad8783ac6fe9056637e7fbe9f3ecf054b2c76cdcdb8b47016de45b33bbee2d537b907757cd65746cf3b252679e5ecae783e78dc7042b89dcdeb31476b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2144_926015457\1cf5a2f9-d307-4bdc-a140-7d92895b05d3.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2144_926015457\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Users\Admin\AppData\Roaming\d88f189d5f6c6349.bin

Filesize
12KB

MD5
23ede2d39ceb98bec66a942182e67698

SHA1
1a63c6f6845a266762cdc41abcedb050d82d4b75

SHA256
5535ca1d7120aea49c899a4b287fa16d8db1289eba943be58621f3daa18014a2

SHA512
d1abd1040687edaca240ca9d40dfca341a0199bc881fd571991a3facce5c43ea3f3b465a94dc9d5740b99aa1563bdadd463b9813e576a938b59214bf28cd1e52

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fc81deb4aa5fef2db90e86ef4c1cf211

SHA1
65bd24f92371269b192a62f7e51ed6a10913bc90

SHA256
350dd8919e0dffa885c3bb2c207dcf584f93605531bc07e0faad5a1a4e74eece

SHA512
2ed7db8af824bad8d6794b929e05da59a4147cb80b33344f6cf8b93ba1bfff9def283e48904eab8d00a07e2d037d1079d9b0046cdeab44197fdc60fdc501481c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
2f55ff1749d5cda51e708048bbe0d1a7

SHA1
01bff54ecfc72d066a9ff6048a9d40c4ea689863

SHA256
620644b1765a84f47a78b1dd754c2edc19859c44fb401afa599d8888840212a5

SHA512
ef068d8c13f9aaff63c168b60daf3f5cb6e2fa49c56f307d3ea6f35648019c2dc660256307c40aaf345090ba77d98650d5bfc054305ff91f812b47b8053d7d07

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
44642fc5ab06005005e273c87c67431f

SHA1
2fba64858193ddb344ca1f797ad7b6489070c89d

SHA256
8cbee22e1194c7bb1b3d26506450b332ed6dd9b5f2e63bd11505b78c64807ddc

SHA512
7476080366d7ecd3451ae90ea08425eb4c55ccf6527736f5a4320f37c5bc86ae5de9f0276c15e9651eecbd93bf6073a0aeec8792cdded706919cb2a87066b39b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
d4f67cda99cdc406665c021038b387bb

SHA1
e279816aaa9e58306d6341a7593104ae2e90b7c3

SHA256
2e540ea82649a062141b4f87bfce5c7849dd3261c0569bd0b27cd7c585b141bb

SHA512
e8244e2ea8d9ca29ce13313fb1c9492e58ff6dfb28c9d6a03b31284933bd0b7568d8b1731fa3fa28e559ccdcef597dd4dd877c827b96b7140042d501470c3744

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
50d76ba1b7ac0818ac9903a86000b018

SHA1
80cb9bd14ee7b20c0b382c39bd180e636f2c340e

SHA256
a3f2b2a903c7006d365ad3988cbaa739a9e802c2b69206e6bab4ae1480158338

SHA512
4d79c0093150009c33aafc742d14706e911b5f2e11ea4000ed6002e9d6a0add64dd593af7c2cf9c8989bdf123793717b28871818a1bbf1a7fa9ef19eb4d4e163

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
eeeb1dacb88871d6a5baec7c35ab76a4

SHA1
65e4534b7fd7248d9aaefbd9a68ead9ff005f04f

SHA256
26d6b2805a04656ccb1f96f0b7146c93f734f30f35652eec4d45d77116f49a97

SHA512
e9a320f188a0dfcafe2fddc08e307ebcff498db81c8fa7c9bd32a0bef25cfca1ae3238941add5ac68e3c0f9598d265603ffb87ed255667cf2f6207f86ca99832

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
a1c2fc5505508f7957e92c3411b32997

SHA1
71a2d0b108d6370761b43e8f0d785a8cadb6aacd

SHA256
3a5b7634000d698e625ec250f016aaaed55fa138000ed15c2b0e07f885f0744f

SHA512
7774c835631aaed45239bce085625fa3871e9168b2ea354055d3d76516c7125c68cb1fc8158b87c82a5419998ce3dd735c40b82ffe2f926c5936734a6d821694

