a864949e6950a004c8d22eb8cc4865713848041684ff4f20894420af57c77d79

Analysis

max time kernel
18s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
Size

5.5MB
MD5

5fc7e4dd053a48a3490e3f31d3befb6b
SHA1

4df64413b449f37372e11a4b2b1045b932b25153
SHA256

a864949e6950a004c8d22eb8cc4865713848041684ff4f20894420af57c77d79
SHA512

17190405b321178973c0db0b976a32dd7850700ec7e7b4fcc8a0079600f902429825d0d3d427ae3eeb69fb422cd9932914543a4c99a7832cdd7196e1c25aabed
SSDEEP

98304:7AI5pAdVJn9tbnR1VgBVmF70uMhSBrkNq:7AsCh7XYOIoQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
3852	alg.exe
3820	DiagnosticsHub.StandardCollector.Service.exe
3008	fxssvc.exe
940	elevation_service.exe
4596	elevation_service.exe
5336	maintenanceservice.exe
5592	msdtc.exe
5972	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dbc014b7b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571108431001829"	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3876	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeAuditPrivilege	3008	fxssvc.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 2520	3876	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe	94
PID 3876 wrote to memory of 2520	3876	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe	94
PID 3876 wrote to memory of 4020	3876	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe	95
PID 3876 wrote to memory of 4020	3876	2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe	95
PID 4020 wrote to memory of 3556	4020	chrome.exe	96
PID 4020 wrote to memory of 3556	4020	chrome.exe	96
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 4744	4020	chrome.exe	102
PID 4020 wrote to memory of 2040	4020	chrome.exe	103
PID 4020 wrote to memory of 2040	4020	chrome.exe	103
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104
PID 4020 wrote to memory of 4488	4020	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-09_5fc7e4dd053a48a3490e3f31d3befb6b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2ec,0x2e4,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed7c59758,0x7ffed7c59768,0x7ffed7c59778
    3⤵
    PID:3556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:2
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:2040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:4488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:1
    3⤵
    PID:3932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:1
    3⤵
    PID:832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:4356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4832 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:1
    3⤵
    PID:1432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:1540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:5176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:5636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5256 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:5768
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5916
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6b2b07688,0x7ff6b2b07698,0x7ff6b2b076a8
      4⤵
      PID:788
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:4592
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6b2b07688,0x7ff6b2b07698,0x7ff6b2b076a8
        5⤵
        
        PID:4944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:6124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:6132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5420 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5584 --field-trial-handle=1904,i,17177963265015284398,1500345168246184155,131072 /prefetch:8
    3⤵
    PID:6000

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1576

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4596

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5336

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5592

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
PID:5480

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:5648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:5720

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
PID:5620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:5624

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
PID:5900

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:6052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5140

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
PID:5160

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:5764

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5680

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:6672

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
affc60b4c8caf3e9ca3aa59380d2b638

SHA1
3a9c5911c2778a82efab5bd162c376150ead4deb

SHA256
02bc48296b3d086fd6f085d3713760f7aa5ce34b4fbdc41526e40f75a4a33fde

SHA512
d944daff2a30aeef13b403433b9884fbf65f585c66e7108e71a2b5c2f02ff0fd1285367a26e2e0b5dd800c0161b5af3c6fe8475c178593a9d63c2308174345bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7d858462931e1cb44a1829e4a9104348

SHA1
a8ecc08e0db4df73e59e686f07a92480ab92301a

SHA256
a256497cb02f9c05f66a84f8b189ad85a01bcfd6f6b8de90419b739f801bce89

SHA512
7f08cba5f8d39aaf0dbd28d3e81c4af36b0e60de9ad1788971ee0596977c288e331bd58558106f737bfb5ecca5d7817e4d1d12a44e83e8093ff55270e791356b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c46849dc5b4ffa407d5aa630dd826231

SHA1
485ee5130a560e2baab89f010269dfc72d06ff5c

SHA256
a5dcf5bb7ba8cf5ec95efed63ef4d260b803984ff67b99f9a11ea865b078e3ed

SHA512
a0a14b8b7c282db88f9a312ffe23a79514dd5d1b84eb5ce37e9f709adb6fa2b31f6831a4fa01af0c2a401c3efde5fe4a2598403f2ffa57d9ed5087a5294f6eac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
49f9f48940f801d3a63ed7925b681bb2

SHA1
5cb4a81143374e1f9d73f04ec6edffc2539822a1

SHA256
3730cd5fd3d4d7a1064a724205eeed0e294c0b05158c5c2263dd7afe3d797f1e

SHA512
3fc34b6052d32c2ec1f0131394824dfc1e16c46d33437c3f615cebccbea853e56cbef9ae963cab762aa7cae7462459585cb7e379fb36117222ce125f88392c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
65219931b1894f68863fb2403027d744

