b4d6095000c7a9de5ff05b70570d04e288892e401f297af557b18e64f88833ec

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
Size

4.6MB
MD5

b6e37e371332c7188fe705420f4a5ebd
SHA1

e0bad480b70f92d6f6b55002bdaddf80e405f041
SHA256

b4d6095000c7a9de5ff05b70570d04e288892e401f297af557b18e64f88833ec
SHA512

a1c6803dd917f78b19663914938c8a594736d7cf1e2f4a871987761fc57c3f4524aafa5b5e100d4ab15e723b60c811321cbc011c8815f6c59b52ec177b7f30a1
SSDEEP

49152:PndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGc:n2D8siFIIm3Gob5iEargZyk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1988	alg.exe
3860	DiagnosticsHub.StandardCollector.Service.exe
528	elevation_service.exe
1336	elevation_service.exe
2612	maintenanceservice.exe
3500	OSE.EXE
1588	chrmstp.exe
4452	chrmstp.exe
820	chrmstp.exe
1912	chrmstp.exe
4868	fxssvc.exe
3288	msdtc.exe
4528	PerceptionSimulationService.exe
1660	perfhost.exe
1000	locator.exe
3716	SensorDataService.exe
1864	snmptrap.exe
4748	spectrum.exe
4612	ssh-agent.exe
4076	TieringEngineService.exe
4884	AgentService.exe
1512	vds.exe
2168	vssvc.exe
4884	wbengine.exe
5168	WmiApSrv.exe
5284	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9c3991b3c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0748a2666ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133646076293471547"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbe31b2766ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f10c62666ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b10a72666ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031259b2666ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddf9f02666ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cd1082766ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011fdb22666ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cd1082766ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3f36c2766ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
1572	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
5744	chrome.exe
5744	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3412	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeDebugPrivilege	1988	alg.exe
Token: SeDebugPrivilege	1988	alg.exe
Token: SeDebugPrivilege	1988	alg.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
820	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1572	3412	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe	81
PID 3412 wrote to memory of 1572	3412	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe	81
PID 3412 wrote to memory of 1524	3412	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe	83
PID 3412 wrote to memory of 1524	3412	2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe	83
PID 1524 wrote to memory of 1936	1524	chrome.exe	85
PID 1524 wrote to memory of 1936	1524	chrome.exe	85
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4304	1524	chrome.exe	90
PID 1524 wrote to memory of 4448	1524	chrome.exe	91
PID 1524 wrote to memory of 4448	1524	chrome.exe	91
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92
PID 1524 wrote to memory of 3592	1524	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-04_b6e37e371332c7188fe705420f4a5ebd_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff62feab58,0x7fff62feab68,0x7fff62feab78
    3⤵
    PID:1936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:2
    3⤵
    PID:4304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:8
    3⤵
    PID:4448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:8
    3⤵
    PID:3592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:1
    3⤵
    PID:5056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:1
    3⤵
    PID:1820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:1
    3⤵
    PID:2260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:8
    3⤵
    PID:656
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:1588
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4452
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:820
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:1912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:8
    3⤵
    PID:1052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:8
    3⤵
    PID:3972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:8
    3⤵
    PID:4704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:8
    3⤵
    PID:1512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 --field-trial-handle=1944,i,4064834752780950436,1776352383897843822,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5744

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1336

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2612

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3600

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3288

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3716

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4076

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5284
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bc47b280b54d0e420a240cd6fa8d96d7

SHA1
1a33cad00a719b9b28ec7e2870b4c423cda0cc3c

SHA256
b1365fbc99f39abd840fa8c7026c2275aaf1ba654e5a3c42df9a99869bf84e0c

SHA512
4efc4f2a0705fb1ff4bbc0daec31844e5960fac5a79be4dbdd4e9bc009a3e4a13e30a7af4436d0e216f9ebab8de159e4edf5ef599542612a388cf248a700a85e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
54d96a33c8656f1e530ee7628b05b6fa

SHA1
b3afe3ff6e73679d1d184ff28e361e641966cfb1

SHA256
4108bd549e520a3ff19f31a250fc78edde5c86734905546cc6f017d725b64bdc

SHA512
a1ae47291ea35f225bde06d930c208a11ec6c767f1a09929d910a265dd2da57efd467b2089baa5de0c59a89d3d74317824a892be1497ca12489d67f8d22b10b5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0faec6f536628def591a7422cf8563da