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d88f189d5f6c6349.bin

Filesize
12KB

MD5
3f2ae857a5735058c6d9b85b93a22583

SHA1
50e883145dfd7ed5aee7e8a0b27e7f2def7fd5de

SHA256
c9e5e46aeda90cf79addbc86ca4dd5b4a2cdbda6d4b0d90a468f2e7ef557a936

SHA512
fafa28e2710e611409e705da6eac596ade96da2641ee2e8e95228df2b3a960efec19f3dc82c62a5f1e7beda5312ce6b08c601f2302d9a3b684752de0960ce640

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
120ed45dfec304472520632c05122010

SHA1
e0c6f57252d3a053207f72fb62805433f9cdd55b

SHA256
cd256f7eadf6cc84f7e9a674281a520b0c56b78db09c3221d461c641a944bfd2

SHA512
b6d32e6a52ebdf2be584b6896661bf89f2bd945fdbc3bf48b35faab3b722fdb456c8d30bed90c6ee3b725aca14298bfdfafc8b8de843648ee6d1b52920422e80

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f92ae4f4f027612006253b6afe519d6d

SHA1
f4201146cea9c604d72882e0395b3be4c82297f9

SHA256
199774c7313bd1ed82e1963e7cf5891b5fdf703b2d93ac1f351254214880f0f0

SHA512
f1d9917dada6c537c82465b9bcb7835807d4551e3c4816776ab0ee5067bef0007bf15b59bfbcc93e387dffef4fe8e8970c1d49503edd2adf383813a6be3751fb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
a602cb2ca751800ae62abd9f92fe35d3

SHA1
66f1d2087d8f39367fc16217a36949e85218104d

SHA256
96454d7bc0ad2ba5b7a2f2766a8a0445025f23e0c693d462789d34a6a3e266ce

SHA512
c858c717a4e6304d0596b1d519acb7340e6b4b90c244a03cbad33265c7d2a5cc12a03e2d88a8ff1d81115be3ca3b7f67f191d64d78868579d301b92e6f7e08e9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
359677338245819c256dae8befa13344

SHA1
466668f27f85aaae45dfce062bc6ec06052a08fb

SHA256
06d47da5972add7382f3ff5585d826d096dd466f34b78788ab02c44f83a36757

SHA512
3977c39a10aada6161351233ff2bc8b98548ad3a057d7f5b3c9ac5ffa03bdd8ed08aed47dc173191b68cbe691552f33218841f2b1d8f3dee4fab17608fe7a1a0

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
a917d8668c6efaeab5ddcaeae5010627

SHA1
026edc3c4785f025e647171d43807012bdf5efb6

SHA256
ccceb9d90d1d5560a685e6a19f5bbf86635df5e17c611a4e557052a781c1d5e0

SHA512
e0a6ff8855de85747152f49bb56bc1be9685bb98af0ae3656082e8577a99fee55de9bafb8a867be43201ec65213f0f3a3350888cf288d1187f52ddf45ac98a86

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
09785d1deb077a76d301d252b53244e0

SHA1
b915360ced3eaef40e57d89122d546f04261722f

SHA256
8471e311f634d3c70ad47de9a846662da3dbb3503cd7f73975c1bb933311ca95

SHA512
b424c4c1b97928c1a88682678a48276a1b85cb4971a2a49cd37c5662ba499f1270fa37bd1c868eb92e09c6287c72f7373248cce28b0858bcabdb3d9476ebf405

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b1a762bdcd4b1659ae857d4c14ccc3c0

SHA1
9a55b5be5f35ad30afc7767b4e65dc39aa712c49

SHA256
908b48e372e95e5e130a345a0987aa5b5f3427f254d46d8a808aa11c72888c34

SHA512
54b81a912cc02832a7aeeefbe2ab42278a2901e34d3cfa9363fa830a4e619323f985d31ad47a49cb652250900526e06b7656de8f3bb7b6e3c4d0389b5cd700fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2e9e8ae98e049a0b14ef70104199c13b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
ea59020a29db125ee3d40e79467caa48

SHA1
f7a90b5af36ed0445ca70e90a91de13f211ef8b7

SHA256
2defb908b23e2b46d233aeb7e5fe54eb5cfd50f830f310306ecd83c2ded9c028

SHA512
e6fe6db72351431fc088836eab5894b2f91c36bc99b9f7e6fcda6f9d77bef439b6e22eef0cf4c1de9493cb511d8cc4bc296eb8d0f127cc76774e97d9d8fd760c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3b3e35ee7a80f64c4cb9b814dd7aa483\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
ef015a7af4ff48a699f7c1b6e2c5fb4c