SHA1
7b1103a90a637639e7538ebb3e9339f7f4e9df0a

SHA256
4dcf7eb26b1812b535a623b40b7d19b80e243650dbd0dff6a490b1351eabc4ec

SHA512
f9cf2fec045402def529b0a1df12360740c0dd62651a98399fed312b92784a9fc52323f900c4637a3fc4ee8118e6877cdbd9b617b697858f1a1208d60e944e81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
df58df82cb9535ecaf0b6a04258fafec

SHA1
1e6b3dd884f57194858894ddac640cd00b66c4d7

SHA256
cd2c58a5372f89d0cd76c2c07357154230807e32403c638a1586c20e0e1a882d

SHA512
4fcc1889cc9f1fe7b116800c14deb131a9fcc63353b18aacd02c93efa2277447a26bdd1370f3f74c33cf4e4dbb1c7ab96573c1e192f777c94084829e66e0336e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
da98441ef58a956533fc5e93e688fd58

SHA1
710b1e4c7ec6606c2dbffc4166ecb4e8f5fc0105

SHA256
8bf524978c274376b7d5aadc99622860ff9ddb50a06a43c5a3d3d5e5f6769ddf

SHA512
9bf46ea11f8ed53cc1b026556677e55bde1295e71de751ba85c9733d629f3d7dc5c0bbd44c3ebedcb967584df1b29f50716b9659b75ab0eb65ed9d3b6efd3247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe583fd3.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
6671e47807e5c89d35f7fbccb441259e

SHA1
82a1706afd7238b1cb0ea4076e04ebccfb8bb46c

SHA256
cc325ed23e641d95aa9d27b76b187aa06145572eaf9e62fc5b0d5b1d77af2f75

SHA512
9b27a0dc97f1e42fdf17bbcdd465ee2adfb37e462e35a50abb96b2416ba871c41691f65e69370114acbae0f99601143fa6997f6fb0f911c99dcfb4009936a956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
981d261651adf15fbd9ca2f9c7e3c5b4

SHA1
0f431b8637f468d730f1044f11303e0124550e54

SHA256
0c4c280397b28ee83dce39a4f6beb94c68e68aefde97a8ae1eee0017d2fae5d1

SHA512
c92433168cdb313c7a78b2b0cf12a3292b51dfa0ed3ae4a26ff00adbecc4641a32013856b5f90b10ed58501c47da61a4fea1e752c0d8a4b64e8b86271a131c4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
b59b4b4d37295edb1a67103105219c56

SHA1
5a1dded96e6a6fbbf6181088d59dc59a2163a636

SHA256
1fd8a1cf24222f45fb58e8dbe913733a336823eb3d425bd1b96643bcf3f6445b

SHA512
05783f8abd6dd631f3425f69d726e3a9f273983dc83b6e0003c1800af390fcb4a49d4c637bfaa68451394ab6eb458f37b773b4e7dfeac38b940ec6f03223be62

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
e088560dc65449b0cd42a04947a81520

SHA1
78f4fc3e7b72658d43f0b851412273ab6b4f47e3

SHA256
149c56f5fd7f4e6d699081058b0a3e22daf62989d30cf6e71e2f45168998220b

SHA512
15b685e8f408877b1c989ee6548dc017d74e53536455ebf9b5b5a5a34c22048a1c3f2ae4ade6814b0706f5438123f0ce3063313b7f0b3d512eb7e3ec01bbefcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_1042443119\4e0be938-b4ce-4623-a79b-5ea1b68d70f7.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_1042443119\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\dbc014b7b3e2edcd.bin

Filesize
12KB

MD5
69bf11d28a2148f9daa242ec26f32ebc

SHA1
7e79a0ff137442d0a8e08a784a2c7cec47ccf086

SHA256
a0f6651b1b5bca36056bd190d6728bddde50688116057c361e5ae4ac11037acc

SHA512
ae84089930b4b61e5cac2e35dc1f187b566596708e333e3a66ae9a8fd7e901b8e10a795f28a85243d6a3c3e57a7220777a4d1d0dd19e680696d292d6c264804f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7093b139fb734159041c4c3b8c00f4fd