SHA1
8d5c2702ea18201f490374214a1979cfad5c3025

SHA256
c0bf566e5a380336b7c58ebd2eb50b4d227e8d31dccd09ec84fb302fbf4c3915

SHA512
dd0d48dcbe5e6972546bfa50149e6ce83fee7ce7ac4bff4a0346c137382513b360a83dfb611f246fab89ead092de94ddb5c8f9c43b5b3088c5ea449299cee7e4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0ce10d925fdcf4d6df084c0b869c6538

SHA1
10dfe8799deb8388862aeac42259c84fb29d1576

SHA256
83e61da972f666514f875d56bc78d0f5dee15aa18c5823504fda21a3ad582c90

SHA512
fd551ff5154a1efdaf6ba07aca19bcba0cba4c366d90cd9a3373b2da7b614187c662c21d1c494f164ba72da3a9ef06c11d12905c61c9c5cd2b3acb5b23f16028

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8069cd0403b5f6f035b488bf73bca769

SHA1
29911c0f6f0eff38f248d4d659450331544df5da

SHA256
fd4e63f988ce6dbdc1329498371ca9888873be1634a0d91424ed7e83ed5cfc31

SHA512
fe34590efec105b520fd10a8bdd26cd8f416f42b06e1b5c73da009c363b226ecbac298c817b9e40b979330e577b4dc4bf86e123d5841e3f0458bc6dc69011c59

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5cec5666363500634615981cf7b42111

SHA1
f55772108f52e1300d3bedec316199addc10be4b

SHA256
15eb495856425efa6ccfa0de95a7083aab1006d7b64eff9215eaa03bad701ce0

SHA512
64bb271f086dc4247925636fbe8d9dc5dbd7c2e1bf624a036f91c1defc383e9fa1d0cd08914977c88f7d023090f18ac259331d5861731818b5ac0a86987973a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
42701a0d1e49f5e2a4ad4715b25811da

SHA1
e147737f2374c22d4e4a085c43ed445274d06ff7

SHA256
af39294ce196b9a06a9dfe235827ee092540fb4c7497a0592a1c54e99cf52d86

SHA512
37bb40b7bff55f392d1904460394df4ee36c8a4e60e7ce142dc1b817ed60b4da595d82cb8ea449a20dbd4d1b25e2ae4ebfdd5e5c735f7c6542a8160d795b1e41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bf8ee4395d853a30a2869a3af8d3158a

SHA1
29ee58e83cc34e781fe5249c545902496a44820b

SHA256
a8fe8ea98d1802a06d79c81eab74e18dcd1aa04735d88bca4aced8608275568a

SHA512
880ba4e90ca92a18bc947ecbef298dd30288c41531429ce8d6cb887264ff797cd6773fa158dcb300b44f256215c9deb8f0ee0c94eac1c513807daf251f6d15a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
451c0da67df6586cf3c2f0101086eab5

SHA1
fc79632199ff5ab7539858c1c0c91808f6e138b6

SHA256
6c2e997c62cee5cd969c1c1f46d79f78045f111308f6de31cdcdcd6b9db66d94

SHA512
436fcbdcb9c78836169ddf1df86909cfcabc09526524df76cbc28886571c06e6169f1ac12434456ccbee88f340bb2f9ad5eabe32156b8ee9ef7f7310cff11693

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
dfd48b1134f87d9e5910c36acef65eba

SHA1
0c76dd0e981d9158b0074e75b71b1cd702fee2b8

SHA256
a86bcaff05f6a442d9dfa0deb2c798bcd911c6350135d73391d7d86360036d34

SHA512
b7e7f00ed313fc6aa67b1277cfd542972a6bfa20c0d7e4e6361c0eb89d19b1cc56b230fa3cc0f391268413e7bdd97327f831998f7432140aade34e4ef51bc7ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e920ffb91ba25ebdf6cd9832ecbbfa33