SHA1
62f8da917edc3aa5e882ea2f99b30ea08eb3ded1

SHA256
262f28025058456bb5a911b0218d06fb4cc7114ab14ce6024a289f95402a0182

SHA512
3dfdc0c19083ea4005ad494e5fd9810857e348ece8029a834641d4f9f915e6731d2d540d91aa0c5790874c0ee35aeef4d7305c3393c9a36d19053a6281a4cc4e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5F5.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll

Filesize
180KB

MD5
fa7253075656048028917b85d04e29ba

SHA1
49fec95c3bbf488d3f3fbe798a0b102ab0974217

SHA256
cff5fd8c893f1e9676af3e0a7c9ec0491f0bed68df9599fb1e76a279b3765f5b

SHA512
1199ba5a1f13e75822a56efaf3f72603c06cf042d7f8a3357aa2dd96efef8424edbf99d25be5bc12b24092d5e8aa4d694dd704170f03cb7ac2ad4281645c4f0e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB90.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
bc27d65234abd95e75d63a6baf33d271

SHA1
74eda1edafb52fe59ad26558b177939adae62a85

SHA256
a2c82023304ac9376e001d8f003aac15752049c1300bb5d8d59875e6816f6964

SHA512
9168affecc5a7d2835924876dcbcac97d1f07de25d10cb96f9f270a1661eec6683cc47abfdf11a816f12bb05aae8a7efe260433da8588e20b77d192c668a363c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
243e90462d253fec753642b493268d35

SHA1
822497193dfb238a811a954210a73467cd19dc7d

SHA256
4e86d282b1d62575bf66909e496d71bdb7e4781e228aed7c54160c7060224bbd

SHA512
8dfb43604edf2955f2630d09eddac20094d659cee5245530edb2f821f8e362b6691205c988416cc176b7ce9f9abbf48901bc23225f71bd5b7ec13ac3bab18e1b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
ff44975ed48afddedf9183794b8c477f

SHA1
b3a1cdbed55d2011e8d646abf1302c52d339c87c

SHA256
c4ff72f90b2dbc6a9ac03e9636466b0bd2fba0a5d93551b9fb6cac19c222425b

SHA512
ce84ca6fe1eb82db610f5d6e8969fc03c5f792ba64ef04d0b044709bba72813ee117e525ad8eebce4ca21b830d6cc478086aaacbcb101c47004d4fdecb357149

Download Submit
\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
1f189821d5fbab04b49a699cfc5f6981

SHA1
24426583f01612ebc37d9a2840ccccd22e40d307

SHA256
b4d3cc3f98328bf7377e7b5054ceda97952de820693f65e84e2c0820ef95c6ac

SHA512
dbbc6fdb19a30c443471f47467e155439962c938a329201f3e8463cd32011f37e5a53592c5498361ff101578a4348447f4fbe8b53e023990f33e6ed339575d01

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
6e7475a9fb449d9c5c5cd45be7807a42

SHA1
0f9857ee141623862a4a5df0ae1854998b7aca60

SHA256
75a93a1cf2e90592c51b88ea6cac97c968795d7059aa4243e617e147a7894cee

SHA512
450c9aa75121f15529f72f82687a46288d63ee0579960a2ad39a1ff6c5fc44de32d02ba8edb7d915923bb84791f38f0747c06e7a7881187460824e6fe68066bd

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
d1e82e19115f09156bfcaa04f42f6117

SHA1
2d9f55615c76cc7befa28a3b95b79bf6c92a324c

SHA256
8dca24e90c52b4731d34720484284c77b06880a7cc3c46e5600aeb23218ccfaf

SHA512
67f012e90f369fdcf8009846f91124bea70036fc950e5525f32173daf61f6ccd9f6e3adaa3de9d0fc8840bcca1f10108dd1ed39784985a10b372730f2ba84409

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
1af8b7de174b951427328c1455d48175

SHA1
739b1398c17e6488bab9a2644f3a3043f9b51cce

SHA256
83002832c3ae2d5915d1525ba9a6de1ea69ca9bb4f203356885fae4c684a069f

SHA512
309537e334fc451c9e6a6584e25f8a32ece571d188221f2a2c5c5653c3e6a5875d8241f619397e427354c88e94c93c53e9090cdc54f346f90e682a4b4de2363b

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
743a96e1dea9e00c91a9c1470d7e978d

SHA1
2d891a5edae477e4f4c82b3be80c9f3647911c3a

SHA256
bd7468bd49f995e80043d53407e8aa8acbb798d75b24ea7a7178b456070385c5

SHA512
60ab46ed69004a6438304d14218d046b65da8c00380bcbcc84a55729d0106ea7172e227f86d7b68742926df88fca3dff0f70177471ff73459fe9a5512d8aa563

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
a199c8c05946b15e00c7767e7413bce7

SHA1
352e3da4d59ea1833c375c8edea6497968f6443f

SHA256
fd39db522147d631fa2c462813527415047e89f9ee8ee544b5c1d7610715e5b6

SHA512
9f8b9860c155be6d482a87d6c79a7f74b7b04ca159a6f8ddf709d24904a7609ea5dde543807332b0b3ef3b673ef9552ea67affb86f0dc66bf8416cd40fe6cc83

Download Submit
memory/632-180-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/632-924-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/632-182-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/632-174-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/632-362-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/924-964-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/924-976-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1164-148-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/1164-98-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/1224-196-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1224-18-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1224-11-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1224-22-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1312-1385-0x00000000022C0000-0x000000000245E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-1389-0x0000000001E20000-0x0000000001E44000-memory.dmp

Filesize
144KB

Download
memory/1312-333-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1312-112-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1312-1380-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/1312-1381-0x0000000001BC0000-0x0000000001BDE000-memory.dmp

Filesize
120KB

Download
memory/1312-1382-0x0000000001BC0000-0x0000000001BDA000-memory.dmp

Filesize
104KB

Download
memory/1312-1387-0x0000000001BC0000-0x0000000001BD0000-memory.dmp

Filesize
64KB

Download
memory/1312-1386-0x0000000002100000-0x00000000021EC000-memory.dmp

Filesize
944KB

Download
memory/1312-1384-0x0000000002100000-0x00000000021A4000-memory.dmp

Filesize
656KB

Download
memory/1312-106-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1312-1383-0x0000000002100000-0x000000000218C000-memory.dmp

Filesize
560KB

Download
memory/1312-107-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1312-1388-0x0000000002100000-0x0000000002188000-memory.dmp

Filesize
544KB

Download
memory/1312-1392-0x0000000002100000-0x0000000002166000-memory.dmp

Filesize
408KB

Download
memory/1312-1390-0x0000000001BC0000-0x0000000001BC8000-memory.dmp

Filesize
32KB

Download
memory/1312-1391-0x0000000001E20000-0x0000000001E4A000-memory.dmp

Filesize
168KB

Download
memory/1400-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-170-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1400-348-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-155-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1400-1326-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-171-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1400-162-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1572-364-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1572-504-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1628-7-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/1628-0-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1628-21-0x0000000002670000-0x0000000002B65000-memory.dmp

Filesize
5.0MB

Download
memory/1628-26-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1628-24-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/1628-1-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/1628-8-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/1824-396-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1824-909-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1824-203-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2164-188-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2164-392-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2164-198-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2276-458-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/2276-303-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/2568-329-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2568-237-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2580-125-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2580-45-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2580-58-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2580-63-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2808-485-0x0000000100000000-0x0000000100199000-memory.dmp

Filesize
1.6MB

Download
memory/2808-350-0x0000000000570000-0x0000000000709000-memory.dmp

Filesize
1.6MB

Download
memory/2808-347-0x0000000100000000-0x0000000100199000-memory.dmp

Filesize
1.6MB

Download
memory/2808-500-0x0000000000570000-0x0000000000709000-memory.dmp

Filesize
1.6MB

Download
memory/2924-140-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2924-337-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2924-139-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2924-146-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2976-213-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2976-36-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/3008-222-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3008-416-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3128-393-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3128-502-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3144-512-0x0000000001000000-0x000000000117D000-memory.dmp

Filesize
1.5MB

Download
memory/3144-395-0x0000000001000000-0x000000000117D000-memory.dmp

Filesize
1.5MB

Download
memory/3292-918-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3292-944-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3316-417-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/3316-591-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/3392-825-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3392-522-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3480-435-0x0000000100000000-0x000000010017D000-memory.dmp

Filesize
1.5MB

Download
memory/3480-595-0x0000000100000000-0x000000010017D000-memory.dmp

Filesize
1.5MB

Download
memory/3488-965-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3588-642-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/3588-439-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/3640-828-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3640-592-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3668-658-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3668-459-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3680-829-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3680-854-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3680-594-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3696-1164-0x0000000003E10000-0x0000000003ECA000-memory.dmp

Filesize
744KB

Download
memory/3724-921-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3724-902-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3760-862-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3760-906-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3800-661-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3800-474-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3820-943-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3820-954-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3896-603-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3896-488-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3952-499-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/3952-779-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/3992-880-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3992-851-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/4036-973-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/4036-991-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download