SHA1
d53316b4b8e5cb77fef19d7c124f95a6bb0e067a

SHA256
2e27fcc702ee650445d5815c924a09b71f3de35330c372c369e720d499b95019

SHA512
b36cf00d7821fcddeaf968fd3a7d9110b79a6d9beb1f44ee00f7aa0bcd271b779cc6051898aed3ad6ca701081632d76a0e9c893d58588c718b63b370430278bd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8cc705fd63af7b0310f1d7d170d7adab

SHA1
8b907d5bdb90807737574cc9a5169267b3de4ad4

SHA256
d20845497baa769cf85b87b8aae8e643b5f28964f8d0e3e179e8e1dffbcc293d

SHA512
0ed144f6236e1772f8f9a82ef10553d0f4a52d1536268ac98e1e185372235330b15c54b4efd8d969eec359d316f31e76359bf68319433f2828163f4adf918ee4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
bfd223ca66dd4b0ebd7eb49ecbdc2116

SHA1
dd130f27c1a8f9eccfeeb7061f4389d674c60c4c

SHA256
7c0b979c75697263fdc217368d66bc33400cdfa1f457637b7f3d9b5fc9ec9d83

SHA512
87ea0cc6051f68f416edcad37086680125f7aca7d3f1def75d8691ecf8fca8b44a6cc1ddc9e9b91846892ca751d5c203b154e7ff76c1f1e0fa46ae08cc50ddfd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aeba7dd03269da6a06535f1f770e40e5

SHA1
b1399100394d57ec4a6befd429b26d28d4f05153

SHA256
58100acb4acf1c11ab221ce6bf16349b9ff07ebdfe65b2bc7839e485993b9fa9

SHA512
c314f4a0ab28efe4964063037337d5a325ac310eb2fe1bc77bfc03f41bdfe0b04bed2ef0208044670ed1215eb63bff24d7d19a5cde068d7ecc7ca4d18ed5e7cc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c141f7cb0d302d5f0943cd5e25cd3e10

SHA1
03b6fcd277e65fd75c5f95a12349436393615122

SHA256
1a29fa9f205f70f8672b641ab5a025c115e4c6dc086ee00fd533023324dacc50

SHA512
7fe211aa7e44ef444361c6593a09e98987ac20f4a2edf77430e96b8c8221461969a811ecd9c20742d3c88620236d7c55d731fef869e5c692dae00563b9eb0c29

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
0ef58e5558d507be3e72864656c1ab58

SHA1
70566bc0d24b7e42f5f7950bca48825aa58506a2

SHA256
b6a8e19804e28750dc95223cefd1e57d7df6cd4f4f29535edb7437f6797f27ef

SHA512
c012d69fbbca800868ade26d81f40da8499c0d9a7e34dd3a3a267b89693f6e578f3e636704a0255a37dc07f1f6268e24adfe704ef913c041cfa000adb2b5896b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e564f817056813ab10f6bc02104d74bd

SHA1
8c451e3e8b76055c799de0ef90480130b0e53859

SHA256
f49e64b9554e8480ddedf69931f658aabd901341f6d4f94aac46445e7510d082

SHA512
efa33891a280df60053da74503d4aed80f647747bc916d259190793cfb6d9ed972cf3806949951dc18ce6a273e9cd33876cc69f0ab3f98a2340e29fe8058ca5b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
822c7227d7cfb729bcdaf594d24a9369

SHA1
f3ee36514ca76fad20fa07c0537095ae67858a64

SHA256
0995ef07a82390b797b73b09ee73eec72924e51b56bd513a9f0556218c12256d

SHA512
58fcb9678e434c00fa27b500fc30a8cfb08447e6bdd6c74af2d0cd258e0f6b90d1a03435380003294d3099673dfc609249ca3211407d517edc554c9a87ba2ea7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
710f67d1e9ad68ef5922a02b9821c932

SHA1
ce7369cdd95e518df0e01ff611c8be564d10278b

SHA256
b79c857c33d9aaf192ecf4d0a4f5bd507d9702b8e8a7222413d2f822c34808ba

SHA512
df3180df11555996bf5356d1f427857f89b7cc38279be60789af0c91ac138a2b8726367602b052d0fc7a57798c9714340409db207962a1311d6b8e35fd49c9d0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c68e2683cfb1b5f3cbd4325c604b5b34

SHA1
d5150bd7f38ab8f87b80817ee4a883ab6e24615c

SHA256
22f246a6a472ad26fecc90a1b061ebda982a1b300b0efd1f2dc745dfd1441c16

SHA512
5fc2729de241be14079ecc6c39f1f2a88e17dd3f8ce385a9e84187b1909889fc14164a0083b0478c6b284703cb10f1dcb29cc9f135ace6fc687d69fdabd8106c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
60c6352ed675f79e7ab6f1822aee979d