SHA1
45246ac3c933313d86639b5d3cd366f333c1b3ee

SHA256
d86595d77f2312ed3ce4130db871d3e34a9dca6f5e904938d214e62e3adb1882

SHA512
daa336dda0fa68b07e515e54ed19a12d85b999f828d3897d1bccde0d929de57bd84c4c9250fdde3876d7f586f5ab690d319a31f166901f9bf67706ad142f91c6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d0982a2ee648f336c3237f5a155f2f24

SHA1
cdc3fefd0745e4cac1f8d7ab45f7c25745881602

SHA256
efae71e01bc31893fe2ad0bdf9336c4cc620f3a606d5d2fc46b5ae3ad7c4410c

SHA512
3ed117839aab857a910fa3dcd04ac92bae89520a7a44287f7de2a07ed9293d5b545ecec173cf4284c2f0f94c41cb60cb77ce77b20d8543c0da27ee4b43b0d385

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
20835abcbeefd2cf41f955d760760b2d

SHA1
2c5c1291974e1b9b2694583a0dd8d55de1040cdc

SHA256
c554562a587dc0319d6dc7eaaa74e242633410c9f975aed787aba332ae77266e

SHA512
e0b80f8c80f6f2fa0e805226bab55008eb27f5cdb01675d27db443b6952638590a5a4446dc448e7d470e37e650fc4632875f85cb83d65e4515c51c2a1e8e9abc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
10adfe2f5738acf1b13e9c48c4de8081

SHA1
1fe407c3e16f8e1911e0485d7269614915f80be7

SHA256
35160adaff3882454dab21fa82e77e13730b7560dd8574a26ca515a64045a6cc

SHA512
79ebdc27184c87b7434804940c50a5497e15466bcc328aae4faebf1bc49a5eb03afb699cf206d8299ad3c7ddce3ed3717f62442c1dec88c0153565c99a6a9415

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1d52cda194521f908e2f29c99f19361c

SHA1
c66e53ff23a1dd5ab70f96b563913b342f161603

SHA256
b60d63b5b2d3d1670e2dc05925a83985de8d92153f36e928d22a522e3348efcb

SHA512
4d4e896e8e73a927b7757f193c7711d82f103f8be20b7fc5cdef0126b1a4444dc0c350124615f96be3b969553365fbe6e291b5e32dc1067e45cd55635aaa90f0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e18f6c294da1939a3dafaadbb9198948

SHA1
80ac6991691dea973f1d7277853cbc0ba71e379e

SHA256
1043d132c8ffea6849da30fea222bb1b41c0afb4604c275625a9ec22a127d528

SHA512
47a05403d72f5d4bad023ceb1debb33d1b6059a5a8607f08a7c06bbdd4539eb692b6edddc500f6a0ff5ca33d8da8cda112b058c337e2c1b5ff4efff01286e278

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c2237e358a0c6626a0afd40e04f247a9

SHA1
f93783fb4b2d1968ca8cd97a0483ad86e3573b7e

SHA256
7f48dadb8f25bdaac5f811ef9c9f0b97ebc9a442f343753424bfc654ab2722da

SHA512
0d9f3df6fd377ad27a6697ced9d991731fd195082dedddcec1cb7d7055f93e93e8747398c7d6c1e04d5240919a48d1358ee90b56a1821bcae97e53b13e8a34c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d2e2bcbce50726317602b2b8780aceca

SHA1
3b2c00d834bd39273d9c2b2e7097023006016cd9

SHA256
460ab0916fd15ad08f6102e34aecb84be536d17e481edd94799d575502b34140

SHA512
ff22613f65847a46ed3ba3ea759d8393f2f10ac41d6c2107c90c1cc3376c11890ea2fb87db58398dacb85a2893f44cfc38f95f2fa718cf7ee388e2fc77b02610

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ac9604724dd69c38d70dd02c2f62cbb3

SHA1
47374cf28c17b38528c0a18d5db5a04783b1856d

SHA256
d8622a2d413cb0190839852d8ea249c85ae47697ae4aac8c0df6e28c689837e1

SHA512
d00e42d4542d49ad8f5c30c08c8843778feac1b16aa4fdf8a9236228aed9ffc262ae760d49213fdce4250ccaa8313ec2fadca2fb3e91111ade981376ac22c096

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ca42c49e-e790-4d4f-9c58-776cb8923035.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
93b7601ba28cf254192ec9ab85612139

SHA1
923e45d8a13fa84a7c10c41fa1c31ef06d11e9ec

SHA256
91fcd8bba9582a64fbd94ece117362f5dde22867f124e960bd9a2d3911468434

SHA512
3ed89d6942a35a7186bfb408ea5afe0827a5f1ab601be6062f9660627d84304a2343c15640162a841fd2b17cdca997b475d3cbc8393ae8793ddf2be3d38ce54a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
48726ef06e3c2a3a6c184a748c622b38

SHA1
e2d74afa4d3f3f607d267d6687daabcd86a95482

SHA256
d015b0d56434d30c79396bfd15607aa05b0756fa204ee56406af76463c136d57

SHA512
fe67c26dbe810fc446be7f1eaef7c1a71a0d4b0bc2ee05c54fddcdb20d7809e69ef53392302f4110646d01a1f71e85c3e8e502be3a7336dc78b207fdd781ce7f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0013f68cce513ff4c4eca789a379303c

SHA1
51fc2958745d93de0ea7d601b70a6bc0f3682a70

SHA256
886eedf733bafcc4aaba347c9ec78dff5f289ad651db459bc73ebd377305f923

SHA512
76cedeaf0e5f0233e71939e29f59cce11cb9e066728ded68ce190cb854b9222c37293f31c13490901e577bf6b67b2579832f29609d9111f802820e7b2fa29f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cb85017c7a6d0b044336d4723b8a0213

SHA1
4b47a385fe5a9a388cb79abdfed898c1d23d550d

SHA256
fa7bbf54e0489925fc1952de5762eee943e135b0a9cc1726b26651f3ea7fcd2b

SHA512
9694d0fa55cd572bf27f65321e5c43b80343e9691540f01af4d50f78325cd9ba1274d0b5aada9e1c84640346b9076e59d4a2a790ac9d0fe3ccae162e3abe736f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b4aea23eae5002a5b47a8e1b9192175c

SHA1
f5a707ed4ec5f913281591e0049ee71511e06f40

SHA256
ccc5a6ef4298b9ef2f436cf15409e0e36276b26e977d7d66e864757062c2a9d2

SHA512
472fad62d94145b11474f797a455a000ee100eaea99ac3e59527e5e889191cb87afaa228f962bffdad9befb2891fea19dd0d780f1d24b1e52b43250f44309574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7d0518c04fccb931655b1b751459405f

SHA1
add4a4a481112b63602704d7ce9baf557fc64731

SHA256
beedc8e8cf95d7026947acf4488acc6d537fb3d394c9be7cb12eb71750faa7a2

SHA512
291bf44ffe5fd34bdaa7501d864f2108d3be2b7700b8567736f17b90b0a65e3c75dac8cc358a37587a9eabddf3ada00948630b93e83d071a465d948caac340b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576513.TMP

Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
538227f6bd9e2b3259e29770b5d042e5

SHA1
96b96ece19256df7574d6b3d3e84a8e71985ce66

SHA256
8e0321b460177064c053c4502433e8637407f8ac97800aef53a7a731d2bc928b

SHA512
d955107fc42ee95f4aed2951c530804d8fc1f13c6454d942a5ce6d7a8518dee877e7daded62bb10f046dbe3d76fb08ff4e85a264b8a930fccb8153d72bee4523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
ce54b9544d0318fa6976710a902610a5

SHA1
c11c9140fb88f666682b206def9bb75a70754aff

SHA256
b88442aeec85340648d15d26837d5fd1fcd5ba979ff245ced8c90b36dae9ce85

SHA512
ebf6ef858496d34a520d58eb58bb14f41097a862d0bb85e012e5c58dc2e8a606df69940e6ae172dd360d43c3b7ad05fba4143cdadd165a76bf068724403a9111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
13ce4ad511cc531d72bb9d5980e6a422

