Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 14:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe
Resource: win7-20240508-en
General
Target: 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe
Size: 5.5MB
MD5: 2aa28d25d747a12330c753887294a979
SHA1: e0e37e1f6d6b683c9a7e6e805943be1a2a3d9c06
SHA256: 580f25cc5f204caec104e807bfc9c3d154b1a46ae6d1cbd8e786a966114c70fa
SHA512: fb32e44b20a7770f35bfe977b023da7485a9ecd12ecb4dc83075a25060ad97b2f8e14e68002813f555791a75d11331818839f91095da2480c2f0c592e4386482
SSDEEP: 49152:IEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf4:GAI5pAdVJn9tbnR1VgBVmveD5s0JXP
Malware Config
Signatures
Executes dropped EXE 25 IoCs
pid | Process
3536 | alg.exe
684 | fxssvc.exe
3008 | elevation_service.exe
4152 | elevation_service.exe
1052 | maintenanceservice.exe
4636 | msdtc.exe
4448 | OSE.EXE
4928 | PerceptionSimulationService.exe
2784 | perfhost.exe
1064 | locator.exe
2780 | SensorDataService.exe
4120 | snmptrap.exe
4476 | spectrum.exe
4948 | ssh-agent.exe
1088 | TieringEngineService.exe
3984 | AgentService.exe
388 | vds.exe
4276 | vssvc.exe
4580 | wbengine.exe
2256 | WmiApSrv.exe
3164 | SearchIndexer.exe
5844 | chrmstp.exe
6008 | chrmstp.exe
6100 | chrmstp.exe
5124 | chrmstp.exe
Note: apart from maintenanceservice.exe and chrmstp.exe, every image in this list also appears in the "Drops file" tables below as a path the sample opened for modification before the image ran. These are existing service and helper binaries on the analysis image, not files the sample created under a new name, so "dropped EXE" here means the on-disk binary was rewritten in place and then started.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
The report lists no IoC rows under this signature, so it cannot be tied to a specific process or path from this page.
Drops file in System32 directory 27 IoCs
Process column: "sample" denotes 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe.
description | ioc | Process
File opened for modification | C:\Windows\system32\wbengine.exe | sample
File opened for modification | C:\Windows\System32\alg.exe | sample
File opened for modification | C:\Windows\System32\SensorDataService.exe | sample
File opened for modification | C:\Windows\system32\AgentService.exe | sample
File opened for modification | C:\Windows\System32\vds.exe | sample
File opened for modification | C:\Windows\system32\AppVClient.exe | sample
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | sample
File opened for modification | C:\Windows\system32\vssvc.exe | sample
File opened for modification | C:\Windows\system32\SearchIndexer.exe | sample
File opened for modification | C:\Windows\System32\msdtc.exe | sample
File opened for modification | C:\Windows\SysWow64\perfhost.exe | sample
File opened for modification | C:\Windows\system32\locator.exe | sample
File opened for modification | C:\Windows\system32\fxssvc.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | sample
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | sample
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4712c738e703f493.bin | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | sample
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | sample
File opened for modification | C:\Windows\system32\AppVClient.exe | sample
File opened for modification | C:\Windows\system32\msiexec.exe | sample
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | sample
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | sample
File opened for modification | C:\Windows\system32\TieringEngineService.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | sample
File opened for modification | C:\Windows\System32\snmptrap.exe | sample
File opened for modification | C:\Windows\system32\SgrmBroker.exe | sample
Note: every sample-attributed row is an existing Windows service or host binary being opened for write, which is why the same names show up as executed dropped EXEs above. Apart from msdtc.exe writing its own MSDTC.LOG, the only write not performed by the sample is elevation_service.exe creating 4712c738e703f493.bin under the SYSTEM profile's AppData\Roaming; that file is the one artifact in this table that did not exist on the clean image and should be collected with the sample. On a suspect host, the listed .exe paths are the ones to check for a valid Microsoft Authenticode signature, since an in-place overwrite breaks it.
Drops file in Program Files directory 64 IoCs
All rows: description "File opened for modification", Process 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe.
ioc
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe
C:\Program Files\Java\jre-1.8\bin\keytool.exe
C:\Program Files\Java\jre-1.8\bin\pack200.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk-1.8\bin\rmic.exe
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
C:\Program Files\Java\jre-1.8\bin\rmid.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\Common Files\microsoft shared\ink\mip.exe
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
C:\Program Files\Mozilla Firefox\pingsender.exe
C:\Program Files\Java\jre-1.8\bin\orbd.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
C:\Program Files\Java\jre-1.8\bin\javacpl.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
C:\Program Files\Java\jre-1.8\bin\servertool.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Java\jre-1.8\bin\klist.exe
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Java\jdk-1.8\bin\ktab.exe
C:\Program Files\Java\jdk-1.8\bin\orbd.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe
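The useful relationship in the three "Drops file" tables and the "Executes dropped EXE" table is that the sample opens existing .exe files for write and the same images then run. The script below is an added example, not part of the Triage report, that parses a constructed excerpt of the report's own rows (copied from this page), joins the two tables on image name, separates the follow-on writes made by the rewritten binaries, and produces the list of paths a responder would feed to an Authenticode check. Function names and the row excerpt are mine; only the paths, PIDs and process names come from the report.

```python
import re
from collections import defaultdict

# The submitted sample, as named in the report.
SAMPLE = "2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe"

# Constructed excerpt: rows copied from the report's "Drops file in ..." tables
# (description, ioc path, acting process). <SAMPLE> is expanded below.
MODIFIED_ROWS = r"""
File opened for modification C:\Windows\system32\wbengine.exe <SAMPLE>
File opened for modification C:\Windows\System32\alg.exe <SAMPLE>
File opened for modification C:\Windows\system32\fxssvc.exe <SAMPLE>
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\4712c738e703f493.bin elevation_service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe <SAMPLE>
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe <SAMPLE>
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE <SAMPLE>
""".replace("<SAMPLE>", SAMPLE)

# Constructed excerpt of the flattened "Executes dropped EXE" row (pid, image pairs).
EXECUTED_ROWS = ("3536 alg.exe 684 fxssvc.exe 3008 elevation_service.exe "
                 "4152 elevation_service.exe 4448 OSE.EXE 4580 wbengine.exe "
                 "5844 chrmstp.exe")

# Path may contain spaces; the acting process name never does, so anchor on the last token.
ROW_RE = re.compile(r"^File opened for modification (.+) (\S+)$")
PID_RE = re.compile(r"(\d+) (\S+)")


def normalize(path):
    """Strip the NT object-manager prefix so both spellings of a path compare equal."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_modified(text):
    """Return [(path, acting_process)] for every 'File opened for modification' row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((normalize(m.group(1)), m.group(2)))
    return rows


def parse_executed(text):
    """Return [(pid, image)] from the flattened 'Executes dropped EXE' row."""
    return [(int(pid), image) for pid, image in PID_RE.findall(text)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def overwritten_then_executed(modified, executed):
    """Map lower-cased image name -> {path, pids} for .exe files the sample opened
    for modification that later appear in the executed-dropped-EXE table."""
    pids = defaultdict(list)
    for pid, image in executed:
        pids[image.lower()].append(pid)
    hits = {}
    for path, proc in modified:
        name = basename(path)
        if proc == SAMPLE and name.endswith(".exe") and name in pids:
            hits[name] = {"path": path, "pids": pids[name]}
    return hits


def writes_by_dropped(modified):
    """Rows whose acting process is not the sample: follow-on writes by binaries
    the sample had already rewritten (e.g. the .bin dropped in the SYSTEM profile)."""
    return [(path, proc) for path, proc in modified if proc != SAMPLE]


def verification_targets(modified):
    """Sorted, unique .exe paths the sample wrote to. On a suspect Windows host these
    are the paths to pass to Get-AuthenticodeSignature; an in-place overwrite of a
    Microsoft-signed binary leaves it with an invalid or missing signature."""
    return sorted({path for path, proc in modified
                   if proc == SAMPLE and path.lower().endswith(".exe")})


if __name__ == "__main__":
    mods = parse_modified(MODIFIED_ROWS)
    hits = overwritten_then_executed(mods, parse_executed(EXECUTED_ROWS))
    for name, info in hits.items():
        print(f"{name:24} pids={info['pids']}  {info['path']}")
    for path, proc in writes_by_dropped(mods):
        print(f"secondary write by {proc}: {path}")
    print("\n".join(verification_targets(mods)))
```

On the excerpt, the join reports alg.exe, fxssvc.exe, elevation_service.exe (two PIDs), OSE.EXE and wbengine.exe as rewritten-then-executed, leaves java.exe out because it never ran, and leaves chrmstp.exe out because no row shows the sample writing it; the two secondary writes are the .bin from elevation_service.exe and MSDTC.LOG from msdtc.exe. Paste the full tables from the report in place of the excerpt to get the complete lists.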
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
In this run every row is attributed to SensorDataService.exe or spectrum.exe, two service binaries the sample had opened for modification (System32 table above) and that then ran as dropped EXEs. Both services enumerate attached devices as part of normal startup, so this signature on its own is weak evidence that the sample's own code performs a sandbox check; what a check would find here are the QEMU and Msft Virtual DVD-ROM device identifiers listed below.
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted).
description | ioc | Process
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Both rows are attributed to TieringEngineService.exe, another of the service binaries the sample opened for modification and that then ran; as with the SCSI reads above, the signature does not by itself show the sample's own code performing the check.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
All three rows are attributed to chrome.exe, not to the sample or to one of the rewritten service binaries.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
The acting processes are SearchProtocolHost.exe and SearchFilterHost.exe (the worker processes of the SearchIndexer.exe service started above), fxssvc.exe and chrome.exe. The values written are MUI-cache display strings and shell-extension cache timestamps under the .DEFAULT hive, which is the indexer populating its caches after being started; none of the rows shown is a run key or other persistence location. The page shows 54 of the 64 rows; the last is cut off in the source.
Prefixes used below:
<MuiCache> = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E
<Cached> = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
description | ioc | Process
Set value (str) | <MuiCache>\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | <Cached>\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e1257d641b0da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | <Cached>\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f80bcd641b0da01 | SearchProtocolHost.exe
Set value (data) | <Cached>\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee732bdd41b0da01 | SearchProtocolHost.exe
Set value (data) | <Cached>\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049e3bcdd41b0da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (data) | <Cached>\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dede3dc41b0da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | <Cached>\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022375ed641b0da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008239c3d641b0da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af8be1dc41b0da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
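The two registry tables above are dominated by Windows Search indexer churn: SearchProtocolHost.exe and SearchFilterHost.exe rewriting MuiCache strings, Shell Extensions\Cached timestamps and FileExts keys under HKU\.DEFAULT, with only a handful of rows attributed to other images (chrome.exe, chrmstp.exe, fxssvc.exe). The script below is an added triage example, not part of this report or of the sandbox's tooling. It parses rows in the report's `<op> <NT registry path> [= <value>] <process>` grammar, rewrites the NT object-manager prefixes to the hive abbreviations most SIEM rules use, and separates indexer noise from writes that deserve a look. The noise patterns and process list are this example's own assumptions; the sample rows are copied from the tables above.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the report's two registry tables.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe',
    r'Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f80bcd641b0da01 SearchProtocolHost.exe',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe',
    r'Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe',
]

# Row grammar as rendered by the report:
#   <Key created | Set value (type)> <NT registry path> [= <value>] <process image>
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+(?P<value>.*?))?'
    r'\s+(?P<process>\S+\.exe)$',
    re.IGNORECASE,
)

# NT object-manager prefixes -> hive abbreviations (longest prefix first).
HIVE_MAP = (
    (r'\REGISTRY\MACHINE', 'HKLM'),
    (r'\REGISTRY\USER\.DEFAULT', r'HKU\.DEFAULT'),
    (r'\REGISTRY\USER', 'HKU'),
)

# Assumption (this example's own): paths the Windows Search indexer rewrites
# on every crawl. High volume, and not attributable to the sample.
NOISE_RE = re.compile(
    r'\\Software\\Classes\\Local Settings\\MuiCache\\|'
    r'\\Shell Extensions\\Cached|'
    r'\\Explorer\\FileExts|'
    r'\\Software\\Microsoft\\ActiveMovie',
    re.IGNORECASE,
)
NOISE_PROCESSES = {'searchprotocolhost.exe', 'searchfilterhost.exe'}


def to_winreg_path(nt_path):
    r"""Rewrite \REGISTRY\... to HKLM\... or HKU\... (unchanged if unknown)."""
    for prefix, short in HIVE_MAP:
        if nt_path.upper().startswith(prefix.upper()):
            return short + nt_path[len(prefix):]
    return nt_path


def parse_rows(rows):
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f'row does not match report grammar: {row!r}')
        d = m.groupdict()
        d['hive_path'] = to_winreg_path(d['path'])
        parsed.append(d)
    return parsed


def triage(rows):
    """Return (noise, review): indexer/MUI churn versus rows worth a look,
    the latter grouped by lower-cased process image."""
    noise, review = [], defaultdict(list)
    for r in parse_rows(rows):
        proc = r['process'].lower()
        if proc in NOISE_PROCESSES or NOISE_RE.search(r['path']):
            noise.append(r)
        else:
            review[proc].append((r['op'], r['hive_path'], r['value']))
    return noise, dict(review)


if __name__ == '__main__':
    noise, review = triage(SAMPLE_ROWS)
    print(f'{len(noise)} indexer/MUI rows dropped')
    for proc, rows in review.items():
        for op, path, value in rows:
            print(f'{proc}: {op} {path}' + (f' = {value}' if value else ''))
```

On the rows above this leaves two items to look at: chrome.exe creating the TPM telemetry key under the LOCAL SERVICE hive (S-1-5-19) and chrmstp.exe registering a CLSID Instance key under HKLM, both consistent with a Chrome first-run and installer rather than with the sample itself.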
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
3416 chrome.exe
3416 chrome.exe
1076 chrome.exe
1076 chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
3416 chrome.exe
3416 chrome.exe
3416 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1784 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe
Token: SeTakeOwnershipPrivilege 4700 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe
Token: SeAuditPrivilege 684 fxssvc.exe
Token: SeRestorePrivilege 1088 TieringEngineService.exe
Token: SeManageVolumePrivilege 1088 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3984 AgentService.exe
Token: SeBackupPrivilege 4276 vssvc.exe
Token: SeRestorePrivilege 4276 vssvc.exe
Token: SeAuditPrivilege 4276 vssvc.exe
Token: SeBackupPrivilege 4580 wbengine.exe
Token: SeRestorePrivilege 4580 wbengine.exe
Token: SeSecurityPrivilege 4580 wbengine.exe
Token: 33 3164 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3164 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3164 SearchIndexer.exe (24 identical rows)
Token: SeShutdownPrivilege 3416 chrome.exe (13 rows, alternating with the next)
Token: SeCreatePagefilePrivilege 3416 chrome.exe (13 rows)
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
3416 chrome.exe
3416 chrome.exe
3416 chrome.exe
6100 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1784 wrote to memory of 4700 1784 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe 83 (2 identical rows)
PID 1784 wrote to memory of 3416 1784 2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe 85 (2 identical rows)
PID 3416 wrote to memory of 2948 3416 chrome.exe 86 (2 identical rows)
PID 3416 wrote to memory of 1052 3416 chrome.exe 111 (31 identical rows)
PID 3416 wrote to memory of 3580 3416 chrome.exe 112 (2 identical rows)
PID 3416 wrote to memory of 4964 3416 chrome.exe 113 (25 identical rows)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy Service (VSS) manages the volume snapshots that backups are taken from. In this run the VSS service itself (vssvc.exe, PID 4276) started and enabled SeBackupPrivilege and SeRestorePrivilege, which is the expected profile for that service; the signature records that the COM API was exercised, not that any shadow copy was created or deleted.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1784

    C:\Users\Admin\AppData\Local\Temp\2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2024-05-27_2aa28d25d747a12330c753887294a979_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 4700

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 3416

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ad6ab58,0x7ffa6ad6ab68,0x7ffa6ad6ab78
          PID: 2948

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:2
          PID: 1052

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 3580

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2128 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 4964

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:1
          PID: 1512

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:1
          PID: 4504

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:1
          PID: 2364

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 4564

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 5040

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 2316

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4256 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 5160

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 5556

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 5776

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          - Executes dropped EXE
          PID: 5844

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
              - Executes dropped EXE
              PID: 6008

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of FindShellTrayWindow
              PID: 6100

                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
                  - Executes dropped EXE
                  PID: 5124

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:8
          PID: 4800

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5064 --field-trial-handle=1916,i,13285473916639675206,18063586116173666611,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 1076

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID: 3536

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 436

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 3008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 1052

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 4636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4448

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4928

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2784

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1064

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2780

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4120

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4476

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4948

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 3552

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1088

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3984

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 388

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4276

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4580

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 2256

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3164

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5348

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      - Modifies data under HKEY_USERS
      PID: 5648
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 6cc9332ff95f73886844ccd531e66942
SHA1 861ab53ece58873a07fd9a5e824df575e8dae867
SHA256 a41eaf1f032470c448c69199c07c278bc33c29cc5590c2e65074064d00d3ea90
SHA512 c222257d5b92d7e3f6f89b7a9de56c1198b6200ea384574f09beb9629d34a1894f8b8bd3f4eaf23a1a3f9e3beb813cb1f0dd735a5068dee8359752c45591b079
-
Filesize 1.5MB
MD5 22da8ea2c3c4a6fd14090c44522c6ed4
SHA1 ee29e0b721c8744405d19b59459b4742ddbcef39
SHA256 20dea0454824b3f2a9aea1d3690747a88bf674833aa81b513a19cd960a42a159
SHA512 5a01084ee416daae47daaa8607dd7709f6c0ab4d035d10c5cc7e206bb97c15e795db7cbe90113bf5cea82322a645fea57affd08d7afd972ca91c08d67bd00f56
-
Filesize 1.5MB
MD5 7f422947f16547e98f5942476a79d5d3
SHA1 86acb2e55f12e245ac6e8f0385b291fa6260f6c1
SHA256 0ab5d1490a7207d8f137a624de7a2bfe2f8941602e852ad2406f2b83cb712317
SHA512 08c75915a47dc9e7f5b20c70dce9c0cd509a49e6639244ebdaea9b2ecd0fd34289131ed0e202e51344df1d5f639d0603329031ec7f44e43f9107adc347956441
-
Filesize 5.4MB
MD5 5a4fc283689a3015c3383477fca3e6a4
SHA1 13062ca1b5b6061dd753d4bfe78be4e41dea7fea
SHA256 cfd3e177db9a3d66e27a4e97fa87ab34402ee1b5853c2e5da4bb1894834955b9
SHA512 853957b9146a799f8dac58939800b732c120fdf00addc1d417bcd5316a997d1cdfbb35a1f3bdf98e9b882380f351bbbfd9a52f6f65e3d5c8183b8f07c273e4cd
-
Filesize 2.2MB
MD5 e5c4292eec5e74ea3b2f8c48f7d9f975
SHA1 9f0cc18ca7afad006c41d2f23cd7d16f2961782c
SHA256 f724891676b4f71f048bcd2bdfd1a66ed9bdac3b06ad5767d575b6f483f20fbb
SHA512 d171e39e1bc164a24412f54944679b758ccfb219edb4e7f04ec4caa4f16ba3fb4c8d8746c4e94ac2ab4cd8001a5d3ff10203979d8ea74a5bdb2b7e3c521d6de9
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 40B
MD5 d0df793c4e281659228b2837846ace2d
SHA1 ece0a5b1581f86b175ccbc7822483448ec728077
SHA256 4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9
SHA512 400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize 1KB
MD5 4f6059909d147c8dfe69e1f3561e0839
SHA1 20feaf6c1b683d9408dc2b202551a03b0bbfd45b
SHA256 54e9d75bd947c13fd295b6e80c9de90c16f999317ebc96be0636bf01839eef42
SHA512 a282615c9eced25fba62c9fb180deb78e34a547bcb0372f75402005a027db95d260e428ddeb5472320e1b9e4c0cebaee23388e8d307cc8df633319accb900128
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 354B
MD5 ddac84a62b58cc7e7724041f032086b2
SHA1 0167e98f7d81089557cfad2283058a8d8547602a
SHA256 17c697568155b81568c26c656d86ec33b4e76c88f066489782e695065b78a6ae
SHA512 55d35f90b54c19d11c0d5df1228893a92e9292d9a2bdf571b4a4f9aff531a71e2625ddcbc64e83d9a945577d71e225747975bf4d2b0bde5afeac44b9b42eaeff
-
Filesize 5KB
MD5 6d2e852470406fa651faf4d54e61b07a
SHA1 77ddf31f0f983a33533884fb81523b6f5faca963
SHA256 0072154f9fddca9457d72bde05c90ea35214719e45b9ef6571dc4192a9357416
SHA512 6304dda6965683712bb8efbb152ba99f940bd4701546aadfe4806806a92355cf7fccbaca515fc31b35e7be0d501fed70577707503259820dd3478e9f6eceae38
-
Filesize 2KB
MD5 1d0245a0816fd932b1963600bab98460
SHA1 82d188a3a5fd107ed83000e16e41e0d67eed941b
SHA256 b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6
SHA512 febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6
-
Filesize 16KB
MD5 186e6953472a1dd4db4ba6a149c41fac
SHA1 51dcb80874300c247abe380fc785eed851c4afcc
SHA256 c82465c593f5c9f6f562c2820d3799952feec4ce190c0bb36bbd27e634c93800
SHA512 5b0235b7d2ded50ceaeaf6dbfe3d505bd789a54b8ac49afab4f40719b37615eacfe62b7793bb5edf476024c4f7a8d2b937c2d80a3a7acf7d2b9c68cb30a83718
-
Filesize 260KB
MD5 83cae2282933c8d7a3d3b9090ff8188e
SHA1 085daf080f8f0096026d7fbe8410113924705a2a
SHA256 4949c89ad70aa17b1f394296d0d9819db696cb4bcdc1f506eb77f2848bbcdae2
SHA512 7970582ccea397d1e1ade525b1267b8082199addd1a2ac4ba88e20fb25e11229ba9093ae0174054c8d51f1ba219ccf753773e545f122840af27ad27ff249c370
-
Filesize 7KB
MD5 f96c39c4f51aff0b350f5e7c2a1268ea
SHA1 c02fd16c9762780d9aa41151977fe4008e44ab0d
SHA256 65aed71bf6ee8e78561aaaccd291e0573c299def60938ab9ad5c565ca4c42b31
SHA512 26a0bda699c5dd71ad5939407ae56549429b7f1516c44fc8b4b1ebe5da5b0e1d676dc65b8bf4f3eea335401acdffc2e99637c30f163775ef72cf46fa66ceb5f0
-
Filesize 8KB
MD5 27e7f41d430aa91d2ca91bc31b96aeb4
SHA1 f7e5f59951c6d51ad7aaea2cf545518c7d0886aa
SHA256 908a7cf6e5db6f9a428331910fbf0b2b1417059b0c233b7b5229119cc96f6475
SHA512 e3218f6e4ed254b6881a1177f18f476a46923b050d1ea73af4e311f38636ab7caf27f33a371bcb97fada0bd3ee8998917dabf0e2f86f3632bbdefc1d028402cf
-
Filesize 12KB
MD5 c9fe46dcd48d321bca644025af134877
SHA1 d6cbbff75c86c28199b0d5dedd3da2c1725fea98
SHA256 68c23fa194a0adc64b996dc93b5fed170d05ed7376766ecb4d43a172738b9c9e
SHA512 17542de7a4d035dd51790d385442d7056ce0b9f456aaf5ceff9f2d4df1d6959f7eacbcfc70390e2a8622a2468806e7e04c0106bfb72ea2a92cefa83169876d20
-
Filesize 1.2MB
MD5 f3316cabc1cf1c37078d40991f64dd09
SHA1 5a98ebe478bf4cd4395b510236239615337682e4
SHA256 02a4ec8230c20cdabf5c1ee154849d4499f34f78c50015672576abb68d65b018
SHA512 8b6022bad94c5bf4f90ccc74a6077e13961f3777ef3a53cc59e39e5b40dcbee72a665f817b4503ade582dacb2dc46193e63626cabb9574a731d0a5463f4e59f3
-
Filesize 1.7MB
MD5 0f6b7e2eca02ef0a193dcf4f4f65a196
SHA1 e4592f729673b56e176b2e6301c90e2d0ca24db9
SHA256 02653645e07566d04ee0aad9e899a89ede3e82fc5df6d348bcc56f4761a8b625
SHA512 e436caad3528b9542e59e98cf8364dad0f69a8f98e886e4f8c34c502e63688b7b0a9e32631a6629ae4b89c2b33570001283dd836eac540e9bf5e0bf7518a922b
-
Filesize 1.2MB
MD5 883e1bbb7e87e50094442677db042a82
SHA1 ba8f5f0156de73bdf5eb49dc09ab4aca6dc76c65
SHA256 4b9774f4d13edaa9ab69970a9721240aeaec481c2153a0d904d8f5108a7700f9
SHA512 242761d1846c31bc23d09d35006bf8b9efcf6d11a3eee28ba643e158d800665e8460eec84870451350ff9df341e73d20d99e83a2f04930d2573ba29d20e1d1db
-
Filesize 1.2MB
MD5 500cb9b7c4e7c22393110e8658a4bd84
SHA1 5541ad28a25531ef3599ce1b61a857102e7d96d7
SHA256 6b63fad0f1b3514b89ee05e5b46fdd422b8c9221e4e0bc99f160249977b8163e
SHA512 2ad0d656f798304d0491c4d63357824b1ce38a32dc335ea50b5a03a094e8dc6b3810e9829a356ff2b3879042ad7f42c890c2e44004472af5f3c5d1f77227fe38
-
Filesize 1.6MB
MD5 1cdaade4f005fbfae74b768f0f325fe7
SHA1 4d689dcaf2e0beeb75157b9c38bcf8defa619816
SHA256 36f8dc5ddb89e6bbdeb64c24d1b2f5c88ac1b82a83c1991c20487b596307877b
SHA512 522e3562803cea436b93652b45c2acd7f8fec3568321879f338fd6d48ad2e28cf80437364bd98bd4c27cf1bf809fb17c0d4c8873e72ef0caee0ff643f4048197
-
Filesize 1.3MB
MD5 abb75647e05c5a56f2350ce562c91026
SHA10f7cff21ba9f7d0d38762fa8878ad4a9e59ad3ba
SHA2562cf50c0b2b4b757ed161557c6db7b09c81fe840261a3aeb872f4b674703dbc40
SHA512141c18af16aaac794b6aa2e421ed35b601a7054a74eb26c4e83a08c54d1e3dd3933b045de549d317b420723070c069d5ddae6b75754a014a52db639eed116c3c
-
Filesize
1.4MB
MD5479d106480b0906a24c4cdae0fa63250
SHA13e849f9911abd353b424b56a1c37f95f6fb3b1d0
SHA256b005faeff0672030e9d67fbcfae49fb7a4a6c3a55ae056193634b49b15e24cae
SHA512623ec4b21b6d19c269e9f03575f97c5a8767a32a99eca66a3d369a8c4a0ffec2be36d7fea9103caea1296d8cd574889ef72cc88ea4b16fb477f920f73a73f109
-
Filesize
1.8MB
MD5516c36af818de7ea27665b69e17b67c2
SHA10e995a53099f937c5364f65ed6d87a4ff453b783
SHA256a455a3ccc41b5fd1369b091c6b657dce97f8ab9db22e13742deb565d2368a3a6
SHA51262dac4a21faf8fa5a8d5bf91d7ebc308dd0d003cb78d6e46596120667123d76676cac53db4171fc5987a5591f4815b620bc09c5d2afa5614b44f374d6d6566a8
-
Filesize
1.4MB
MD5c58b3ad96305a8dd669bfd67b5536ee6
SHA192aa8f4e53b7802c202f7fc824340ed0c6342e45
SHA25604e869e8879b250aec73598b412f354990e8d9c8cd04b6517eb12cdbc6e515e2
SHA51200260e1bb380287da0784e2f087d8dc4335193d3e54362a6526da304db26bcfb7584a2ade51b0fcfd1215159f734fbaf77976e7ec61822d263463930d6c00c7f
-
Filesize
1.5MB
MD5216cd54f3b9784b46dc7931466c9fc9f
SHA1f1530d604649b5115359fd15a508c63b2df04050
SHA256b2ce32969e6861f6234ce949304338597a723d3d44e747319c64662f4d3da61b
SHA5122186e2cd8c9a8ccf55bd1656c8734cb698ce649793eeefb1c859572a362f8ea92aaeecfbff00c868e74f35f7874f0944b22ae0f098eb24344c6ed730e072f701
-
Filesize
2.0MB
MD586da9a5bf761bbe427706c8aaf253aa5
SHA11388af130081d195835d61118bede20109243682
SHA2567b07162e04ef416434adf703237e5261bd934cce66869da73d22e5b5e2b08046
SHA51255cce8dacf314cb2b326d820a0ac0192223a264bc526556b3aa69eade5c9908b98826d06d541051cb635ee9effec57797e8cce933b4ac72ef688ce26173fbc9e
-
Filesize
1.3MB
MD5554c8395f8acbdb30483440073ace3d8
SHA160bfba82a534727cec84af8754f16adb3f165fac
SHA25650327fd693b52377b5b948e7e5619b7868e6020ac859e9c1892875d7e61638f9
SHA51257d496cc5de9248739d377da8cebe3180f60188b81714523e7b4a82b825ab620adb500e551340ae92c7a1ccb2fc629e7d364b88ef132f127d9ab271c0c2c9084
-
Filesize
1.4MB
MD53815a44746df46b83ab2fd574d2c0cac
SHA173bf4ef5abd9f1775dc3d84b5ef7783f75e9c121
SHA256b3be2f4634b7dbe94d08e11fc0281311b7718007c93b2c944e27e54ea84ec729
SHA5125e9dc0740fa9e6f03f7d0e7df35d2ac897cc8877458b06b6bc6ef126d2b74fbea38a529159fba2b4a652f200e6404694eb2c3144784136a7be4210dcff6de419
-
Filesize
1.2MB
MD58fd308bc4a4ffbfca86685bd384fa70c
SHA1619d24ab17f1d688fc298cd2609b6e7debbf36db
SHA256ef8a1765d05bd377467500f6a60e783657869525c5e8580e2537270bd0b7e917
SHA512198adfd597f61ce09c1a63fbcfd614af048578882730d1b96b95f18ec18c68deed60241f399e31404b11ea272185f875add71c5be41b8563f27ee7091d72fe95
-
Filesize
1.3MB
MD51106e8d5e219e95c561fa9f41f2d1f18
SHA1f4386ab373b4fd71b2a90c7d3317ebf5ed65885e
SHA256d416bcab924e06a5244c11933700461ffb6fccce5210d8a056d8468f146b2ffb
SHA5129dce1fb2e816db70dc8f4fccea95b4e2172fb0e73032edbfc4f63715e6f595e7c04614e99bdaa595e36eada8c6a16db9e90ffc01f3394d323dabaa7c78565808
-
Filesize
1.4MB
MD598662621282357b652b5699ad0f23a5f
SHA1579eb6c9c4ca6ac092e494a1123e3212572ff144
SHA256b737e656928063454fb627692babc03748f54be3fe0761e106125f518b23ccfe
SHA5123165dc5db23e9c1148eb0656837d42300ede5e833426b1183192996b24a9c09b74786f6ed4065e3a41cb36bdc791e2714e396b69061cf0c3766a5107a023bd04
-
Filesize
2.1MB
MD56ea13416d3c161df8fe501b7372eebc7
SHA15729511e32118723673cfaef8b0adf632fe45a76
SHA256003b45e23fc705ebfefa9ff1b8995794865b914b4017c214de90e0a270545c92
SHA512a5fc1c2cacee56dd81ca35cc46844efb305d63b60d21c7bc30c48508d133f4cab269b6531e76d16f1e1fedce5203d390f918fa77b7254d8cd5c98743662ff02e
-
Filesize
40B
MD5dd7a044bb22136e85285d21163fdef66
SHA11fcea0d904998de1bdea9cfa654a50c20b3dcc5b
SHA256b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0
SHA51267afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358
-
Filesize
1.3MB
MD542a9b91ddf2fb96259d3e227423e6ab7
SHA18b38cd12ba2f4a95d211aa05dcbd30d14bba891a
SHA2564de0526e7e37207218b2cd3364633ca75496485f0785040a72df981345de0f4d
SHA512a9e1005af9563cb06a6a53fd849ad817698398a10348d336d1bce3be3fd4e61a6c8f30eace6d8762f0199b026ce168a3660e77f4759af7c8345203b636df73b6
-
Filesize
12KB
MD59549d15ca20cb8396816185d3d753509
SHA18096858b82e5c51568c13081aff36ebbb1c9cea1
SHA2567b52a40247b8ac16563c82241f7159f9e7d15ba083f4f492dee799f540bd29f8
SHA51273c62c722c8d9d00b465e4e9ad719cb6f12a008750344501d4e6708fbbfb0df475eff4fe70a456d1fd15d83087281f96eb02b27dc62b7e5c78bca3f7037dc5ba