SHA1
824bf365926a526ac157e22e9dc3e08816747469

SHA256
045dafa9649356378bc38b788fbf408c01b2209cb57a48525ea234d9860f1f72

SHA512
226c88392a3b9f0d8e79d4bddbc9685cf1773826284f04ad7d966bf0f06f5a2c316d9e72455019d8e2d823bad600c6893db7f86c32139afdcf63885625cfcdac

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
214ba52f933b9eedc49221d0e36bb593

SHA1
5ccce29abfb322fdc24bc40e863dca2ae6fe6096

SHA256
81fe0955b312e0db5b6aeaa8a9bba34ec6dba7f50e46cdd03518ba09d6d13e8e

SHA512
d73c26ac95d509b47939405c9f4ffc5c82d068b8935556e8a252c4335a8f7954c264df7fc139afa607b71ca00d218a3522dc57a5d8511885f9885c70cffa74f5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e240fbb706f7ce6d095276f94dabb5a3

SHA1
2bc462c14e5dcac5b1abac5cae9443eb95efec49

SHA256
b1332aafaf27d4277907e4326ed7ec4a046016c3dfb2d840d88c3e2afc1eb04e

SHA512
3c89c05e1ff79af154752f956f5e573e16d6a08124e0147869b612dbf5738398e216b6c47d1b6c449f3bfc8eec22dd563341729ca725f8dcc84c2a6662799165

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e2ce82b95f2ef8b5ce4327d6cf03b986

SHA1
a991dc35162aa6514650d310efd127ca10e21a7d

SHA256
318822fddd8e3e71cae8e76598ab1da286b4c0dab793a5ccb90b08d6ffd36b2d

SHA512
cd2adc4b2ce12e818805e82f81db10cc260c5af41d5d80f797552e235a734b423da3113faf29549ab916b858b69f9fc10620aaa2628ed12e83b422461ab750ad

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0c5db94721a2cdb9b7b63cdc9457a8f8

SHA1
1b9a98eef43b88b1fdd2e5e4d4b653750a4ee759

SHA256
d5b17ec18f2eca43f27879b7fbd32cd5acec5157a8dafff07c4902c18e55caf5

SHA512
397190c8fe34b5bfdf806cc5e923fcdd87eee2b16bb59907ea5c3456d55d024499702a5ad2a498751dcc93b2c5d18d53ebd5d34ba6da17aff2fccd4f7d7dabef

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8a4e28b8d878985e77eb4ec8fb11fb77

SHA1
098514e29fca8870b8f87b08f6991c3913e2dc4e

SHA256
53c5b78aab0fb253c9795cfaaaca8661a7fddd843244b83c0ac9aa7e8802d314

SHA512
beb08e5d695ccea5c7e911a7d0ac19b9b393a91647779abcc9e0b9edccc948ffaef6a905202c7a4b4827be3aeddcb53cc1f057e73f92978bc0704c8529b0a6f6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d9e3db349c810af7584b326d922cab71

SHA1
2832ed10aa1c55ed14268947afd235cd71a06944

SHA256
0d37ab9e1b149c577c79c5e59d5aaf8a3c0321e7b67712a64869909e37d06078

SHA512
7fb469339dbf71acb3e3741a7a7c6aa6734bdb576c47a12aad34fbccbcb544933ca1ba341d56526c3b8c92f1690762488060af6b5b3c80b236c2d0e61b89551e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
memory/940-92-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/940-85-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/940-88-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/940-219-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2520-11-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2520-19-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2520-102-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2520-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3008-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3008-94-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3008-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3008-73-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3008-80-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3820-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3820-46-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3820-47-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3820-142-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3852-40-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3852-41-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3852-27-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3852-26-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3852-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3876-32-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3876-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3876-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3876-8-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3876-22-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4596-99-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4596-105-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4596-109-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4596-327-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4596-110-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5160-605-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/5160-404-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/5160-412-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5336-125-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/5336-133-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5336-121-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5336-138-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/5336-139-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5480-383-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/5480-229-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/5480-277-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5592-143-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5592-351-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5592-166-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5620-415-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5620-353-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5620-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5624-366-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5624-435-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/5624-357-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/5648-328-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/5648-397-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/5680-576-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5680-451-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5720-402-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/5720-331-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/5720-340-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5764-417-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5764-432-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5764-433-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5764-424-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5900-385-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/5900-450-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5900-375-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5972-191-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5972-180-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/5972-364-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/6052-398-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/6052-590-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/6052-389-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/6104-447-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/6104-436-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6672-591-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6672-600-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/6828-607-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download