SHA1
39ec26a864ec034a80be723bd342f425bfe2db41

SHA256
a43a4fc4ee571ad455f23567515f9046703104fa2ddf12e12963b7579005aa95

SHA512
fe4603566b096b029434832273e0c1627053c81116b445f2872708069cd3699e3976512dbb36536943f6d3a1a2357b5f9f3cf4d8bcd1a571260c848c49cfb547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57da72.TMP

Filesize
88KB

MD5
ec507b9bdf6eb2b042e870c67a068a73

SHA1
f3468352fcb6ed887e5b4f55636d54dc1184e89c

SHA256
a39b936b69f75b0b2c910034b525f58a55c63a24ca4761f911a9b0f5e280908e

SHA512
583119f9157a35166ed94388b67071d29fc9e2f3d66c3f12fec584d4e41d76ccceba6e215736649176742b2c3afa1ffc6c7656c547c87460dcdbb63e1d328350

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
8f17834c1cac581272615e9366d7c804

SHA1
a6dc074846c758b99f5939b9c659e2f6a03370f5

SHA256
05f553416f0a9a7bd9f04edb03bea2ce978ce8f723a5bcc6b4a163a294c6146c

SHA512
510d8dd86553536f92771599f58a96910af42f1e029fb7751703b2a6a373e981f5d57b406840252e31358a82628352709e7c1618b3b7b630c5cd9930f87c4d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
2d1fe3c5c232937426ce9e7271e0d94d

SHA1
9d7fbeaa040cf7127cbd77cd9e35531fe3490d54

SHA256
ef6de50fdbe5c5704507c772f3b1b94d57f947fa551cd9dbac458303b3302954

SHA512
d22647dba9779e61cdef242d8221c272bc4db9f614cbe6b2f3d3c7a1c3e98df8c99d513627ba5d3e2227f4dc8885582cdf652c063d36d99a691a10d880f519c3

Download Submit
C:\Users\Admin\AppData\Roaming\9c3991b3c8648821.bin

Filesize
12KB

MD5
b4d60eacd8f612ba3d2233e048347e0b

SHA1
ab900fe9b76e1f7af8378948894403e9102877dd

SHA256
1f3c6b71b0506b28bd363cf4f9a4cc0c0be3cbb2a2125036d85486c9fff389b5

SHA512
b88b02c6cfe6d79ec4764e29699eab827a61d843a2d7f99db49c35ccdee57e76085e3aaa7b6989715ca19f30563d3c2c3e895d2c00074fa70f2781aeff26b242

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
00dbee3c7c696e86816cfa8a138af2ad

SHA1
636a3f776acb346f4698e553e8dc2eaffe5af6bc

SHA256
d3409d68e084fca775c6fe5fd742df8c7a9585ac9e83258f2f030dae763b79d2

SHA512
dc36c12ccb7932de4e2e4d12048161ed1381bc90248e64ff608a148e43ef3bc4319b9486dbc9dd28b6392d829e7573d6396d50e1525290fca9cfcbca24caa87a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1912f200ec5006cb63ae68a94c206598

SHA1
67e09bd1c58da349209df9a2c2d4d31fcb6eb392

SHA256
7f1589cc6c4805aa91349fe1df18b5b330afd79a8c80841310d0927c2e2d198d

SHA512
4c7ec3f881e1c9faad9f3124cc82da662565187331355668b2c9f08034cc2ac38f3d32ab95b62ce0418ab6c11eca160afbdf2bd947daa788e1a8ecd8fd5b9216

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
95ccd50d771ee06259f44d661f67a61d

SHA1
580f99359917cc1c6624d916b1f1744cab9ff16f

SHA256
c0b9146d9d6347e13e457ea8c05d5711816e2eddc1ffef8f40e0f5f495c41e89

SHA512
79001b55af83e7f1b846fc4da91ef9e841dfc2df0e507b9fca109622f82a7ceab165d928f0756bacc6b2d4a5ac37d9d602033876fb879cf00b8bbd81e829c937

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bd5edd11f0d871d1c7509c43102beb2e

SHA1
b8428172b217be9d905d12495450fdb2d07f44e2

SHA256
8f7bbf44bfa03784c79a24f5953a2489fdf667486813e1d01f9a9225c8e78462

SHA512
b283f3244ac2026c1a53bec57758619ac2b80899d60ef2bb97a73c91b1b45e1ab9b73b2b1d13a5e252286b731e3bc2b4cc605c34dfeb8ad8a9de10d9340486d8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
63a39ee597693260f1fbe3efef46e473

SHA1
45fd0ba31b1ef34b8b32ef8189b5fba60671582d

SHA256
930f9afd6cf8d975ab2e3952fb22955d6430588c390c2af5232232a6e884d2d6

SHA512
8a256ab9f25fe9289e0dc98b12507b32749498d8ccb5e765b98503dfc7bde8d9d8c7727bed540633781459fe58f1785e39c608b5343645d7a94039f288227117

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ab8f15ac3d93f95acfbb77cd111ff8b1

SHA1
e1942ad7320fe58a22225dea546e0853e25122a2

SHA256
7a61f5cb3d05dfe332bca152595ed305a613a0590234bd00fec466756b6a393b

SHA512
04af8f187a2db8321e1d504b74b60168c40f2748fc80b4d46f111a9e544b1f64eef9abe9ea528b0db146779c31d2be90e40039e98539f8cddd0c275eeb20b2c1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c9f2f7c069701f95f46c44f35f209133

SHA1
021390f2b11984abb75633edff599b46a0c5af7a

SHA256
c7743d34f0cd4a03d80ba4746271c2594720fab2722cb2dfbd349725f2237548

SHA512
e2d800415f818b6f074835064064759a2498007bbd56964baf63af95bf96525755df8fd6b5bf2f09a11d4d3af9256515888de72db2df204ae81251f77aef2f7c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
03f3b33d4bbe76aa34153605496497c4

SHA1
306a16c7953da8c07e9fc53cda8839f260b26c49

SHA256
9baa3b33c12d33ea74b8fd85d68120921eee6c42bfdc657a38d93e22af71585c

SHA512
e1c0c1807b8486e8d974fd753dbb5ff67cfdb354f2a3c986fcc961e30378570b56b908630f27c32f0da877c50983a4aa735f46b8cb8a4a23b74d697b830645a5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
42f6ee10ccae87a2241a0db25225026b

SHA1
445d3bf0474442a38980a2dcec831d5658f793b2

SHA256
0d3ee85ff1c105093564a7674b7cedcb9fd4db9ac1810312e3eb1c2388f9a6e4

SHA512
9ce2fb776be9e97cc3a1eae9e272674b688e62aba07b41c9693d2946bc1d40c5c6424cd5ba094292e327dbc0fcfdfdc221e5ecbaa5c29d94d929073e1ec93e94

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6b5b587c7cd6d29d5616b6c3031db0f6

SHA1
70ec8fc15a9548899b8374c3e08d01c042fa5946

SHA256
1e896878476c31c7bb436711bad28574b387a194b25abe71a00c5cdf50aff202

SHA512
ffc50e8c2f1c7ecf2554bf11b7381b1642bfdfc27ce28c958dee9ca9034d9addf3751c9886009390ca90e65c6aad8dbeeb3b985294181f0ccd8a4adaf6d030f1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1295812329eb190a73aae713483234e5

SHA1
e3c5eb99bbe78519bc7ecbac9208775d4fabe14b

SHA256
4c329d610f2cbdca0d6f3f1b089548ab43dae579c201a688695399f1173d6b9f

SHA512
e5388393aab879133f06fe583e322aa89f3222b34dde1cddb361e28cedb0ebf6bf0868f8b6a29688df64211f8036305c386d97964d819bf98cb9a632cdb952e5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
74c13d0ecd525aac190de49fc2768c0c

SHA1
4b2b47de2bb5e4da494e5738da2e848d56ce3688

SHA256
ff9762cc5619757d3bb6ddff9fbf2aaca9855f3c941bf6ff2bfbc8d88304e9be

SHA512
1000c163c114dbcba1f63dd4382fbbe62489393b66d421094f0aa7adf82556dd828f95f3734a99279f8e352c3b825c364871229638e80c41c0f678236c447b4e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ca3b35a32998cd08671618bcaf979da3

