Analysis
max time kernel: 41s
max time network: 45s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:35
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
Size: 5.5MB
MD5: 3f28151e194a2cc7864d423bb3ec331f
SHA1: d6a93fdc040ad8d4ec00435df0f54be78d1154fc
SHA256: 17020d36302682ea80022bfe8a3f3d4cdf618cd46b8ca620c244cbd70c3fad4d
SHA512: adb7a77d663b2daeae08a1a9e29d317c1905a485f75caacbb5e7b79843b6f22da892a8158ee921bc275932d3a6edb805c1cdaf4665d8f0a17206ca54e8ef020c
SSDEEP: 98304:mAI5pAdVJn9tbnR1VgBVmxU7dG1yfpVBlH:mAsCh7XYkUoiPBx
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
3940 | alg.exe
3328 | DiagnosticsHub.StandardCollector.Service.exe
1728 | fxssvc.exe
1688 | elevation_service.exe
444 | elevation_service.exe
1296 | maintenanceservice.exe
2028 | msdtc.exe
4080 | OSE.EXE
1656 | PerceptionSimulationService.exe
3124 | perfhost.exe
2980 | locator.exe
4780 | SensorDataService.exe
1208 | snmptrap.exe
1296 | spectrum.exe
5328 | ssh-agent.exe
5556 | TieringEngineService.exe
5704 | AgentService.exe
5804 | vds.exe
5920 | vssvc.exe
6064 | wbengine.exe
5340 | WmiApSrv.exe
5576 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5cc5d3a62a644d7f.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
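The two signature blocks "Executes dropped EXE" and "Drops file in System32 directory" are easier to read together: most of the processes the sandbox counts as "dropped EXEs" are the Windows service binaries that the sample had just opened for writing. The script below is an added example, not part of the Triage report. It takes the two blocks exactly as the page flattens them (copied above as string constants), parses them and cross-references the executable names. The parsing rules (split on the repeated description text, treat the last whitespace-separated token as the process name) are this example's assumptions about the flattened layout, not a documented report format; they hold for every row on this page because no process name here contains a space.

```python
"""Added example: cross-reference the flattened 'Drops file in System32 directory' and
'Executes dropped EXE' blocks of the Triage report above. Inputs are copied from the page;
the parsing heuristics are this example's own assumptions about the flattened layout."""
from collections import Counter

SAMPLE = "2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe"
IOC_DELIM = "File opened for modification "

# 'Drops file in System32 directory' (24 IoCs), copied from the report, one IoC per line.
SYSTEM32_IOCS = r"""description ioc Process
File opened for modification C:\Windows\system32\spectrum.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\System32\vds.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\vssvc.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\5cc5d3a62a644d7f.bin alg.exe
File opened for modification C:\Windows\System32\msdtc.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\msiexec.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\System32\SensorDataService.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\AgentService.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\AppVClient.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\dllhost.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\locator.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\fxssvc.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\System32\alg.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\System32\snmptrap.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\TieringEngineService.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification C:\Windows\system32\wbengine.exe 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe"""

# 'Executes dropped EXE' (22 IoCs), copied from the report as the page flattens it.
EXECUTED = """pid Process 3940 alg.exe 3328 DiagnosticsHub.StandardCollector.Service.exe 1728 fxssvc.exe
1688 elevation_service.exe 444 elevation_service.exe 1296 maintenanceservice.exe 2028 msdtc.exe
4080 OSE.EXE 1656 PerceptionSimulationService.exe 3124 perfhost.exe 2980 locator.exe
4780 SensorDataService.exe 1208 snmptrap.exe 1296 spectrum.exe 5328 ssh-agent.exe
5556 TieringEngineService.exe 5704 AgentService.exe 5804 vds.exe 5920 vssvc.exe
6064 wbengine.exe 5340 WmiApSrv.exe 5576 SearchIndexer.exe"""


def parse_file_iocs(block):
    """Return [(path, process)] from a flattened 'File opened for modification <path> <process>' run.
    Assumption: process names contain no spaces, so the last token of each chunk is the process."""
    flat = " ".join(block.split())
    records = []
    for chunk in flat.split(IOC_DELIM)[1:]:          # element 0 is the 'description ioc Process' header
        path, _, process = chunk.strip().rpartition(" ")
        records.append((path, process))
    return records


def parse_executed(block):
    """Return [(pid, name)] from a flattened 'pid Process <pid> <name> <pid> <name> ...' run."""
    toks = block.split()
    if toks[:2] == ["pid", "Process"]:
        toks = toks[2:]
    return [(int(pid), name) for pid, name in zip(toks[0::2], toks[1::2])]


def writers_by_process(records):
    """How many of the listed files each process opened for writing."""
    return Counter(process for _, process in records)


def tampered_then_executed(records, executed, writer=SAMPLE):
    """Split the .exe files `writer` opened for writing into (later ran, not seen running),
    matching on file name only, case-insensitively."""
    written = {path.rsplit("\\", 1)[-1].lower()
               for path, process in records
               if process == writer and path.lower().endswith(".exe")}
    ran = {name.lower() for _, name in executed}
    return sorted(written & ran), sorted(written - ran)


if __name__ == "__main__":
    recs = parse_file_iocs(SYSTEM32_IOCS)
    ran = parse_executed(EXECUTED)
    print(writers_by_process(recs))
    hit, miss = tampered_then_executed(recs, ran)
    print(len(hit), "System32 executables written by the sample and later executed:", hit)
    print(len(miss), "written but not seen executing in this run:", miss)
```

Of the 24 System32 IoCs, 22 are writes by the sample to existing executables; the other two (alg.exe writing a .bin under the system profile, msdtc.exe writing MSDTC.LOG) come from processes that ran after being written to. Eighteen of the 22 names appear again in the "Executes dropped EXE" list, which is why the sandbox labels ordinary service binaries as dropped files. The four that do not (AppVClient.exe, dllhost.exe, msiexec.exe, SgrmBroker.exe) still need verification; they simply were not started within the 41-second run.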
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124281\javaws.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124281\java.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
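The three "Drops file" blocks above record that the sample requested write access to existing executables; they do not by themselves show what, if anything, changed inside each image. The following is an added example (not part of the report, and not run by the sandbox) of two structural checks a responder can apply to a copy of each listed binary: whether the PE still carries an embedded Authenticode signature blob (security data directory, index 4), and whether the file contains bytes beyond everything its headers account for (an overlay past the last section and past the signature blob). The PE fixture it builds is a constructed PE32+ skeleton for testing, not a file from this analysis. These checks are only triage: a present blob is not a valid signature, so confirm with Get-AuthenticodeSignature or signtool on Windows, and compare hashes against the same paths on a clean win10v2004 image.

```python
"""Added example: structural tamper checks for PE files listed in a sandbox report.
Not part of the Triage report; the fixture below is a constructed PE32+ skeleton."""
import struct


def pe_layout(data: bytes) -> dict:
    """Read the few header fields the checks need. Handles PE32 and PE32+; raises on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections, = struct.unpack_from("<H", data, pe + 6)          # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)          # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = pe + 24                                                # start of IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                           # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:                                         # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva, = struct.unpack_from("<I", data, opt + nrva_off)       # NumberOfRvaAndSizes
    sig_off = sig_size = 0
    if nrva > 4:   # IMAGE_DIRECTORY_ENTRY_SECURITY = 4; its 'VirtualAddress' is a raw file offset
        sig_off, sig_size = struct.unpack_from("<II", data, opt + dd_off + 4 * 8)
    end_of_sections = 0
    first_section = opt + opt_size
    for i in range(nsections):                                   # SizeOfRawData, PointerToRawData at +16, +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_section + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {"sig_off": sig_off, "sig_size": sig_size,
            "end_of_sections": end_of_sections, "file_size": len(data)}


def tamper_findings(data: bytes) -> list:
    """Return human-readable findings: missing signature blob and/or unaccounted trailing bytes."""
    lay = pe_layout(data)
    findings = []
    if lay["sig_size"] == 0:
        findings.append("no embedded Authenticode signature")
    accounted = max(lay["end_of_sections"], lay["sig_off"] + lay["sig_size"])
    extra = lay["file_size"] - accounted
    if extra > 0:
        findings.append(f"{extra} bytes of unaccounted overlay")
    return findings


def build_fake_pe(signed: bool, overlay: int = 0) -> bytes:
    """Constructed PE32+ skeleton with one 512-byte section at file offset 512 (test fixture only)."""
    hdr = bytearray(368)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                       # e_lfanew -> PE header at 64
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 68, 0x8664, 1)                 # Machine = AMD64, NumberOfSections = 1
    struct.pack_into("<H", hdr, 84, 240)                        # SizeOfOptionalHeader (PE32+, 16 directories)
    struct.pack_into("<H", hdr, 88, 0x20B)                      # Magic = PE32+
    struct.pack_into("<I", hdr, 88 + 108, 16)                   # NumberOfRvaAndSizes
    sig_size = 256 if signed else 0
    struct.pack_into("<II", hdr, 88 + 112 + 4 * 8,              # security directory: offset, size
                     1024 if signed else 0, sig_size)
    struct.pack_into("<II", hdr, 328 + 16, 512, 512)            # section header: SizeOfRawData, PointerToRawData
    image = bytes(hdr) + b"\0" * (512 - 368) + b"\xcc" * 512    # headers, padding, one section
    return image + b"\x30" * sig_size + b"\x90" * overlay       # optional signature blob, optional overlay


if __name__ == "__main__":
    for label, blob in (("signed, clean", build_fake_pe(True)),
                        ("signed, 100-byte overlay", build_fake_pe(True, overlay=100)),
                        ("unsigned", build_fake_pe(False))):
        print(f"{label}: {tamper_findings(blob) or ['no findings']}")
```

On a real host you would feed `tamper_findings` the bytes of each path from the tables above (alg.exe, fxssvc.exe, vds.exe and so on) and the Program Files binaries, then escalate anything that reports an overlay or a missing signature to a proper Authenticode verification and a hash comparison against the clean image.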
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. Every hit below is attributed to spectrum.exe or SensorDataService.exe, two Windows service binaries that the sample opened for modification (see the System32 list above) and that subsequently executed; the report does not show whether the reads come from the original service code or from what the sample wrote into those files.
description | ioc (all under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\) | Process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Both hits are attributed to TieringEngineService.exe, another System32 service binary that the sample opened for modification and that later ran.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005877e8c6f585da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f1305d1f585da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb87fbc6f585da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081fe6acff585da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133566429454719297" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e32e2cff585da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075fca8cff585da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000922391cff585da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid   Process                                                count
4104  chrome.exe                                             2
1612  2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe  35
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process            count
656   Process not Found  2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid   Process     count
4104  chrome.exe  3
Suspicious use of AdjustPrivilegeToken 64 IoCs
description (Token)                   pid   Process                                                count
SeTakeOwnershipPrivilege              2312  2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe  1
SeAuditPrivilege                      1728  fxssvc.exe                                             1
SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating)
                                      4104  chrome.exe                                             14
SeRestorePrivilege                    5556  TieringEngineService.exe                               1
SeManageVolumePrivilege               5556  TieringEngineService.exe                               1
SeAssignPrimaryTokenPrivilege         5704  AgentService.exe                                       1
SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating)
                                      4104  chrome.exe                                             4
SeBackupPrivilege                     5920  vssvc.exe                                              1
SeRestorePrivilege                    5920  vssvc.exe                                              1
SeAuditPrivilege                      5920  vssvc.exe                                              1
SeBackupPrivilege                     6064  wbengine.exe                                           1
SeRestorePrivilege                    6064  wbengine.exe                                           1
SeSecurityPrivilege                   6064  wbengine.exe                                           1
SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating)
                                      4104  chrome.exe                                             4
33                                    5576  SearchIndexer.exe                                      1
SeIncBasePriorityPrivilege            5576  SearchIndexer.exe                                      1
SeTakeOwnershipPrivilege              5576  SearchIndexer.exe                                      24
SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating, ending on SeShutdownPrivilege)
                                      4104  chrome.exe                                             5
Suspicious use of FindShellTrayWindow 3 IoCs
pid   Process     count
4104  chrome.exe  3
Suspicious use of WriteProcessMemory 64 IoCs
pid   wrote to memory of  Process                                                procid_target  count
2312  1612                2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe  85             2
2312  4104                2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe  87             2
4104  1552                chrome.exe                                             88             2
4104  4284                chrome.exe                                             96             38
4104  4744                chrome.exe                                             97             2
4104  2776                chrome.exe                                             98             18
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Bracketed numbers give the nesting depth in the process tree: [1] is a root process, [2] a child of the preceding [1], and so on.)

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe (PID 2312)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe (PID 1612)
        Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2a8,0x2a0,0x2a4,0x29c,0x2f0,0x140462458,0x140462468,0x140462478
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4104)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1552)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3f209758,0x7ffa3f209768,0x7ffa3f209778

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4284)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:2

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4744)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2776)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4932)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:1

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4648)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:1

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1100)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4048 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:1

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2080)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3232)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

        [3] C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 3748)
            Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

            [4] C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5140)
                Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff65c527688,0x7ff65c527698,0x7ff65c5276a8

            [4] C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5212)
                Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

                [5] C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5256)
                    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff65c527688,0x7ff65c527698,0x7ff65c5276a8

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4764)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

[1] C:\Windows\System32\alg.exe (PID 3940)
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory

[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 3328)
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE

[1] C:\Windows\System32\svchost.exe (PID 1884)
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

[1] C:\Windows\system32\fxssvc.exe (PID 1728)
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1688)
    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    - Executes dropped EXE

[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (PID 444)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE

[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 1296)
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE

[1] C:\Windows\System32\msdtc.exe (PID 2028)
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory

[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 4080)
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE

[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (PID 1656)
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE

[1] C:\Windows\SysWow64\perfhost.exe (PID 3124)
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE

[1] C:\Windows\system32\locator.exe (PID 2980)
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE

[1] C:\Windows\System32\SensorDataService.exe (PID 4780)
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)

[1] C:\Windows\System32\snmptrap.exe (PID 1208)
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE

[1] C:\Windows\system32\spectrum.exe (PID 1296)
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)

[1] C:\Windows\System32\OpenSSH\ssh-agent.exe (PID 5328)
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE

[1] C:\Windows\system32\svchost.exe (PID 5396)
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

[1] C:\Windows\system32\TieringEngineService.exe (PID 5556)
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\AgentService.exe (PID 5704)
    Command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vds.exe (PID 5804)
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE

[1] C:\Windows\system32\vssvc.exe (PID 5920)
    Command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe (PID 6064)
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbem\WmiApSrv.exe (PID 5340)
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE

[1] C:\Windows\system32\SearchIndexer.exe (PID 5576)
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\SearchProtocolHost.exe (PID 5732)
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS

    [2] C:\Windows\system32\SearchFilterHost.exe (PID 5704)
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA19ac7cf95c43b3616933268404532a993a95c2b99
SHA2569e9fce9ce1aeb8ffd486283714165c5aba5c8a4414c4e6ba4713d782db4d7a46
SHA512bc7330fc20c81cfa75d6588e0a07dfc44b944afa01f275a9de38ef966e93344bc538ac07e6b7f31d5c094e15c4c5049c77fceddbc6e6359cdf17b6a51d405b03
-
Filesize
2.1MB
MD58821a0103c7a1d2ed2ca7d58cdaa4db0
SHA139bae8b4692ac040bd7ce8f9ddbdb1d69bc2bdb6
SHA2566d416a3c051bf0e4af47ec11b78d7be39d016d1f7cb0d2017b3347d9108d58b8
SHA51273006fb349ec3896ef06fa02b6604c9273d9059e8ca7ec2f7d080f60bce216c2404810b9764b6fd8da3ffb5c2639289863a67664dd7335615c3efdf37e83aeee
-
Filesize
40B
MD57806f070ee1bf48d945790a0c2a61355
SHA1cd3804e5db65628f5a3c0a8accbcb6d10544280c
SHA2566520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895
SHA512c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc