Analysis
  max time kernel:  150s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240426-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        29/04/2024, 19:47
Static task: static1
Behavioral task: behavioral1
  Sample:   2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  Resource: win7-20240221-en
General
  Target: 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  Size:   5.5MB
  MD5:    2f5783d00ba0ca5e69720bef1f4b0fe4
  SHA1:   e6c1b377da6c10b7c34d2733e51b95553b53a5b7
  SHA256: 9d6f757f4bfcd703901b3aba771dcc876be6dfabc693d653f060facc738f67f4
  SHA512: 9b896df895d559485df927e54548738fe1c9c62277f03af1d9093890093793ca07598784ed3810e09dfdfdbe1c74e6f6268c66420ced5e2704ca04cae0402281
  SSDEEP: 49152:zEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf6:vAI5pAdVJn9tbnR1VgBVmkQWdO
Malware Config
Signatures

Executes dropped EXE (26 IoCs)
Every process in this list is a pre-existing Windows service binary or an installed application component (Chrome's elevation_service.exe and chrmstp.exe, Mozilla's maintenanceservice.exe, Office's OSE.EXE). Most of them (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, vssvc.exe, wbengine.exe, locator.exe, snmptrap.exe, spectrum.exe, SensorDataService.exe and others) are the same files the sample opened for modification in the "Drops file in ..." tables below, so these are launches of modified existing binaries, not of new files the sample wrote to disk.
  pid   Process
  1456  alg.exe
  4712  DiagnosticsHub.StandardCollector.Service.exe
  2092  fxssvc.exe
  5012  elevation_service.exe
  2516  elevation_service.exe
  2068  maintenanceservice.exe
  1096  msdtc.exe
  456   OSE.EXE
  2172  PerceptionSimulationService.exe
  416   perfhost.exe
  5032  locator.exe
  5108  SensorDataService.exe
  1044  snmptrap.exe
  2944  spectrum.exe
  1032  ssh-agent.exe
  2292  TieringEngineService.exe
  4600  AgentService.exe
  728   vds.exe
  1388  vssvc.exe
  5208  wbengine.exe
  5332  WmiApSrv.exe
  5464  SearchIndexer.exe
  5276  chrmstp.exe
  5808  chrmstp.exe
  5968  chrmstp.exe
  6068  chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no IoCs for this signature, so the triggering process and path are not visible here.
Drops file in System32 directory (24 IoCs)
With two exceptions, every entry is an existing Windows executable opened for modification by the sample itself, not a new file being created; this is the pattern of a file infector that patches binaries already on disk. The report names no malware family and extracts no configuration (the "Malware Config" section above is empty), and the "_ryuk" in the file name is part of the submitted file name rather than a detection. The exceptions are MSDTC.LOG, written by msdtc.exe after it started, and e7ebd0814a48edc7.bin, written by the modified alg.exe under the LocalSystem profile (config\systemprofile); the latter is the one genuinely new artefact in this table and a useful hunting indicator.
  description | ioc | Process
  File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\System32\alg.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\System32\vds.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
  File opened for modification | C:\Windows\system32\locator.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\e7ebd0814a48edc7.bin | alg.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
Drops file in Program Files directory (64 IoCs)
The targets are third-party application executables (Java JDK/JRE tools, Chrome and Google Update helpers, Adobe Reader, Firefox, 7-Zip, VLC, Internet Explorer, Office's OSE.EXE), again opened for modification by the sample rather than created. The single created file, maintenanceservice.log, is written by Mozilla's maintenanceservice.exe after it was started.
  description | ioc | Process
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\DenyUnblock.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
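The three "Drops file in ..." tables above are a list of signed Windows and application executables that the sample opened for write. The practical follow-up on a host suspected of having run this sample is to check whether those exact files still carry a valid Authenticode signature and to record their hashes. The following PowerShell script is an added example written for this page; it is not part of the tria.ge report and not code from the sample or from any named tool. It assumes an elevated PowerShell 5.1 or later session on a Windows 10 host, and the path list is a subset copied from the tables above that you would extend with the remaining entries.

```powershell
# Added example, not part of the tria.ge report.
# Checks the Authenticode status and SHA256 of executables the sample opened
# for modification, so a patched binary shows up as HashMismatch/NotSigned
# instead of Valid. Run elevated; extend $paths with the rest of the report.

$paths = @(
    # Subset of the "Drops file in System32 directory" table
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\system32\fxssvc.exe',
    'C:\Windows\system32\vssvc.exe',
    'C:\Windows\system32\wbengine.exe',
    'C:\Windows\system32\SgrmBroker.exe',
    'C:\Windows\system32\msiexec.exe',
    'C:\Windows\system32\dllhost.exe',
    'C:\Windows\system32\SearchIndexer.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    # "Drops file in Windows directory"
    'C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe',
    # Subset of the "Drops file in Program Files directory" table
    'C:\Program Files\VideoLAN\VLC\vlc.exe',
    'C:\Program Files\7-Zip\Uninstall.exe',
    'C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe'
)

$results = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        # A path from the report that is absent here is not in itself suspicious;
        # the sandbox image simply had software this host may not have.
        [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = ''; SHA256 = '' }
        continue
    }
    # Get-AuthenticodeSignature validates embedded signatures and, on Windows 10,
    # catalog signatures, so an untouched System32 binary reports Valid.
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    [pscustomobject]@{
        Path   = $p
        Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    }
}

# Anything other than Valid sorts to the top for review.
$results | Sort-Object { $_.Status -eq 'Valid' } | Format-Table -AutoSize

# The one new file the report attributes to the modified alg.exe.
$bin = 'C:\Windows\system32\config\systemprofile\AppData\Roaming\e7ebd0814a48edc7.bin'
if (Test-Path -LiteralPath $bin) {
    Get-Item -LiteralPath $bin | Select-Object FullName, Length, LastWriteTime
}
```

A file that ships signed but now returns HashMismatch or NotSigned should be copied off for analysis rather than trusted or repaired in place, and the SHA256 column gives you a value to compare with a known-good build. `sfc /verifyonly` is a useful second opinion for the System32 entries, since it compares against the component store rather than the file's own signature.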
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). No IoCs are listed for this signature.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. All 64 IoCs below are attributed to SensorDataService.exe and spectrum.exe, two Windows service binaries the sample modified and which were then started (see "Executes dropped EXE"); the keys read are the device properties of the analysis VM's disk and DVD-ROM entries (Ven_DADY, Ven_QEMU, Ven_Msft). The reads come from those services' own startup rather than directly from the submitted executable, so this signature is weak evidence of deliberate sandbox evasion on its own.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Both reads here come from TieringEngineService.exe, one of the modified Windows services started during the run, not from the submitted executable.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
All of these writes are under the .DEFAULT hive and are attributed to SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe and fxssvc.exe, i.e. Windows Search and the Fax service populating MuiCache and file-type keys after they were started; none are attributed to the submitted executable.
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a02dea1e6e9ada01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a980e1e6e9ada01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
3128 chrome.exe
3128 chrome.exe
5624 chrome.exe
5624 chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
3128 chrome.exe
3128 chrome.exe
3128 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4136 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
Token: SeTakeOwnershipPrivilege 3672 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
Token: SeAuditPrivilege 2092 fxssvc.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeRestorePrivilege 2292 TieringEngineService.exe
Token: SeManageVolumePrivilege 2292 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4600 AgentService.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeBackupPrivilege 1388 vssvc.exe
Token: SeRestorePrivilege 1388 vssvc.exe
Token: SeAuditPrivilege 1388 vssvc.exe
Token: SeBackupPrivilege 5208 wbengine.exe
Token: SeRestorePrivilege 5208 wbengine.exe
Token: SeSecurityPrivilege 5208 wbengine.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: 33 5464 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5464 SearchIndexer.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
Token: SeShutdownPrivilege 3128 chrome.exe
Token: SeCreatePagefilePrivilege 3128 chrome.exe
-
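The table above shows the sample (PIDs 4136 and 3672) enabling SeTakeOwnershipPrivilege, the user right that lets a process take ownership of files it does not own, such as the TrustedInstaller-owned service binaries in System32 that the report lists as dropped and later executed. The same table shows SearchIndexer.exe enabling that right repeatedly as part of its normal work, which is why any detection on it needs a baseline. The PowerShell below is an added example, not part of the Triage report: it pulls Security event 4703 ("A user right was adjusted") and lists every process that enabled the privilege, leaving out images on an allow-list. It assumes the Token Right Adjusted Events audit subcategory is enabled on the host, and the allow-list contents are an assumption for illustration.

```powershell
# Added example (not part of the Triage report). List processes that enabled a given
# token privilege, using Security event 4703 ("A user right was adjusted"). The event
# is only written when the Token Right Adjusted Events subcategory is audited:
#   auditpol /set /subcategory:"Token Right Adjusted Events" /success:enable
# The allow-list is this example's assumption; tune it to the host's baseline.

function Get-PrivilegeEnabler {
    param(
        [string]$Privilege = 'SeTakeOwnershipPrivilege',
        [datetime]$Since = (Get-Date).AddHours(-2),
        # Assumption: images seen enabling this right during normal operation, such as
        # the indexer, which the report's own table shows doing so over and over.
        [string[]]$AllowedImages = @(
            'C:\Windows\System32\SearchIndexer.exe',
            'C:\Windows\System32\svchost.exe'
        )
    )

    $filter = @{ LogName = 'Security'; Id = 4703; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Read the EventData fields by name rather than by position.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # EnabledPrivilegeList is a whitespace-separated list of privilege names;
        # ProcessId is logged as a hex string (0x...), which [int] accepts.
        $enabled = @($data['EnabledPrivilegeList'] -split '\s+' | Where-Object { $_ })
        if ($enabled -notcontains $Privilege) { continue }

        $image = $data['ProcessName']
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            ProcessId   = [int]$data['ProcessId']
            Image       = $image
            Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Enabled     = ($enabled -join ', ')
            Allowlisted = ($AllowedImages -contains $image)
        }
    }
}

# Anything left after the allow-list is a candidate for the "take ownership, then
# overwrite a protected binary" pattern the report attributes to PIDs 4136 and 3672.
Get-PrivilegeEnabler |
    Where-Object { -not $_.Allowlisted } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, ProcessId, Image, Subject, Enabled -AutoSize
```

Event 4703 is high-volume on Windows 10, so keep the time window short and widen the allow-list from a clean host rather than from the one under investigation. A hit from a user-profile path such as AppData\Local\Temp, as with the sample here, is the one to follow with the file-integrity check on the binaries it touched.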
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
3128 chrome.exe
3128 chrome.exe
3128 chrome.exe
5968 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4136 wrote to memory of 3672 4136 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe 81
PID 4136 wrote to memory of 3672 4136 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe 81
PID 4136 wrote to memory of 3128 4136 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe 82
PID 4136 wrote to memory of 3128 4136 2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe 82
PID 3128 wrote to memory of 3772 3128 chrome.exe 84
PID 3128 wrote to memory of 3772 3128 chrome.exe 84
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 3676 3128 chrome.exe 93
PID 3128 wrote to memory of 816 3128 chrome.exe 94
PID 3128 wrote to memory of 816 3128 chrome.exe 94
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
PID 3128 wrote to memory of 1696 3128 chrome.exe 95
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS activity coincides with vssvc.exe and wbengine.exe, both tagged "Executes dropped EXE" in the process list, being started and enabling their backup and restore privileges; the report records no command that deletes or resizes shadow copies.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4136

  C:\Users\Admin\AppData\Local\Temp\2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3672

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3128

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4a9aab58,0x7ffa4a9aab68,0x7ffa4a9aab78
      PID:3772

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:2
      PID:3676

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
      PID:816

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
      PID:1696

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:1
      PID:4340

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:1
      PID:1576

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:1
      PID:1752

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
      PID:1872

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4272 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
      PID:3416

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
      PID:5996

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
      PID:6104

    C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      - Executes dropped EXE
      PID:5276

      C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        - Executes dropped EXE
        PID:5808

      C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
        PID:5968

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
          - Executes dropped EXE
          PID:6068

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
      PID:5616

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:5624

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID:4712

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:1528

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:2516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2068

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1096

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:2172

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:416

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:5032

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:5108

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:1044

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2944

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:1032

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:4704

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2292

C: \Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4600

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:728

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5208

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:5332

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5464

  C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:2596

  C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
    - Modifies data under HKEY_USERS
    PID:5652
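The process list above shows the sample spawning a copy of itself as a Chrome crashpad handler annotated prod=Chrome and ver=113.0.5672.93, whereas the sandbox's installed chrome.exe reports ver=110.0.5481.104; separately, at the top level, a long series of Windows service images, the Chrome and Edge elevation services, the Mozilla maintenance service and Chrome's chrmstp.exe are started and every one is tagged "Executes dropped EXE", with vssvc.exe and wbengine.exe among them. On a host that matches this report, the first check is whether those binaries still carry a valid signature from their vendor and are still owned by the account that installed them. The PowerShell below is an added example, not part of the Triage report: the path list is copied from the process list, while the expected-signer names, the result shape and the shadow-copy summary are this example's own assumptions.

```powershell
# Added example (not part of the Triage report). Verify signature and owner of every
# binary the report lists as a dropped-and-executed image, then list the shadow
# copies that exist, since the report also flags use of the VSS COM API.
# $ExpectedSigners and the result shape are this example's assumptions.

$ReportedBinaries = @(
    'C:\Windows\System32\alg.exe'
    'C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe'
    'C:\Windows\system32\fxssvc.exe'
    'C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe'
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe'
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
    'C:\Windows\System32\msdtc.exe'
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE'
    'C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe'
    'C:\Windows\SysWow64\perfhost.exe'
    'C:\Windows\system32\locator.exe'
    'C:\Windows\System32\SensorDataService.exe'
    'C:\Windows\System32\snmptrap.exe'
    'C:\Windows\system32\spectrum.exe'
    'C:\Windows\System32\OpenSSH\ssh-agent.exe'
    'C:\Windows\system32\TieringEngineService.exe'
    'C:\Windows\system32\AgentService.exe'
    'C:\Windows\System32\vds.exe'
    'C:\Windows\system32\vssvc.exe'
    'C:\Windows\system32\wbengine.exe'
    'C:\Windows\system32\wbem\WmiApSrv.exe'
    'C:\Windows\system32\SearchIndexer.exe'
    'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe'
)

# Assumption: subject names a clean copy of each file is expected to be signed with.
$ExpectedSigners = @('Microsoft Windows', 'Microsoft Corporation', 'Google LLC', 'Mozilla Corporation')

function Test-ReportedBinary {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null; Owner = $null; LastWriteUtc = $null; Suspicious = $true }
            continue
        }
        # Get-AuthenticodeSignature also consults the system catalogs (SignatureType =
        # Catalog), which is how most in-box service images are signed. A rewritten file
        # comes back HashMismatch or NotSigned rather than Valid.
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.GetNameInfo('SimpleName', $false) } else { $null }
        [pscustomobject]@{
            Path         = $p
            Status       = $sig.Status
            Signer       = $signer
            Owner        = (Get-Acl -LiteralPath $p).Owner      # in-box images: NT SERVICE\TrustedInstaller
            LastWriteUtc = (Get-Item -LiteralPath $p).LastWriteTimeUtc
            Suspicious   = ($sig.Status -ne 'Valid') -or ($ExpectedSigners -notcontains $signer)
        }
    }
}

function Get-ShadowCopySummary {
    # Win32_ShadowCopy enumerates the snapshots that still exist; an empty result on a
    # host with System Protection enabled is a finding in its own right.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate
}

Test-ReportedBinary -Path $ReportedBinaries |
    Where-Object Suspicious |
    Format-Table Path, Status, Signer, Owner, LastWriteUtc -AutoSize

Get-ShadowCopySummary | Format-Table -AutoSize
```

Run this from an elevated prompt, and preferably from a known-good boot environment rather than the live system, since the same run shows the sample touching the binaries that a live PowerShell session would trust. A LastWriteUtc clustered around the time of infection on files whose Status is not Valid is the tell-tale; `sfc /verifyonly` is an independent cross-check for the in-box images, and the vendor installers are the source of clean copies for the Chrome, Edge and Mozilla service binaries.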
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 08d3ef720161e56459615fbec159db34
SHA1 60abdae5aedce48924b5d65f663b2146a83021a7
SHA256 5fd2bd8ce801e918856b3148bcb359fd3adf7fedff65a226e949cedfd985e9f5
SHA512 747b5089448f4c9d67143baecbbc58756a30900c803916332ecc6a428e7937f9e97d7be68906755f6ed34c791862990ea0f16f554bea4a8ab9cf33c14f534dae
-
Filesize 1.4MB
MD5 0066e478f8840cae5da2064f24f929a5
SHA1 9092bed747d77a6502716b83c53e8fe778b1da84
SHA256 560965b98d5d89974fdecd7fe9965d2f0c4cc7911368c3cda0365c3adabb3d9a
SHA512 ed963ca5d5fb0ade5385145294f77bc1de3e6687ca0e3de27d05c3637cfb76d5c0db753a599d3061a9087c3063b385617930d5dce00cb9b7bc8f29b0200b93c8
-
Filesize 1.4MB
MD5 0717c1e057de02b4aa5b5b472cd617a2
SHA1 284d89783b91021a758aa011aacf6f4171efa325
SHA256 3dd6d588c14e40164fc3fc27da87b71da0b866374ca270705df8efc61fa6ce7d
SHA512 a102b4016892b7f776a36493ca195e75d4c53194808a4077c071bbd0fa0d5f0079a27d0664ffaf5676a820dabdb55171a9660c3a44a2a98c3567b85ab11acb70
-
Filesize 5.4MB
MD5 3657054f81c087051fd1fefd36fce3f4
SHA1 5934dfec6c12a02aa47bf59aaefd19584deac810
SHA256 97c4fb04721cda8ea797e73955a61a572c99a08a10397fee545b1a4a4b6c6497
SHA512 ddbe553c6e5bd06c1ca1a63b3db7456e91538c1f2812304d0b7585a821490d9e708762a80b2551268eb08c949b5717432f0dbc11c14a69942553621dda262df1
-
Filesize 2.2MB
MD5 317937ba17e4ebccf5f78b05ca6d9206
SHA1 45a9d4cf697b1c021d290612add446343c07c16c
SHA256 69f4d7b012c64b8a9c3d50e1d4084b608f22b32b10df659f1c53a6d419aa8b8a
SHA512 0eb71eef63d0357da4d6d6b6dd48c87641a98813931891ee84dba2470826e1e19ce2b017f7383252f44858d6026f4dafe6fcfc138e9a098834a44dfcfb3e81da
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 40B
MD5 ead5c5b65992ef68cf2eb90edd0f8846
SHA1 e23f95767614ce9830147ec6ba7b0b5ca18a8101
SHA256 be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f
SHA512 043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize 1KB
MD5 344a5a1e822e6de1ac9a22dfea4300f2
SHA1 e20b3deebf62ddfed5a653b83d877c0a350267f9
SHA256 356549b6c98e055207887c12edc70e3d31a21ab2c4ca1c953f297915101f45aa
SHA512 940d0da91d992042a1166f9a04fa21f718edd38d422e9d25e23c724b27ff17fc0ae5020544ad2f90af1e912d8095fcc5a3ffb584d685b5f682c1457977923dda
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 356B
MD5 565aff2f931d4ce40731aab2efc99d1e
SHA1 32d948685f2f8445c1ecc6c8ffdc40263aa65abd
SHA256 acd53756a6964ccc18f97aa1c0269f620ebf2c83f3e48974183f6e6771538f6a
SHA512 f4531b68c1cd7fb3607ab1a22db10c3a88cac327eeb56b824b6ec13886a436c09bba1c3c000bd9013420843bb66750c4bfb09b509cf5cc5471928567238a3b2d
-
Filesize 5KB
MD5 e56bb383ce7bc115012b50989a0bf816
SHA1 f80e46c2d0c51450b71513fa6fc711259af7f7c6
SHA256 5de8077af36efb3cb289c3465c5fd3fbc23d53746b6f1a3b09fab7e74a42c31c
SHA512 8c5864612aba1c81474aef2e0b8fcbb1a170b0e333947e8bb0bc296b76faa36676c5b0cd6701baf3bdb0b865e4aca6b8898d8e124f1cd4f0a3753ed45e271d52
-
Filesize 2KB
MD5 056cebe70ead07d8acc38f1ddd50556b
SHA1 906167b4de443ef14bb095ae8f196165c25d17e0
SHA256 bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b
SHA512 ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6
-
Filesize 16KB
MD5 a364bc7ec067288e0770b983cc6d8871
SHA1 0a3ad745fae5247ea9b91f4f0a546f24e4aa5ca5
SHA256 9ce7ca0dabd8759c7ed1fe9812bb9f6dda9f52aff3269a99210d9246018cdabd
SHA512 74053f7ef461e8b13a6cbed473dcf1ed5019cc356968eeb31de8ffce9fef225c8633b4076b588b81cf766f2374152fca52afda7c1a37a05ff1f7de40c582b705
-
Filesize 256KB
MD5 d960f204c13f176dd435844bc7f2c22c
SHA1 f9401ad3ce9081eb243a737aeeaeaa54ef26e264
SHA256 4c787a892ce4b74d98707f0f34da1132c17a30b185b1c346a5a1a179dc59a132
SHA512 3cd72ce4dfcf9776406b3d2b27bdbef9034c52d7e16137bb8ab8da8adc32aca6739992ef414666b3e97af99e4103b25df6da1fa38b8685a4a5e5a09e740bc535
-
Filesize 7KB
MD5 6556973901a750d92e0c3d3801d228b2
SHA1 f97f26a45e11b64500b483c0560234bd7034d2eb
SHA256 ced9a8cb17cad9038cc7375ebbc0593f48d15a5f288baf513592536ce4cd3ab8
SHA512 e4d9c16101b9cc20bb4d7d838ca08ea81fdadb793629a7223121bb7718d31d3939e4392c50891139bda908b55e3f37eb82cfc85e6410979df7e0a9d59ca3efe4
-
Filesize 8KB
MD5 7c8aefe87e529a7a1612889a01a8dae7
SHA1 671e43cb13fda2477f39108c302813cb30ab44b9
SHA256 ac80a174d77e950375eaee8369ff85748c2dd12f803ed87f5ff57fd809fdcf59
SHA512 1e7fc3efacd6c937c6e73985abfc183a713be8fe1c7a896994fb44ef883f3806c6045f9aa2c8abcae1d23faddc8a5c6df5bf7f98a5a8e227996d70f1c4a17dc1
-
Filesize 12KB
MD5 5b3b314d20a28003fb024c4a4c173eef
SHA1 3d610032c7055a31dbb9a9072eb2ebe4c136700e
SHA256 7e5202f2913ba7dc06ec071b9d15f16c760e837c4a5b6a9096b9cde9e4a7e7e1
SHA512 3ae33bbce9cf149de2e22e218d9627d45d61ad9e95efebe901295c8aa6f21e93d85324433fc5594a15b52fe9a6a461250b5e94ce48c09ee1fe957e74294c8fbc
-
Filesize 1.2MB
MD5 054fdffbc2859f9d8f2dc4d80acbd939
SHA1 1df63b535260fe4fa3cc254f2885c2e3e4e71a28
SHA256 71975293107d7939d01c481e356850c3c7ce250c95406b330e9c7c9553067636
SHA512 ce25a04a442427eace035284a76ddd0c146643ef51e16b04eb7f7fbc00f36b655295d621a303ae3d8d7a454fa1ce5a12aeb85ed90fa700edee9f5d36d721fe90
-
Filesize 1.7MB
MD5 b722b29bb17b3eb11f971df09e3bf9e9
SHA1 8b178c133cd4d57f951ef283e8e9e5c2796918dc
SHA256 d223f9d410de312ffda473a20b0be170f36fbab5963791cf3e04fb2c2058322b
SHA512 d7e9f2cd36586e364335ac104caf19bf3a8cff5b6d22ea2472ead2c30c06f7e1637487679d2457a12d018f84c3fb9b5c4ea13cdaa524d691dd26db61e892643a
-
Filesize 1.3MB
MD5 2bcf029939713b0342bf2b5cc9b74ee2
SHA1 f5594b62b3d73a0de7e1a34ec6995e20252c11b7
SHA256 7a184a4565ca407788b3019309f5bd477473fdc3843ebc6c5fc2239b1110069b
SHA512 6681f7045870d1927fe7f5af4991b5dfc2a6065e38e5fa33e63ab3b7a2b37b1962e80c52cf8a41444f8d52fc85914a34e534f3bed18ab4089571f79228c0d7b8
-
Filesize 1.2MB
MD5 d84d59463f0171fef9ba109c500884c2
SHA1 771f795703d4ab960c1a30ceb030d1f765736f5f
SHA256 f73a7ce95cd00d2ea2c4c7a442003bfc5835948596418ad99ec6f624fa6788b3
SHA512 0188002b5df168dca6526dddaa621e91492a81a2cb57d5e4e301ade2fee87bc70ba4dd2d71f643f64d53b0618995e5996454337c217f8253b65a39266c700384
-
Filesize 1.2MB
MD5 94afaad6d6f90152d14bcb79d68f7bd6
SHA1 2d78c0d8fb415a403827680497578a6d682ff3e8
SHA256 4e46166ddffbfd40076fdf9f7dbd112bedf81be68df4315b0415e58b30d0c0e3
SHA512 e6e97e3ad4f2f7832bc71b1127ce6497fa92431fb3b0b671dc0561853829cd5cb7468660cba899fd991d733c45c4ef68850f738e20ef646b2a56a6e126e18b6d
-
Filesize 1.5MB
MD5 aff51f2576d093ebe6be4ca28477538d
SHA1 d78489a77741437a9736c24eb6a5e107cca5c787
SHA256 7706938a2467aa17e0bfe80a5da5c92d4f1f44d3fe070ce8d7df8f03477e76be
SHA512 afaaae6a33992c10f4f932bfdfb4b6251915bac8e2cb04a535976653bd457ac44b820a833f12000d9623ec869660ff5a96b5a8e7318f4f1c8f6c321a5ac3dabd
-
Filesize 1.3MB
MD5 85d860042807053531b7f246d645ba57
SHA1 6868c0654923ce3dba79225d3e107bcb0f048d2a
SHA256 24f3d7f6e18595c0b70e465991f1a8d5af66194ceb0b63e752f7c6084c42739e
SHA512 0cc6bda878da8586e9489a72dda6048b4d95c6df5285a6d81ff213fa9d838a40ae7614d12a7bbc6afdcf7032b9dd2479ab8bcadb270af68d77bc589942c7d38d
-
Filesize 1.4MB
MD5 f8a1d788f9dfc2ccce624e47785e7afc
SHA1 8090e06e71e2d343567cc39695301f6351f1e26b
SHA256 f6c7a41c86521144653e741543ff10af5b8e6d6f32de30f4439fb1d56a2393b1
SHA512 bbbe5f0536fc4996d9db34dc7aafc9e86ca6c981325887eda5ba3a83c4600bde6b49d192928e8b548fa836705f79d48ba9562c6cee47021aaf928a6452cb2df4
-
Filesize 1.8MB
MD5 6dfbeb8ceb995f39ff41caaae364fde4
SHA1 f18afbabbe82044384b6404b9992964d272afe36
SHA256 b5fb9dd70a765d4ee03704ce5cd9d18148ae8f5280cf81c4853be351739b0025
SHA512 c36d3242ff5205b78e4d06b2a8b8a0e8d2eb9b23f756357c34dddf0a8b741fa6e71b54122580738503f5eec06a24461258ebc0b3b99999be190231d726212e77
-
Filesize 1.4MB
MD5 2df81a4ca3392c576385bfdea204db9c
SHA1 e695591734a4345086f03fed51b623fbd0f92518
SHA256 6908c6594e58f06ccc9bd948bd26c4183d7c9d0577483a1e49abc64ea4107431
SHA512 1f352f1af8fb6893408b6850e5df8a6f4aff4ca8ee096d22cbd54878d9b2bcd628c991de6504cb97d07aaa8da85949b5c961925979b2fdf9c84a9ddfb6801355
-
Filesize 1.5MB
MD5 0cf6995ca00161f210c701815e24e5a7
SHA1 2fb62342141b498decfb1c077e76f8e57fdd321b
SHA256 b5f820c65e1e470bcb9b904bad6bfd10f06974b8c46d03843c9e793fc0667c3d
SHA512 948c2b6ae83bf2531b991da2a003f5e9a35263e1d2827450ed946bc99f26dec480569b16384feac604dd81c6d4dc6cd7a5ba2375db967382360d3e7636226b21
-
Filesize 2.0MB
MD5 0fbee3bc9b2259d6e347478f41cb147a
SHA1 14c0ba09ffdc95f5b05944a2efab259ba2293938
SHA256 2f05ad583051dabceec87f8ced1ae68519ecc8528c09a30ae267fbafd369fb77
SHA512 cb4dfc6a24a554cc1cdeacbed7b47aba5130322cc5a51a463fcde1c40cafdb0d45feb00f865bc650651583263f9c2650ae1aa19ef96b34a8250a03a76a8c17c8
-
Filesize 1.3MB
MD5 9f763b017bf7d996030858f6920760ca
SHA1 3390f81e78924df65873a9af0041a4b33de2ca9e
SHA256 54e2b1422ca14ff74d11d1c67616af7fd6ebc694d2abfcaac69ff6a91244481e
SHA512 ead8145115b643f20d1257f233488827f00afb4ee506d0ab2ba939941d10b41d246cc838d973e319b4bf23406ad2420cc17901952cf978c2cad162e348c00b56
-
Filesize 1.3MB
MD5 0c0db835b79f8eec5dad369af961d268
SHA1 2a6da4f36200ba2b5921cb6d91881cacead412ba
SHA256 39965c1e6db81ca69bf2a791ae061183015a6c28764d29f88025a3d462e60352
SHA512 dace1e13f0d447f32daf20ae556bcd2af60d20bfe2b902a42b1a43f81ac04aea16cfe732454ca9c5f31b8371dc1146acb844dc3effd2267dbd6839928f1b3738
-
Filesize 1.2MB
MD5 ca514891d83f35fc35f96c655c841654
SHA1 fdde772848a0edc9830ab37941759f44ffc8bee6
SHA256 80a78c98f7337c553ebf683a1e339338a3635d66cb53e14f027abde16944a52d
SHA512 0a47ed96f49ce2163938bb42cba99a4b56fd0a26bc1644b2105d8c3d167c135e4412d806651c6a46a7e4dcae6d63b4bfed37028a7bebe9561eaf4a448b0e38b9
-
Filesize 1.3MB
MD5 c0ee374f61c3e7bfdb54ab20c3780e26
SHA1 49c29fec4b267810a34781924b6aae660130d351
SHA256 f7b46227f5af8e5ccba04269541b0184a0430169d9ce0a9995ee74a662c57adf
SHA512 62c696dce9f9a6cf81c8a0a4cf3c47f99db28ea80bf1a1336c703dfa562ff4bba351804bb7d8834942a5e6488737f7f0a2392a241174be6cd3b1d950853b1e13
-
Filesize 1.4MB
MD5 999a9c9b1afc61d114b7b71d915030d1
SHA1 f8d26e12495c83e6eacf59458001a1e77d641f30
SHA256 dbd8040f7f88bc4adabee66e23cb28a3bb8877b864d98cdaa979e6203cc553f2
SHA512 56856deed7a51ec388e2a70fe84c2cce768646672b50c6ee637ec41fb0abe5202f4a521e7cee5482e67067838670210b64150cd392780d080f95308f1fc58bec
-
Filesize
2.1MB
MD565d4e33af780004964f3f1ed4b3d181f
SHA1d5ef2e73deab4630fcc97c53b41ba49bbb010122
SHA256adde4bd854f6bb398b92a6a57215eae4492114e0f59ce67adc246917fbc7e0c3
SHA512f27f030db827c100b9573c031cc2f4a11250b6167d2103eb1bcc92332e40be89c3ab44a6dfdff8526ce4c6bbd6c9b221bc182127ad92ed232cecd161ad59b8de
-
Filesize
40B
MD5295c35172675c56d85b3271fc5adbaf7
SHA1fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0
SHA256f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0
SHA51215813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a