SHA1
e359f209eb4cdcca2b9641d952f03ddebc611555

SHA256
c13231c58483d059b2687a7481ac3afca32d41e43fac9efeeac7fc639ec8c682

SHA512
b080ef53d4131e3db4ec8d984b235a55bc05ccbb9d0e58fcf13cab60b77f83c1dac9c29bf87efec68e87f09d93cd9706955795a27b372fbe767d7fec0bb77824

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
95892cfca9a11bee82e4b52926ef94cf

SHA1
6fde160d6080c676b75079fa2d3267547c17459d

SHA256
96c3e7a456e6aa8385fe7d723b3df38c2c16121e23d079b5e361e3217d1d8492

SHA512
e4708851a9864b7a39b97a0c0a4b2b7b9394ec0974ba85729ed9b6aeb6b6a87bf1af80493039aa3695525a52921abb8fb3f40245d91953fa285a9a659dff946e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ac724a68a6630474b093196be02eead5

SHA1
7beb6e9e18a16ced2347ddc1837eea67f89b4b82

SHA256
f29723b3d584f746b5221af725f51932cbc4e4b4890a76380239b50c092e477f

SHA512
260d6101fcbd40b84d0cfdb4a0bedaa3a6346e828ec2ffde7fd09b5b8e3e43bba1108279dd54ce0f5dc7c9a06e79bac0fff45db07a19bb4c8946fd0cfcd75b32

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3f0cc134357fd5bbc87809890ca3111e

SHA1
e03474b7fa7ae89f10603c21d6111da5650bf10f

SHA256
da40c801f20b118d4ebed1e408b0554a6e10aa1dcfaac6c8c7c32ec144b5a7ce

SHA512
fadcdfa487f7b06c7e71da491766b7eca3687bb190d11501359a32a9f36a0728da46eef5650920c8ed74e7fa7a3f1c35c91a99e0537ac4c6a2a0621683eebff2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7a5bdaf3e4aeff81ffc264299753e8a6

SHA1
d0bdf90df906d0d818014e70d6746cd1990bdf42

SHA256
1824bba66de2101e8eb84abe28ec2029e0aeee69b9a49a076c342271ce836e44

SHA512
96ef9bfbce5f8c50df4e0dadad53ce7e313b0c91553010e69363ea4e4ca51117ca7abf91135200cd8496d9211921a407d076da10a259db03ad2015ad048e968c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
660045c71d1737ba0b0c84688ed6aa9d

SHA1
4af892ec49e7eb6722d6b610c92240291872b2f4

SHA256
2ffcfd48f58493670610d3e5f6cd00df9073d049f7c337f2358433143448054b

SHA512
00495583d723f55d533f6b063f05869035bd279bc6c9f145c1b08853b36f9e497905cea31b78fb57d8b81009829d9cd740a7acadf2a66739223d5b31bb5a253b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8d211e52703e288391ed12a1092841ca

SHA1
1947e2f57620474bc4bb6f9c091d69f296ecdbcc

SHA256
f2729eabff60ea25218b34ccb7d980862e69fd4481e662d3f87e31a11caecf06

SHA512
684777463d5f9fcc90f3dd070c7ac87431dc61dc321d0c91f309d46b814027c9156f487af30abffb4e7418d107095635acc7feb0408c6df664399aa1cc16b130

Download Submit
memory/528-63-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/528-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/528-247-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/528-61-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/820-361-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/820-339-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1000-504-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1000-621-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1336-401-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1336-104-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1336-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1336-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1512-587-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1512-807-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1572-30-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1572-21-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1572-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1572-393-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1588-372-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1588-311-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1660-501-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1660-609-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1864-718-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1864-529-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1912-341-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1912-407-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1988-394-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1988-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1988-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1988-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2168-598-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2168-808-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2612-78-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2612-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2612-84-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3288-586-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3288-475-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3412-48-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3412-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3412-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3412-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3500-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3500-89-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3716-802-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3716-634-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3716-523-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3860-49-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3860-40-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3860-50-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4076-804-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4076-561-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4452-324-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4452-402-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4528-496-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4612-803-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4612-550-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4748-799-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4748-538-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4868-460-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4868-473-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4884-610-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4884-584-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-580-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-809-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5168-622-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5168-810-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5284-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5284-811-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download