Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:30
Static task: static1
General

Target: 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
Size: 6.8MB
MD5: 67b2a42e5719bae4aa2cdbda7aa533bb
SHA1: 32019709338b0b4edd4f9047a78ab1f7f39de3cd
SHA256: 335857898fccba036e634cddc73ee3812929ac3a0a76045127362d21fb91917d
SHA512: 3f6a84bcbce6d427d9b2e0b7df91694a79da3337872c9c250cd72537bd7bf366e5da5391ef3c0f0522d8774ed6f2ec86474cd29c2f2bf209f7c91c2156721382
SSDEEP: 196608:iEKDROWCMZncBmuAQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQy:iE8ROWCMZncx
Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 26 IoCs
Processes:
pid | process
2836 | alg.exe
216 | DiagnosticsHub.StandardCollector.Service.exe
1424 | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
4128 | fxssvc.exe
760 | elevation_service.exe
1108 | elevation_service.exe
4188 | maintenanceservice.exe
4492 | msdtc.exe
764 | OSE.EXE
2396 | PerceptionSimulationService.exe
1020 | perfhost.exe
4480 | locator.exe
1712 | SensorDataService.exe
2456 | snmptrap.exe
1412 | spectrum.exe
4656 | ssh-agent.exe
4852 | TieringEngineService.exe
2256 | AgentService.exe
4804 | vds.exe
5092 | vssvc.exe
3400 | wbengine.exe
1772 | WmiApSrv.exe
3572 | SearchIndexer.exe
1648 | Assistant_108.0.5067.20_Setup.exe_sfx.exe
3528 | assistant_installer.exe
3492 | assistant_installer.exe
Loads dropped DLL 7 IoCs
Processes:
pid | process
4936 | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
4340 | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
1424 | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
3528 | assistant_installer.exe
3528 | assistant_installer.exe
3492 | assistant_installer.exe
3492 | assistant_installer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\D: | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened (read-only) | \??\F: | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
Drops file in System32 directory 31 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\580b6c15822cf6b9.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000672a04b34389da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007868c1b24389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006a3dbb24389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dcca4b24389da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000438d06b34389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3607bb34389da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009599b4b34389da01 SearchProtocolHost.exe -
Processes:
2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 
5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378
c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exepid process 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 
2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 660 660 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exedescription pid process Token: SeTakeOwnershipPrivilege 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Token: SeAuditPrivilege 4128 fxssvc.exe Token: SeRestorePrivilege 4852 TieringEngineService.exe Token: SeManageVolumePrivilege 4852 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2256 AgentService.exe Token: SeBackupPrivilege 5092 vssvc.exe Token: SeRestorePrivilege 5092 vssvc.exe Token: SeAuditPrivilege 5092 vssvc.exe Token: SeBackupPrivilege 3400 wbengine.exe Token: SeRestorePrivilege 3400 wbengine.exe Token: SeSecurityPrivilege 3400 wbengine.exe Token: 33 3572 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3572 SearchIndexer.exe Token: SeDebugPrivilege 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Token: SeDebugPrivilege 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Token: SeDebugPrivilege 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Token: SeDebugPrivilege 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Token: SeDebugPrivilege 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Token: SeDebugPrivilege 2836 alg.exe Token: SeDebugPrivilege 2836 alg.exe Token: SeDebugPrivilege 2836 alg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exepid process 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exeassistant_installer.exeSearchIndexer.exedescription pid process target process PID 4936 wrote to memory of 4340 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe PID 4936 wrote to memory of 4340 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe PID 4936 wrote to memory of 1424 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe PID 4936 wrote to memory of 1424 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe PID 4936 wrote to memory of 1648 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Assistant_108.0.5067.20_Setup.exe_sfx.exe PID 4936 wrote to memory of 1648 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Assistant_108.0.5067.20_Setup.exe_sfx.exe PID 4936 wrote to memory of 1648 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe Assistant_108.0.5067.20_Setup.exe_sfx.exe PID 4936 wrote to memory of 3528 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe assistant_installer.exe PID 4936 wrote to memory of 3528 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe assistant_installer.exe PID 4936 wrote to memory of 3528 4936 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe assistant_installer.exe PID 3528 wrote to memory of 3492 3528 assistant_installer.exe assistant_installer.exe PID 3528 wrote to memory of 3492 3528 assistant_installer.exe assistant_installer.exe PID 3528 wrote to memory of 3492 3528 assistant_installer.exe assistant_installer.exe PID 3572 wrote to memory of 2184 3572 SearchIndexer.exe SearchProtocolHost.exe PID 3572 wrote to memory of 2184 3572 SearchIndexer.exe SearchProtocolHost.exe PID 3572 wrote to memory of 832 3572 SearchIndexer.exe SearchFilterHost.exe PID 3572 wrote to memory of 832 3572 SearchIndexer.exe 
SearchFilterHost.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2c0,0x2c4,0x2c8,0x2b4,0x2cc,0x7ffb0ab87c80,0x7ffb0ab87c8c,0x7ffb0ab87c982⤵
- Loads dropped DLL
PID:4340
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe" --version2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"2⤵
- Executes dropped EXE
PID:1648
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe" --version2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x680040,0x68004c,0x6800583⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3492
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:216
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3632
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4128
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:760
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1108
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4188
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4492
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:764
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:2396
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1020
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4480
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1712
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2456
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1412
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4656
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:752
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4804
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1772
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2184
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 9002⤵
- Modifies data under HKEY_USERS
PID:832
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD54831437bef5966334380c18e870ace88
SHA136b4d51a26ae54b5f103d85de19d48fb871392b4
SHA2561fe7b52ae4290b55898d09eb4650f8a16a8991021bac634071b2cbe8c44e9dde
SHA512c6015b7578a8cf267c0e3a7bca40feb2733379d12d946eb3c658b8c8e46cbe2ff40b74ddae0dd13c94d93afd68645495cbb62dae736d1e06eadbb3723edf63e0
-
Filesize
1.4MB
MD5a6a7c43d4ee787b7ad001343c51d150a
SHA1df3d92f3142512768ef3d61871f3eebb8bef354d
SHA25621b226b8df3ab71bd7a168bd763be20816e35059e15bc0f376280ad852a652a3
SHA5125ae1ca6537ff7fecc37aba9773aa014c4a2ae8a45ba87b9dcf444ad063c213f334d5e45cdfbeb58755481c1cfdb28749a5294d78898ecafd6446c3402c564079
-
Filesize
1.7MB
MD590485497fcee079dd7600134927d30b6
SHA17e0d43ec8936a689b10b87c0b533e14b3e9cb835
SHA256f009e2e4c2aeb5ea5a91e5575c19c766b086d28a11e4b8f5ee495254fbcb7c7c
SHA51256ec45fd4f3dc21ce07da448b501a2350aa5f8161a92bf68f740b62f014d2a9598c0fbe481fe302255a543fd654e2012cb2e2ad95c3d870426ade0b644b3e07b
-
Filesize
1.5MB
MD5f296d9f9377d72d2621a2bf16089e053
SHA1575e093831ace821589fd5641370bcb97f375545
SHA2564e649ef4939fd3c071a4ab68aedf126bba5c107d9d5f8e882e959a8d01aed645
SHA512eb73b21542db15431e824d4a1bf22297a424fc8da793e0769344473fc9288ab2fb345fd9e8caad2e0853a371f7869afb371984054fb9063cdf4e37f9d78c24b2
-
Filesize
1.2MB
MD5bb17a64d5b2613d8786158555c307bd7
SHA1dd2ee38bcae90b4fb699757cd911e6c688eaf2d2
SHA2564f2432ed4c8dc03c091cfa4949246a25bddecefdd7ae16231543d1655c61df01
SHA512a897f0ad4379a2d7b156c93ca915158d61fc848652a97a3d0c3ad4c835472c3e4363c4514a578933f0036bb2c8277b0d0005f6808017e22d6340251199e52fa9
-
Filesize
1.2MB
MD599ec59e4b2166b67e77f1ed3b1c80b6a
SHA16700f3e6e987c21c7a5a8a41f1a1ee1b0056884c
SHA256e848951025e53de4a7766e3c1f7af697eb3d60a981c4eaaf08f12ca5a6e1fa67
SHA51230b02dbf5ddadb04d96901dc89febe9f8ba668b6e76bece65d678ad4e5bb0663c77d051f88fba64e9e388ddc15406cabd2562f9bd6936c34be0593387241b15a
-
Filesize
1.4MB
MD59843926263e907b0742d2b0cd94f194e
SHA1172bdeb97d07fb59b4d022f0ddd88a094b907903
SHA256ba52e4124b4bb433c73d440d43c58b1d0b91cd27edbafe1631aef54ec9e9dac2
SHA5121820dece28a9a4aaf8a16b05062685d8b260b32b91522d1c2ac5f63557dc67fb8e72b76063a7461b623490caafe02a9894afdb6360a7c2158aa68ad40405c0be
-
Filesize
4.6MB
MD5da0c506b0256d49e4f46feaad6953d1f
SHA1e4e951e56d23666254ceb7125d3f86f1e1d63cee
SHA25608a510460b7d8b490b8cdf72ca16e19e0233165c559a5dcba5dd445c173445eb
SHA5128fea841a21aedde46e2d3aa8692f8475e91cfa9bab499f3a28a00397ea6469d1b4bed89593d8d0b31f54d9f0fccc82d1951c81660b3c75b233a2bf238000479f
-
Filesize
1.5MB
MD551d0af6d9915937b6d11110cff563eb1
SHA1e5ee08b7964cb430de775867f60e97e5a9b8dd79
SHA2564c49d6d9b8690813a269291959dec0b1464d201581f6e5a996cb7078f0e17b25
SHA51292d11200a65f15e3fd9c9d34af7eef08991af114fff94d8916df7292be011cc25146326ecca56fee595ee74ad308b67700a74e2cc12cb89757746d19572c1a83
-
Filesize
24.0MB
MD5e2477df0bd81b6a7339d16992447b5c0
SHA10ca6516ab4681acd4a72945e53087890203bccdc
SHA256ccaf7a20320eefb732564bcfbc94e62f4d20917adcd24f50465358ceb71e19d5
SHA512e4106c3639f4cff7d8896b7d68d4a53572cb1c98732637bfb458cd69fd5b63e74d86cf151aac6e1e4ebd36d4c826959546d02e302aa637eea64dfb6137f6cda1
-
Filesize
2.7MB
MD5df9cd84f4475675e638eb9b368733ee1
SHA16f6ea705cc245d25770265e87dfe7d6ddc3ef680
SHA2569404769d1eb0acf1c56b77008544e38e3d3ba284e6bee98cb1ccc23bf6ef1f5b
SHA5120d8dcff3006709695dfb486c48f32a8bd638f50cbfb81ddfa8d9eb8b94bf14129148e49b33dd8f597a3dda8025b6ca05c931f75a9335e5333d284b583e18e71c
-
Filesize
1.1MB
MD5111960ec1144829b4be39f398efa0d72
SHA16180cc666bf8e65d1e159e8575c28431e48bfd76
SHA2561c90b8d769f5a0fab54a99e3ed4bded92f0b5327c203b4390ebd678583d3808a
SHA5121cf77af550e169bf53532d8cafd27439953a4b232de93f6491387c68b6892235ee3ce2dd18d67d3eb39f46fbf8a80467da1bf38e3afb45be63a2fd17446e3085
-
Filesize
1.4MB
MD59f0bff7ec74abad929fe1dfb40971af9
SHA167dd18f616335244c22ba1306a497caf77dd5297
SHA2561345b98e7f87549339212f79ae7bbea0cd548f977e3157b72c71570dfa8b9a54
SHA51244f148dc125fa2cfbb79ac7d4d34f2577912c58c39c43f563f5c521e09b32c84516944dcc698c8951ccf8997c8da75e93c6566e0fc599343820e2eb935593e16
-
Filesize
1.3MB
MD55fb26373f9ee2d3c14879b886480f9f2
SHA16c2a1db24eb758cf5f71bf4a0e861eba0d9c3c0b
SHA25676a99420307e7816134ca3d837d90df9bb21f1d9738fa39e8855b346a36441dc
SHA512775056fd180785ed78ab25cf0b0f90524dcc50ade938b5e657a067f14aa1e6701198eef447485b8d9173dc3761b4026e9cf793fc51ec9f74329ff36f34fcbcbb
-
Filesize
4.8MB
MD5aca4da56c65e6abfdd372d6f3283df22
SHA11b6f2a88b87534474834ecdab2ad9d379690aafb
SHA256173817d5d64515acb0aac8713dfa9530db60c0003d28ab0fc0ce0de05491dfb1
SHA512e9ad1ce44b2959eb73404273ea1827e4f0c4aa64b63cb32c3b9c4a22d0e0f2dd1bef116c725464cbc4b099dcf22d35fe46cdf16d8b023adb744b1bf4e94f321c
-
Filesize
4.8MB
MD5b4805f6d9e3c70c97a309e8ad7ff19bd
SHA1cb7f3318b9d3fd2a6f29f0b671293b6f688ec8d5
SHA2560e77bf552affe92a80900b314c7b74f3e56049651f818b2f9ec229535af77171
SHA512e2ed03ec7e9eacf2b0009ad324580931d84c868061d5b4beb70842a7cb613c14808f418d9d84d9ee6d96ea12990fc1920e365307222dfce114920e2e54b097b6
-
Filesize
2.2MB
MD5960a83040fc7f31797bf82df4b4bfaf0
SHA1aed9a94882df2aba1b599d10e52531abedad058e
SHA25690082d6fe257a99682185102b294f0f86db7554024bc9a3664b38ccea85466b4
SHA512c063b8417eee5ff73d179a9f63d2847c9ef915f35eedec4b34e13f0692694e008476f37292d69c6e04348925ff077853d440f7a2180234959d77c6c1a139d91b
-
Filesize
2.1MB
MD58fbeda2d582f7203fa64c9adb93eab43
SHA146cd45617a6c114db6f53d4ef005d5167ac72218
SHA25629e6e0570937250427af08e38b43eab83e974dd76929b9a9ddb327e49112f7fd
SHA5125470839d3b51484b067d26ebbf60fdf530eed6471d53ecbd664fb7aa97c4db5c8129ec9388f87705da49e56756cae1b1f4a020171bc746e27be2c8c75cb56c0a
-
Filesize
1.5MB
MD50211733eb6e09ff32d6c0ec85633dcdf
SHA1a6f600fc5a7284f81e583eef6f0cf65f7beadbc2
SHA256d44217b80e96efb080d7a9086cd76b54162756270ea5f8644711d1b0e82335c1
SHA512e1bcab00b8232dfe0643d9bc3d0d8cb5c1c19e70140c2eaf89a9b90a06f81d0dcfe5ee92847639888e618d6a2ed0841cc14b6f59d6966a9d13b4d32c4a736751
-
Filesize
1.3MB
MD5ba63abf877af21475994095201baacd3
SHA1d920fb4e5f3d764c7832942a26b123e988f893ce
SHA256fa6189ed891c5ac84599318991d8465a719dae07c5a171dec0b068ab5758cd70
SHA5120568d21991f5e8c6a4a49d526779ff2473b680b2e15fb9fe39e8ccd2792b1e252bdd0e27b288ff75fb3d3e02f65a1b403173f5a9a14cf1f0600fd4beaaa424c4
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
Filesize
6.8MB
MD5
67b2a42e5719bae4aa2cdbda7aa533bb
SHA1
32019709338b0b4edd4f9047a78ab1f7f39de3cd
SHA256
335857898fccba036e634cddc73ee3812929ac3a0a76045127362d21fb91917d
SHA512
3f6a84bcbce6d427d9b2e0b7df91694a79da3337872c9c250cd72537bd7bf366e5da5391ef3c0f0522d8774ed6f2ec86474cd29c2f2bf209f7c91c2156721382
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\additional_file0.tmp
Filesize
2.5MB
MD5
20d293b9bf23403179ca48086ba88867
SHA1
dedf311108f607a387d486d812514a2defbd1b9e
SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
Filesize
1.9MB
MD5
b3f05009b53af6435e86cfd939717e82
SHA1
770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256
3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512
d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\browser_assistant.exe
Filesize
4.4MB
MD5
e08001a17d420cde24580722d0cb7504
SHA1
795ee052fb424b55895a68fd5411769cd0b68446
SHA256
b8fec0b2731065076b3103c628a59a0f38b242aa7659bafa3bde57aa7fee7603
SHA512
7262709eed4fd5359af69c4058b37bdea980a52036a874d5ee196b8289f1cfcd382a1712f4510734fdadf4dbddef5627416cec130d679e4b25a351f4815e8bb4
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\dbgcore.dll
Filesize
166KB
MD5
8b6f64e5d3a608b434079e50a1277913
SHA1
03f431fabf1c99a48b449099455c1575893d9f32
SHA256
926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512
c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\dbghelp.dll
Filesize
1.7MB
MD5
925ea07f594d3fce3f73ede370d92ef7
SHA1
f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256
6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512
a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\launcher.exe
Filesize
2.3MB
MD5
6b4e7f64ad78b87801c683e80d9da951
SHA1
14ee0af80a1e63a7e2dee5448b26f07e6559dffb
SHA256
4bf13400e417ee0dcadabbe8c568b0e5de65976f31363a81dc1c075ef5826ed6
SHA512
87b77795875945fd155d0b69d5dd0e2068ad43cc422b00d6b1eb84240d145924eedc8bddf1bbab622caba4f1e28c2e5b423132df32fbde355ed00f23f3b0d9f6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\opera_package
Filesize
103.9MB
MD5
f9172d1f7a8316c593bdddc47f403b06
SHA1
ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52
SHA256
473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b
SHA512
f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02
-
Filesize
5.6MB
MD5
d7d32a284a6cbaac784ab2c8c144215b
SHA1
620bb04f32e90420aa5e43124cf366505587b2dc
SHA256
b00cd59787d9356f9a70d679dccba58b4b58713b69876ccdcef4bcf0724e7b41
SHA512
e35f7d034daa1dbbcbde0c0f2979d329ae8b9367a9241af726a761414ec85666756be3b698c8c0ec354b9f76d0bd06e6c9d232de9150510ed056898936f643c7
-
Filesize
40B
MD5
26dbf1cc6f1e1e758766cf725cfff5a6
SHA1
3310dbefdbb4e8d127e199a6947aa4f5cb9c1306
SHA256
59f7c4207e5715ff2614f3f88194c13bbd437780c86198056ef9f9b96149e97b
SHA512
ac7922c21738ebc09be4fa564723a133059a7ac2816019579c55b6b1b6acb3d3a73c83dded06183bb7205ae1fa6920b573aeecbc35ce35abdebfc9a8644a8ff1
-
Filesize
1.2MB
MD5
f03d63f5141bfc516ed06583681999b3
SHA1
3e84741d8f49d9882b279fd4792f856fc56099d1
SHA256
39f421c3043e8ce5f4f0366dda202524c670fd0bb27d789a230ce66094d0fd59
SHA512
20fdb240855947ceda4e71ab5cfd343c64adbd12e728c57a472b4f426a6481a50bf2cb7775d48eb5edae97ee118c8832ee5b57244f8eb5d0567977acaf9d7671
-
Filesize
1.7MB
MD5
0a8056809e4be1eab72fa307d2fe1aba
SHA1
e061a2d7053243b3979f1701e93109658b427df3
SHA256
ed83c762a5e575e6d592b9f935986f8db11171837f70b76ae54a9332deda7d39
SHA512
77419e4d3dface63a3ea3568729ea8afa436ea26126cdd4e8f258a56a02d3cd0788819e7a864b477c55f6ccd285f2fc1b914b8c2091f1b24988a8e48ddebcb02
-
Filesize
1.3MB
MD5
de1e71f4ca501d43c9acafb78af3d1df
SHA1
ae40766aa0a3727f0700daf3180ecf7de8c865f1
SHA256
315ca445d87e8d51375783ded5045757683ae4e8ccf72a426ec282368a267296
SHA512
164a60289616ba0eec12d4036f853dea933e54d0c2106af877ca1f0c75f5168403e4436c3a43c69b1caa2caf782dc678a8d88704d11051a96d5bc95349e9969d
-
Filesize
1.2MB
MD5
252bd8d874fa9008be65984c75a497d2
SHA1
da05a06c390a76522a2c24d37069d1e3530d82c4
SHA256
85b27c2afcd2a592ad3ea8867c4f33f91e09a620d2526ff9e96d93b6c140aa7f
SHA512
e6f032fbc5e888887f398fbb011f6d0a38fd72c99c53b18a9fcc3cbeecc1fcce5c867646d199e869fb51a747525cd6a62a532c0b34f8cd835f975f817a391530
-
Filesize
1.2MB
MD5
b4370d312df642f768a1b68e921ca21b
SHA1
9f85a10cf76566f12d25dc7c561261774c85bbf6
SHA256
da745ee7ef21855d2f415538e108de88966a70424c17bf617fe99977c6aee823
SHA512
ff0f893b2a1cf333b87f0e110976982c6669ac4260dfe3a348d002bbd5ff7423d1f55eb2d6b57316a33c83584ac8046369194b91b796f5950e10de281fd9ccdb
-
Filesize
1.5MB
MD5
95c43c2cc3a4f5b94c9bf28f3d127d9f
SHA1
922926d24b5c503d6422e5174fbb9144cc6b422f
SHA256
4898da28a4d7c9e21ee5fd67558f2a46ff0078314821520304b93ac71d60aa7e
SHA512
2f4604fa244376bbc1e6e7b6aa011bd7a2dd35cdb8c33be43100080026315d9ef377a2fcbab0ca56d33111d2e7460406dfde21c6f5cebc94adb79e69ddef6851
-
Filesize
1.3MB
MD5
407b6fa2d0f954147d02c26d5dedb657
SHA1
eec152bc13a10ebc156cf4b70703f6cefc7c0ded
SHA256
ede792d912bd1d7b193bc5a1cd0e1791c8f6125fd98957f646eebc3c381ba360
SHA512
a77c9a4831dcf4d667e607383d935d98b2926e6c4a2402cbefaf6d557f07da4a0d03e5ea19f1035c83214607d21c4a9bad2ce50ef0c3c4280af01dd0ce820353
-
Filesize
1.4MB
MD5
0e1c10a59db3082c3d78e44c3d201036
SHA1
5b82d1bb7ebb4876cdfa29c9f6364399b794a697
SHA256
9ece7bfa22fafc2d0f9204b24cbd66a985de47415a8bf5318b9e9d0eaabe9a12
SHA512
2bc51158a1ed37e3e3d38f5c4b2c323cfc5befc1cf3f0b867b5da90ca1343f8dfb86c3369143f32ba03b1cea482bc4188a82fd5b4d7145680343180fef0f0551
-
Filesize
1.8MB
MD5
4a86f6778aeb577d7340953eddf59c66
SHA1
c2aa935a5b1b8ec918bac29ad88cef3fa5193838
SHA256
d92cff7b15c3303795a164108354b7d0b2032f586b7193306fdaa2beea432fa3
SHA512
cd58898bb47c7732010d08905c2aa827b387372fc522485b05390d25eb86c4f0c7c97e67c0ca2e59e4a02a9591bfba71601972500c964381e7080cb853c54848
-
Filesize
1.4MB
MD5
be9e77328c180fdd88de227d6d9e7960
SHA1
37a4ca60a708148a18b00121931f6ebeaf682a93
SHA256
9f5d2f10a292c04e4791ce1aaf70d21034f4ee74d0435102bca0b35a2d3fdada
SHA512
717e5e11583d00cb704bc82f4a5d151c394ace8f67ede33723ab66ac97fdad2401e72d42381875c75980fda8d911dce72a78dd04c4a2bcc7a97398071e652031
-
Filesize
1.5MB
MD5
1872b399e33ff8f7bfcbd5e0559afe0d
SHA1
2d07f42485333af73a90769530b2b7d08c23f8f2
SHA256
2591a1924b4d57ad09427667f8dc49cead81d7bb856da20605e2dcc7dfec6938
SHA512
2e3c5ed21d75d2e9b92c8b3588a2e5e96221f9027d12a64b107921d273abd041776beb2d23eb61f59a4491ee8ed9efd1765a84fd46cc1f98a368ef0cda768ead
-
Filesize
2.0MB
MD5
420939406a640b9d297e6e1f9f8f3b82
SHA1
ff49b1fa00515f80a28f6a07cffcb91acabbdc61
SHA256
151fb9d877d2c63b26accc7f4c60edd4e51baa2a4c3bede235cb50424ccbe55e
SHA512
b8f40c34989409d7f80c52a87ea3ff15c7621acd47823864fcb1403e23166083ea1fa885fa03fefae59c0a52e051a8e6a0c3d3be59195dea05575ba0d7d17b5e
-
Filesize
1.3MB
MD5
e811bd116844984f881605214717ffcc
SHA1
9739ec732e0a808e84c691d0df55ad5cd078470b
SHA256
7272d29ef99eb4e0ff0577e9f5e3d98bfee5f9f9d31f5d8fbe3e577d36fbcc87
SHA512
75497f4234a24bf77cdc6cfdf11727d08938f7b8cb861bd1c609a4e8d67e9519ccf71e60e96f9bdab5f4cecb072e09e99654d8cd8234c8cbf4082c8cf8371f31
-
Filesize
1.3MB
MD5
c741e47ef58c68c1c7b87f5d266d2d7e
SHA1
ef490d0378453acaa666ee6f4b7bfbba5449a2fa
SHA256
1dfddbe7cbdc869bdda9d9c2067b1e12a774f4b7fbee20e4ca46a3700d89a96b
SHA512
7f905ed245ef2f7673a79a47a981c490dbbe1ad4300fed0d88ed8e3c5621d82826dacac523c8002dd8b8e4191f885e745a92bfd3df747448cbfcf13359975a7b
-
Filesize
1.2MB
MD5
3223d663fbae607eed4b076fe39f6fd5
SHA1
82b8400fa5849a8da57a2bd72a6524461df2a44d
SHA256
cc6de0e152426e1b9e326cddaefd73ffe5cc66ca639c518ac11e9b8a87fb958d
SHA512
31710eb5197f5770783d59cad6ca828ac2372c70e9133bc4ca6fcf2201875ce1da572142805cb1245d8c222c746de41e6940c6cfdd2ba025c26b01970802134a
-
Filesize
1.3MB
MD5
2d6d2fec3256ee84344cd880c37bceb7
SHA1
23b32c2f3814aae0cadfabfaa680a3a150607899
SHA256
c5db62e4ad1c176a45994936be8f61723fd8cd78861e342b93bff574045b57cd
SHA512
f56c6e3ec9b6c94246b3eae43b70bfcacb6f8ae1dbfcc46bd7b36b117e65cd071aa2ccc3f65572694458b873914d489fe318f8933b4d6744c450fc8f47ccd36e
-
Filesize
1.4MB
MD5
ad733b52a8cc7eb6efc603e2f88e26a8
SHA1
7682daf13bfd48f9f9fbba6f9c71d4163986a40c
SHA256
fba2bdf95acd008fc96e0b2d428d710a7071a1641be78e5081e676c051410b61
SHA512
367d784d3e122e38253181946a14cf4885c41867deb9eda88b43f55407547654480019611a9bacbea6ba9f075c6336df51a4acabcc1dd4a2cf40e44196752236
-
Filesize
2.1MB
MD5
a015f36a7e0865e4fb4a18605ded0065
SHA1
6af60465fd1255b3abe725135fc37e5a22f84c1b
SHA256
98d00c3030a2e81ac63810985adb73ed3b7aadf7b98c6f45f76cfdaccb334f33
SHA512
e52dcffbbacbe7765e907ac16d08c2e562f3d71f12eecf11080ac370f3258b1c3f3ca9b611ddb8f8e2549479bd3d8b294bd19ac99b292a178eafd66124cf54ab
-
Filesize
1.3MB
MD5
5c4c3799569662e968af2a713bd7c9e4
SHA1
a3c237522d468f800249ef137bd3ef4ff42c4cd3
SHA256
ce276d0caa0d0919bb866aeb64dbedf3d6a79b9846a50305d8dff27c854280a7
SHA512
383037e0845b66eb0883a2eb93e90ddf35ff523f7e58d0c10322faa94cd94feccb39fcb6e664ddeeaa17eccc82de5948c4b938aab52c69df0ea4d3474f20aa79
-
Filesize
1.5MB
MD5
446c1e8c922899ca3a2be611fc9ac2c6
SHA1
9dcf12a5e9f603672322617f68b41ef803e957a7
SHA256
f577b6b7f1ce1bbc9d5e83f8bf371661f603d77e79b321a465fa2b7c3fe044f7
SHA512
2eabc8b0ebb5c33d9503e7b18e05516657e2cef0b5195cd1ace2d8421e38a4ef2a7620a2e3b2513203c97b88ae83bc19eef2652db4cfb468716aacbcbd57367e
-
Filesize
1.2MB
MD5
fa2e14149f7aa427ae7b914b6fb9146f
SHA1
51a70833b32666b3ec692d0d54922a64954de822
SHA256
9c4cb4801c76c3061fa0dc69600986b1389d118b09a2a0f1c294a701f387b93a
SHA512
a0e777e463173fe7e5728d1766ed3b2408c439e6724c18d85b7ff82d15b8a095a725bcc6e930e1e67274470f2bed52c899919c2c779da3ce0b78164b47832191
-
Filesize
5.6MB
MD5
95b7d74e6b8e6d4da5a79131ea7c69ad
SHA1
8a04a82addce4483a35dc2c96e6e905f34208a8e
SHA256
6140d494e2b320272396a0b0defaec124d0eedca86e4c41613cc36201f12da76
SHA512
d0d0ec2147072c4bf3c7f9bbd0ddf68b96ba685b4c81958b52f7a25a74845a7d03c00964e7979128978c551d7b30da041beaaf6cd5cd88544a295c4a8fc6f145
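The dropped-files listing above is only useful as an IoC set once it is machine-readable and once a file pulled from an infected host can be checked against it. The following is an added example, not the sandbox's own export tooling: a parser for this listing format that accepts both layouts such reports come in when extracted (the label fused to the value, as in `MD5<hex>`, and the label on its own line with the value on the next), validates digest lengths so a truncated hash is rejected rather than silently stored, and compares local bytes against a record using all four algorithms. The two-entry input is constructed from the `dbgcore.dll` entry and the 40-byte entry in the report; the `DroppedFile` record, the function names and the size-rounding convention are this example's assumptions.

```python
"""Parse a sandbox 'dropped files' hash listing and check local bytes against it."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: two entries copied from the report, one in the label-fused
# layout ("MD5<hex>") and one with label and value on separate lines.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\dbgcore.dll
Filesize166KB
MD58b6f64e5d3a608b434079e50a1277913
SHA103f431fabf1c99a48b449099455c1575893d9f32
SHA256926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
Filesize
40B
MD5
26dbf1cc6f1e1e758766cf725cfff5a6
SHA1
3310dbefdbb4e8d127e199a6947aa4f5cb9c1306
SHA256
59f7c4207e5715ff2614f3f88194c13bbd437780c86198056ef9f9b96149e97b
SHA512
ac7922c21738ebc09be4fa564723a133059a7ac2816019579c55b6b1b6acb3d3a73c83dded06183bb7205ae1fa6920b573aeecbc35ce35abdebfc9a8644a8ff1
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest SHA label first so "SHA512<hex>" is never split as "SHA1" + "512<hex>".
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA512|SHA256|SHA1)(.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class DroppedFile:
    path: Optional[str]  # None when the report gives no on-disk path
    size_bytes: int      # approximate: the report rounds sizes to one decimal
    md5: str
    sha1: str
    sha256: str
    sha512: str


def parse_size(text: str) -> int:
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def _build(path: Optional[str], fields: Dict[str, str]) -> DroppedFile:
    missing = [k for k in ("Filesize", *DIGEST_LEN) if k not in fields]
    if missing:
        raise ValueError(f"entry {path!r} is missing {missing}")
    for label, n in DIGEST_LEN.items():  # reject truncated or mislabelled digests
        v = fields[label]
        if len(v) != n or not re.fullmatch(r"[0-9a-f]+", v):
            raise ValueError(f"bad {label} for {path!r}: {v!r}")
    return DroppedFile(path, parse_size(fields["Filesize"]), fields["MD5"],
                       fields["SHA1"], fields["SHA256"], fields["SHA512"])


def parse_listing(text: str) -> List[DroppedFile]:
    """Entries are separated by a lone '-'; a label with no value takes the next line."""
    records: List[DroppedFile] = []
    fields: Dict[str, str] = {}
    path: Optional[str] = None
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if fields:
                records.append(_build(path, fields))
            fields, path = {}, None
        elif pending is not None:
            fields[pending] = line if pending == "Filesize" else line.lower()
            pending = None
        elif PATH_RE.match(line):
            path = line
        else:
            m = LABEL_RE.match(line)
            if not m:
                raise ValueError(f"unexpected line: {line!r}")
            label, value = m.group(1), m.group(2).strip()
            if value:
                fields[label] = value if label == "Filesize" else value.lower()
            else:
                pending = label
    if fields:  # the last entry may have no trailing '-'
        records.append(_build(path, fields))
    return records


def digests(data: bytes) -> Dict[str, str]:
    """The same four digests the report lists, computed over local bytes."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "sha512": hashlib.sha512(data).hexdigest()}


def matches(record: DroppedFile, data: bytes) -> Dict[str, bool]:
    """Per-algorithm agreement. Require all four: MD5 collisions are practical,
    so an MD5-only match does not establish that this is the same file."""
    got = digests(data)
    return {name: getattr(record, name) == got[name] for name in got}
```

To triage a file recovered from a host, read its bytes, call `matches()` against each parsed record, and treat only an all-four agreement as a hit; the `size_bytes` field is for sanity checks only, since the report rounds sizes to one decimal.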