Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30/05/2024, 23:22
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
  Resource: win7-20231129-en
General
  Target: 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
  Size: 5.5MB
  MD5: da82415d494f2e3aa1ec83a0164fe564
  SHA1: d92dda409fda382caed5967e7f1ce20b60f21614
  SHA256: f0f7338b6f9dcf26c244b6ef16c17658d4b2e3369506592282b248cb6e12679d
  SHA512: 0e95ecc6f5840dedc1882d992e76b79dd99d0f2196036c85fe66bdb81bcc803fc74f2746976b8725d6a8af2147f9c5860a2daf3da6ee237eb113e07521809cf8
  SSDEEP: 98304:mAI5pAdVJn9tbnR1VgBVmtU7dG1yfpVBlH:mAsCh7XYoUoiPBx

  The MD5 matches the hash embedded in the submitted filename. The "_ryuk" suffix is part of the submission name; none of the signatures below attribute the sample to a family, and no ransomware-specific behaviour (encryption, ransom note) is recorded in the 150 s run. What the run does record is mass modification of existing executables (see the "Drops file" signatures).

Malware Config
  No configuration was extracted for this sample.
Signatures
Executes dropped EXE (26 IoCs)
  pid   Process
  2260  alg.exe
  2224  DiagnosticsHub.StandardCollector.Service.exe
  1252  fxssvc.exe
  4512  elevation_service.exe
  4000  elevation_service.exe
  1712  maintenanceservice.exe
  3604  msdtc.exe
  2880  OSE.EXE
  1760  PerceptionSimulationService.exe
  4328  perfhost.exe
  4996  locator.exe
  3612  SensorDataService.exe
  4912  snmptrap.exe
  3784  spectrum.exe
  3868  ssh-agent.exe
  1592  TieringEngineService.exe
  3368  AgentService.exe
  1756  vds.exe
  1840  vssvc.exe
  3416  wbengine.exe
  2212  WmiApSrv.exe
  1480  SearchIndexer.exe
  5896  chrmstp.exe
  5444  chrmstp.exe
  5220  chrmstp.exe
  6220  chrmstp.exe

  Every name here is an existing Windows service or third-party binary, not a new file: this signature fires when a file the sample wrote to is subsequently executed, and 20 of the 22 distinct names appear below as files the sample opened for modification. The two exceptions, elevation_service.exe and maintenanceservice.exe, do not appear in any file table shown, but the Program Files table is truncated at 64 rows, so their absence is not proof they were untouched. elevation_service.exe was started twice and chrmstp.exe (the Chrome installer helper) four times.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other profile data. No IoC rows are shown for this signature.
Drops file in System32 directory (24 IoCs)
  Opened for modification by 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe (22):
    C:\Windows\system32\dllhost.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\SgrmBroker.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\locator.exe
    C:\Windows\system32\AgentService.exe
    C:\Windows\System32\alg.exe
    C:\Windows\System32\msdtc.exe
    C:\Windows\SysWow64\perfhost.exe
    C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\vds.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\system32\AppVClient.exe
    C:\Windows\system32\fxssvc.exe
    C:\Windows\System32\snmptrap.exe
    C:\Windows\system32\spectrum.exe
    C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\wbengine.exe
    C:\Windows\system32\SearchIndexer.exe
  Opened for modification by msdtc.exe (1):
    C:\Windows\system32\MSDtc\MSDTC.LOG
  Opened for modification by alg.exe (1):
    C:\Windows\system32\config\systemprofile\AppData\Roaming\69c42494c3a5208d.bin

  All 22 files the sample touched are Microsoft service binaries that normally carry a valid Authenticode signature; on a suspect host, a signature check of these exact paths is the quickest way to confirm tampering. Of the 22, all but dllhost.exe, msiexec.exe, SgrmBroker.exe and AppVClient.exe were later observed running (see "Executes dropped EXE"). The .bin written by alg.exe under the SYSTEM profile's AppData\Roaming is the only new artefact in this table and is worth collecting.
Drops file in Program Files directory (64 IoCs)
  Opened for modification by 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe (63):
    C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
    C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe
    C:\Program Files\Java\jre-1.8\bin\java.exe
    C:\Program Files\Mozilla Firefox\default-browser-agent.exe
    C:\Program Files\Mozilla Firefox\pingsender.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
    C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
    C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files\Java\jdk-1.8\bin\javap.exe
    C:\Program Files\Java\jdk-1.8\bin\jhat.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    C:\Program Files\Java\jdk-1.8\bin\jar.exe
    C:\Program Files\Java\jdk-1.8\bin\idlj.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
    C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
    C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
    C:\Program Files\Java\jdk-1.8\bin\java.exe
    C:\Program Files\Java\jdk-1.8\bin\javac.exe
    C:\Program Files\Java\jdk-1.8\bin\jstat.exe
    C:\Program Files\Java\jdk-1.8\bin\klist.exe
    C:\Program Files\Java\jre-1.8\bin\klist.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
    C:\Program Files\Common Files\microsoft shared\ink\mip.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
    C:\Program Files\Java\jdk-1.8\bin\jps.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
    C:\Program Files\Java\jre-1.8\bin\orbd.exe
    C:\Program Files\VideoLAN\VLC\uninstall.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
    C:\Program Files\Mozilla Firefox\crashreporter.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
    C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
    C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
    C:\Program Files\Java\jdk-1.8\bin\jstack.exe
    C:\Program Files\Java\jdk-1.8\bin\xjc.exe
    C:\Program Files (x86)\Internet Explorer\ieinstal.exe
    \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
  Created by maintenanceservice.exe (1):
    C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

  Every file the sample touched here is an existing .exe, across Java, Firefox, VLC, Office, Chrome/Google Update, Adobe Reader, 7-Zip and Internet Explorer; no filter by vendor or path is visible. Note the OSE.EXE entry appears twice, once as a Win32 path and once as the NT object-manager path \??\c:\..., which is the same file. Three tables on this page stop at exactly 64 rows, the report's per-signature display limit, so this list (and the SCSI and HKEY_USERS tables below) should be read as truncated.
Drops file in Windows directory (2 IoCs)
  Opened for modification by 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe:
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  Opened for modification by msdtc.exe:
    C:\Windows\DtcInstall.log
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI device information is often read in order to detect sandboxing environments. Here the reads come from spectrum.exe and SensorDataService.exe, two Windows service binaries that the sample opened for modification (see "Drops file in System32 directory"), so the behaviour cannot be attributed to the original sample process on this evidence alone. The device instance paths themselves identify the analysis VM: a QEMU DVD-ROM, two Microsoft virtual DVD-ROMs and a disk reporting the vendor string DADY.

  All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\. Device instance keys referenced:
    [Disk]   Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
    [DVD-1]  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
    [DVD-2]  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
    [QEMU]   CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
  Property subkeys read (each relative to <device>\Properties\):
    [P1] {259abffc-50a7-47ce-af08-68c9a7d73366}\000C
    [P2] {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
    [P3] {b725f130-47ef-101a-a5f1-02608c9eebac}\000A
    [P4] {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
    [P5] {51236583-0c4a-4fe8-b81f-166aec13f510}\007A
    [P6] {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
    [P7] {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009

  spectrum.exe (33 rows)
    Key opened:        [Disk], [DVD-1], [QEMU]
    Key opened:        [Disk]\Properties\  P1, P2, P3, P4, P5, P6, P7
    Key opened:        [DVD-1]\Properties\ P1, P3, P4, P6, P7
    Key opened:        [DVD-2]\Properties\ P1, P2, P3, P4, P5, P6, P7
    Key opened:        [QEMU]\Properties\  P1, P2, P3, P4, P5, P6, P7
    Key value queried: [Disk]\FriendlyName, [DVD-1]\FriendlyName, [DVD-2]\FriendlyName, [QEMU]\FriendlyName
  SensorDataService.exe (31 rows)
    Key opened:        [Disk], [DVD-1], [DVD-2], [QEMU]
    Key opened:        [Disk]\Properties\  P1, P2, P3, P4, P5, P6, P7
    Key opened:        [DVD-1]\Properties\ P1, P2, P3, P4, P5, P7
    Key opened:        [DVD-2]\Properties\ P1, P2, P3, P4, P5, P6
    Key opened:        [QEMU]\Properties\  P1, P2, P3, P7
    Key value queried: [Disk]\FriendlyName, [DVD-1]\FriendlyName, [DVD-2]\FriendlyName, [QEMU]\FriendlyName
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments. The reader here is TieringEngineService.exe, another service binary the sample opened for modification.
    Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  The reader is chrome.exe, which is not among the executables the sample opened for modification (the Chrome installer helper chrmstp.exe is).
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   chrome.exe
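To turn the flattened tables above into something a responder can act on, the following Python script, an added example that is not part of the sandbox report or its tooling, parses rows in the report's run-together "description ioc Process" layout, cross-references the executables the sample opened for modification (the "Drops file" tables) against the processes listed under "Executes dropped EXE", and tags the SCSI, CPU and BIOS registry reads with the virtual-hardware vendor string in the key and whether the reading process is itself one of the modified binaries. The embedded rows are a constructed excerpt of the tables on this page, not the full lists; the regular expressions are written for this report's layout only.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# The submitted sample, exactly as it appears in the report's Process column.
SAMPLE = "2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe"

# Constructed excerpts of the page's flattened tables, in the report's own
# run-together "description ioc Process" layout (trailing "-" included).
FILE_ROWS = r"""
File opened for modification C:\Windows\system32\dllhost.exe 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\System32\alg.exe 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\69c42494c3a5208d.bin alg.exe
File opened for modification C:\Windows\system32\spectrum.exe 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
File opened for modification C:\Windows\System32\SensorDataService.exe 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
File opened for modification C:\Windows\system32\TieringEngineService.exe 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe -
"""
PID_ROWS = ("pid Process 2260 alg.exe 3604 msdtc.exe 2880 OSE.EXE 1712 maintenanceservice.exe "
            "3612 SensorDataService.exe 3784 spectrum.exe 1592 TieringEngineService.exe "
            "5896 chrmstp.exe 5444 chrmstp.exe -")
REG_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
"""

# A file row is "<description> <path, may contain spaces> <process, no spaces>";
# the path ends where the next description (or the table's trailing "-") begins.
FILE_RE = re.compile(
    r"(File opened for modification|File created)\s+(.+?)\s+(\S+)"
    r"(?=\s+File (?:opened for modification|created)\s|\s*-?\s*$)"
)
PID_RE = re.compile(r"(\d+)\s+(\S+)")
# Keys in the SCSI/CPU/BIOS tables contain no spaces, so a simpler split works.
REG_RE = re.compile(r"(Key opened|Key value queried)\s+(\S+)\s+(\S+)")


def parse_file_rows(text):
    """(description, path, process) per row of a flattened file table."""
    return [m.groups() for m in FILE_RE.finditer(text)]


def parse_pid_rows(text):
    """(pid, process) per row of a flattened 'Executes dropped EXE' table."""
    return [(int(pid), name) for pid, name in PID_RE.findall(text)]


def parse_registry_rows(text):
    """(operation, key, process) per row of a flattened registry table."""
    return [m.groups() for m in REG_RE.finditer(text)]


def modified_executables(file_rows, sample=SAMPLE):
    """Executables the sample itself opened for modification, keyed by lower-cased basename."""
    return {PureWindowsPath(p).name.lower(): p
            for _, p, proc in file_rows if proc == sample and p.lower().endswith(".exe")}


def correlate(file_rows, pid_rows, sample=SAMPLE):
    """Cross-reference the binaries the sample modified with the processes that ran."""
    modified = modified_executables(file_rows, sample)
    executed = {name.lower() for _, name in pid_rows}
    return {
        "modified_then_executed": sorted(executed & modified.keys()),
        "modified_not_executed": sorted(modified.keys() - executed),
        "executed_not_modified": sorted(executed - modified.keys()),
        # Files touched by processes other than the sample: artefacts of the spawned binaries.
        "writes_by_spawned": [(proc, p) for _, p, proc in file_rows if proc != sample],
    }


def by_directory(file_rows, sample=SAMPLE):
    """Count of files the sample touched per drive + top-level folder."""
    counts = Counter()
    for _, p, proc in file_rows:
        if proc == sample:
            parts = PureWindowsPath(p).parts
            counts[str(PureWindowsPath(*parts[:2])).lower()] += 1
    return counts


def classify_registry_reads(reg_rows, modified):
    """(process, category, vendor string, process-was-modified-by-sample) per registry row."""
    tagged = []
    for _, key, proc in reg_rows:
        k = key.upper()
        if "\\ENUM\\SCSI\\" in k:
            category = "SCSI"
        elif "CENTRALPROCESSOR" in k:
            category = "CPU"
        elif "\\BIOS" in k:
            category = "BIOS"
        else:
            category = "other"
        vendor = re.search(r"Ven_([^&\\]+)", key)  # e.g. Ven_QEMU -> "QEMU"
        tagged.append((proc, category, vendor.group(1) if vendor else None, proc.lower() in modified))
    return tagged


if __name__ == "__main__":
    rows, pids = parse_file_rows(FILE_ROWS), parse_pid_rows(PID_ROWS)
    for name, value in correlate(rows, pids).items():
        print(f"{name}: {value}")
    print("by_directory:", dict(by_directory(rows)))
    for tag in classify_registry_reads(parse_registry_rows(REG_ROWS), modified_executables(rows)):
        print("registry:", tag)
```

To run it over the full page, paste each signature's text into the matching constant. On the complete tables the cross-reference shows that 20 of the 22 distinct names under "Executes dropped EXE" are files the sample opened for modification, leaving only elevation_service.exe and maintenanceservice.exe unaccounted for, and that every SCSI and CPU read is made by a process whose binary the sample modified.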
Modifies data under HKEY_USERS (64 IoCs)
  All writes are under the .DEFAULT hive (plus one under S-1-5-19) by the Windows Search host processes, the fax service and chrome.exe; SearchIndexer.exe and fxssvc.exe are among the binaries the sample opened for modification. The entries are MuiCache display strings, Shell Extensions\Cached timestamps, FileExts\...\OpenWithList keys and DirectShow/certificate-store keys. Abbreviations used below:
    MUICACHE = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E
    FILEEXTS = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    SHELLEXT = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
    OREGRES  = @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll

  SearchFilterHost.exe, Key created (10):
    \REGISTRY\USER\.DEFAULT\Software
    \REGISTRY\USER\.DEFAULT\Software\Microsoft
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My

  SearchProtocolHost.exe, Key created (13):
    \REGISTRY\USER\.DEFAULT\Software
    \REGISTRY\USER\.DEFAULT\Software\Microsoft
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
    \REGISTRY\USER\.DEFAULT\Software\Microso
ft\Windows\CurrentVersion\Explorer
    FILEEXTS\.au
    FILEEXTS\.au\OpenWithList
    FILEEXTS\.DVR-MS\OpenWithList
    FILEEXTS\.html\OpenWithList
    FILEEXTS\.mhtml\OpenWithList
    FILEEXTS\.xht\OpenWithList
    FILEEXTS\.xhtml\OpenWithList
    FILEEXTS\.xml\OpenWithList

  SearchProtocolHost.exe, Set value (data) under SHELLEXT (6); each value name is "{CLSID} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF":
    {C120DE80-FDE4-49F5-A713-E902EF062B8A} = 010000000000000086738445e8b2da01
    {1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} = 010000000000000081590c46e8b2da01
    {F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} = 01000000000000005e85b645e8b2da01
    {80009818-F38F-4AF1-87B5-EADAB9433E58} = 0100000000000000c9a9fb45e8b2da01
    {97E467B4-98C6-4F19-9588-161B7773D6F6} = 0100000000000000d235c745e8b2da01
    {AEB16279-B750-48F1-8586-97956060175A} = 0100000000000000b69a8b45e8b2da01

  SearchProtocolHost.exe, Set value (str) under MUICACHE (26):
    @C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
    @C:\Windows\System32\ieframe.dll,-914 = "SVG Document"
    @C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"
    @C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
    @C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
    @C:\Windows\System32\msxml3r.dll,-1 = "XML Document"
    @C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"
    @C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
    @C:\Windows\system32\windows.storage.dll,-10152 = "File folder"
    @windows.storage.dll,-21824 = "Camera Roll"
    @windows.storage.dll,-34583 = "Saved Pictures"
    @C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"
    @C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"
    @C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"
    @C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"
    @C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
    OREGRES,-102 = "Microsoft Excel Template"
    OREGRES,-107 = "Microsoft Excel Comma Separated Values File"
    OREGRES,-114 = "OpenDocument Spreadsheet"
    OREGRES,-120 = "Microsoft Word 97 - 2003 Document"
    OREGRES,-123 = "Microsoft Word Document"
    OREGRES,-140 = "Microsoft OneNote Section"
    OREGRES,-174 = "Microsoft PowerPoint Presentation"
    OREGRES,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"
    OREGRES,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"
    OREGRES,-178 = "OpenDocument Presentation"

  SearchIndexer.exe, Set value (str) under MUICACHE (6):
    C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"
    C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
    C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"
    C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"
    C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"
    C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"

  fxssvc.exe, Set value (str) under MUICACHE (2):
    @fxsresm.dll,-1130 = "Microsoft Modem Device Provider"
    @fxsresm.dll,-1133 = "Print"

  chrome.exe, Set value (int) (1):
    \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615849409946226"
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
4020 chrome.exe
4020 chrome.exe
732 chrome.exe
732 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
4020 chrome.exe
4020 chrome.exe
4020 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4644 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
Token: SeTakeOwnershipPrivilege 1960 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe
Token: SeAuditPrivilege 1252 fxssvc.exe
Token: SeRestorePrivilege 1592 TieringEngineService.exe
Token: SeManageVolumePrivilege 1592 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3368 AgentService.exe
Token: SeBackupPrivilege 1840 vssvc.exe
Token: SeRestorePrivilege 1840 vssvc.exe
Token: SeAuditPrivilege 1840 vssvc.exe
Token: SeBackupPrivilege 3416 wbengine.exe
Token: SeRestorePrivilege 3416 wbengine.exe
Token: SeSecurityPrivilege 3416 wbengine.exe
Token: 33 1480 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1480 SearchIndexer.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe
Token: SeShutdownPrivilege 4020 chrome.exe
Token: SeCreatePagefilePrivilege 4020 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
4020 chrome.exe
4020 chrome.exe
4020 chrome.exe
5220 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4644 wrote to memory of 1960 4644 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe 92
PID 4644 wrote to memory of 1960 4644 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe 92
PID 4644 wrote to memory of 4020 4644 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe 94
PID 4644 wrote to memory of 4020 4644 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe 94
PID 4020 wrote to memory of 532 4020 chrome.exe 95
PID 4020 wrote to memory of 532 4020 chrome.exe 95
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6052 4020 chrome.exe 122
PID 4020 wrote to memory of 6052 4020 chrome.exe 122
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 4476 4020 chrome.exe 123 -
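The WriteProcessMemory table above mixes two different things: Chromium's browser process writing into the sandboxed children it has just spawned (routine bootstrap, and the bulk of the 64 rows) and the sample's own writes into 1960 and 4020. The sandbox rows carry no address or size, so the only structure an analyst can lean on is the process tree. The Python below is an added example, not part of the report, that applies one triage heuristic to constructed rows modelled on the table: a parent writing into a child of the same image is the Chromium pattern, a parent writing into a child of a different image is the process-hollowing shape (4644 ryuk.exe into 4020 chrome.exe), and a write into anything that is not a direct child is a cross-process write. The PROCESSES table is derived from the tree in this report, pid 9999 is invented to exercise the non-child case, and the verdict strings are this example's own.

```python
"""Triage of sandbox 'wrote to memory' rows against the process tree (constructed example)."""
import re
from collections import Counter

# Row layout used by the report: "PID <writer> wrote to memory of <target> <writer> <writer image> <index>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+\s*$", re.MULTILINE)

SAME_IMAGE_CHILD = "same-image write into own child (Chromium-style child bootstrap)"
CROSS_IMAGE_CHILD = "write into own child of a different image (process-hollowing shape)"
NON_CHILD = "write into a process that is not a direct child (cross-process write)"

# Constructed process table taken from the tree in this report: (pid, parent pid, image).
PROCESSES = [
    (4644, None, "2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe"),
    (1960, 4644, "2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe"),
    (4020, 4644, "chrome.exe"),
    (532, 4020, "chrome.exe"),
    (6032, 4020, "chrome.exe"),
    (6052, 4020, "chrome.exe"),
    (4476, 4020, "chrome.exe"),
]

# Constructed rows: a subset of the table above plus an invented target pid 9999
# that appears nowhere in the tree.
ROWS = """\
PID 4644 wrote to memory of 1960 4644 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe 92
PID 4644 wrote to memory of 4020 4644 2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe 94
PID 4020 wrote to memory of 532 4020 chrome.exe 95
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6032 4020 chrome.exe 121
PID 4020 wrote to memory of 6052 4020 chrome.exe 122
PID 4020 wrote to memory of 4476 4020 chrome.exe 123
PID 4020 wrote to memory of 9999 4020 chrome.exe 130
"""


def classify(writer, target, procs):
    """Verdict for one write, using only parent/child structure and image names."""
    target_info = procs.get(target)
    if target_info is None or target_info[0] != writer:
        return NON_CHILD
    writer_info = procs.get(writer)
    if writer_info is not None and writer_info[1] == target_info[1]:
        return SAME_IMAGE_CHILD
    return CROSS_IMAGE_CHILD


def triage(rows_text, processes):
    """Count rows by (writer pid, target pid, writer image, verdict)."""
    procs = {pid: (ppid, image) for pid, ppid, image in processes}
    counts = Counter()
    for writer, target, image in ROW_RE.findall(rows_text):
        verdict = classify(int(writer), int(target), procs)
        counts[(int(writer), int(target), image, verdict)] += 1
    return counts


def findings(rows_text, processes):
    """Deduplicated (writer, target, verdict) triples that merit a closer look."""
    hits = {(w, t, v) for (w, t, _img, v) in triage(rows_text, processes) if v != SAME_IMAGE_CHILD}
    return sorted(hits)


if __name__ == "__main__":
    for (writer, target, image, verdict), n in sorted(triage(ROWS, PROCESSES).items()):
        print(f"{n:3d}x {writer} -> {target} ({image}): {verdict}")
    print("investigate:", findings(ROWS, PROCESSES))
```

This orders the rows for a human; it proves nothing about what was written. Chromium's children are expected to be written by their parent, so those rows drop out, leaving 4644 into 4020 as the one pair worth chasing. Confirming hollowing needs the target addresses or a memory dump of the child, neither of which this report contains.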
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4f7fab58,0x7ffc4f7fab68,0x7ffc4f7fab783⤵PID:532
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:23⤵PID:6032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:83⤵PID:6052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:83⤵PID:4476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:13⤵PID:5248
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:13⤵PID:5260
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:13⤵PID:5692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:83⤵PID:5852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:83⤵PID:5876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:83⤵PID:5016
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5896 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5444
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5220 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:6220
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:83⤵PID:6228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4112 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:83⤵PID:6492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1880,i,16141904850833861173,7401771611445688244,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:732
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2224
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4940
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4512
-
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4000
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1712
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3604
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2880
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1760
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4328
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4996
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3612
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4912
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3784
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:2900
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1756
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3416
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2212
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1480 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5424
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:6136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:81⤵PID:5788
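The tree above is the sandbox's own rendering: each header line is the image path immediately followed by the command line, with the depth digit fused to the arrow, then "- tag" lines, then "PID:n". The Python below is an added example, not part of the report, that parses an excerpt of the tree in that layout, recovers parent pids from the depth digits, and lists the binaries under C:\Windows that carry the "Executes dropped EXE" tag. Those are the system service binaries the sample opened for modification and that then ran at depth 1, outside the sample's own subtree, which is the list a responder needs for restoration. SAMPLE_TREE is a constructed excerpt of the report's tree.

```python
"""Parse the sandbox process tree into (depth, image, pid, tags) records (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Header: <image><command line><depth digit>⤵ optionally followed by PID:n on the same line.
HEADER_RE = re.compile(r"^(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$")
PID_RE = re.compile(r"^PID:(\d+)")
IMAGE_RE = re.compile(r"^.*?\.exe", re.IGNORECASE)  # image path ends at the first .exe

# Constructed excerpt in the report's own layout.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-30_da82415d494f2e3aa1ec83a0164fe564_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4940
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
PID:1252
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4512
"""


@dataclass
class Proc:
    depth: int
    image: str
    pid: Optional[int] = None
    tags: list = field(default_factory=list)


def parse_tree(text):
    """Turn the report's process-tree text into Proc records, in document order."""
    procs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank lines and separator dashes
            continue
        m = HEADER_RE.match(line)
        if m:
            cmd = m["cmd"]
            if cmd.startswith("\\??\\"):     # NT path prefix seen on OSE.EXE in the report
                cmd = cmd[4:]
            img = IMAGE_RE.match(cmd)
            current = Proc(depth=int(m["depth"]),
                           image=img.group(0) if img else cmd,
                           pid=int(m["pid"]) if m["pid"] else None)
            procs.append(current)
        elif current is not None and PID_RE.match(line):
            current.pid = int(PID_RE.match(line).group(1))
        elif current is not None and line.startswith("- "):
            current.tags.append(line[2:].strip())
    return procs


def parent_map(procs):
    """Recover parent pids: a node's parent is the most recent node one level shallower."""
    parents, last_at_depth = {}, {}
    for p in procs:
        parents[p.pid] = last_at_depth.get(p.depth - 1)
        last_at_depth[p.depth] = p.pid
    return parents


def dropped_system_binaries(procs):
    """Images under C:\\Windows that the sandbox tagged as dropped EXEs."""
    return [p.image for p in procs
            if "Executes dropped EXE" in p.tags and p.image.lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for p in tree:
        print(f"{'  ' * (p.depth - 1)}{p.pid} {p.image} parent={parent_map(tree)[p.pid]} {p.tags}")
    print("replaced system binaries:", dropped_system_binaries(tree))
```

Depth-1 entries have no parent in the tree, so parent_map returns None for them; in this report that covers the sample itself and the service binaries that were started independently of it. Apply the same parser to the full tree to get the complete restoration list rather than the two shown here.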
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.3MB
MD57d0bc5dd590e77b09f7edf2c908c3d0d
SHA167a480ae537d35d516c57805d84fd03250aff167
SHA256daf69a2c9ab72f5609d35cc3789790babafd9913eb0fa3f1bcd8f636591686d5
SHA51251926e3e70b712d132b40016a3a283a3aa7249eaa7a0e723a3d92b5465e4b1757801d0cab8d21ac8183dcfd0a4b65ebc2ff67bbe4ca7162e22f9a82110309b63
-
Filesize
1.7MB
MD5522a824b052404f252c300783911f43d
SHA17b88fd3135912b8e362133cbed6c24d4cb55dd31
SHA256958d2863efc68f3093ab20e5e4a2f8c468446e7e531e0b311fb96d18d3626469
SHA51290dd8e8c1e9cd6d260302362341f3d3c6b361eaedde14e959218a49aaacdc629aef10d15e0a3cf8e36bb407368f6f92ecaf63c70629993de501bc25dbc6d13d3
-
Filesize
1.7MB
MD5151b711024e01cb3e3341b3bfd4b818a
SHA12ebfea30a077247f62e53e769237a84247bac366
SHA256e4c3791daf4d3c4e7812eac3c963fe143c3a6517d54dcaa97057887d8926742b
SHA5121be96ac190550e6f717f69b3ca783f7c611519b1520d6fe75e6f9dead1ceab32b3abfb46e41ffb6d52bbf0722aa53cc05553b665ebd2b6b5afb5768b58234c51
-
Filesize
5.4MB
MD52331946878f9b873c9253f4c58296c7f
SHA19ed9b78b5906f50b217ed7d982840d97ec08b87f
SHA25635969a4f8a8544c78c522b698d9074ba260b75f986bac483e49b64978095a774
SHA5124a68148b48e019c06c05cd9c3a1c97e1a9b349c385989634760a941529fffd4b783f1057ab652facd299285909ac2acd56d1aaabf97f317a8fd9af4c37747cb3
-
Filesize
2.2MB
MD5d35084cee98e2bb6e6ed519654251f02
SHA1bab3a09173c6c8559868b45ab3ea1aae89b34fcf
SHA256e638fc5e8d9c7f2f91c7200c1b7a880530fb17c98a40c4bcb52f37999d5b3dc7
SHA5121f6db901310506e12fb2a416123001944e16a5703a6c615c0236401b35c9fb9af6a12e7ab2cfe83c09438025c74608b3a8024c6381f5f3bd98647d936ddf5a55
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
40B
MD5e646991f9b7863013f4543e5deea2d49
SHA17d3ab1c249b15c5bc5761baef819fa96b043539a
SHA2560cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA5128b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD586642d655e40582493357a2c5314c0a7
SHA1b37f04e8be3939d791a4855d0476be0f206940bd
SHA2569758e0a519fdd7e1920619b194cb4cecb4da995f9e3704a59a13b66705dcfa2d
SHA51251a2c413160ed29b138a698f9a773ec40d2dbb002cefe793608277aa585421e5511eb9b3ba9869ad27511e92d7242ccfad90953f816e08442b48855d5cb020fb
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5bf91efa5d1815fa4b74bed8b94e9ca88
SHA1a747117b1af32518db7aa75ed969f5160ff22cd9
SHA25636656e206669731ca319783299b9fd3be0e4e38bf680b8954f0d2d957e1d86e1
SHA512dedfc1a91ceb3a598e9fddcae78c9f6395150dc52eb711a0c1f6fdf21ebe53675e03bc367f1a780f48e730ac9bf91ded45b9c64b71efa8faa4b80a58a3a5f721
-
Filesize
5KB
MD545e2f6d495422eb70b6c0101768a542b
SHA13e3f4437c2459543c31a3a448688d45a0d97406b
SHA256c0e898e5d98e6ab5e6b7bb64bfde9af8e21fd652e8a939dd0550169e7e2818d2
SHA5121d6a95641dedef84074420adf398da745b66a08210ea81d701e89dd2966d8e4cdba41ee617d295b368253f29248884ad39619cd8897669bb70397c0081aa3189
-
Filesize
2KB
MD5c4d12c24a85b7e1aaf85cad983fe7610
SHA100bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA2566568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA5120d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6
-
Filesize
16KB
MD5baddbb4f6754aa74ece93b1b27e73f56
SHA1607b41ffc8429dcf5f695072450e03c6c47d54da
SHA2565fc14bcddf1d28c289b93d57602f665c41855968d68cb80c70b3caaa3175e728
SHA5120f3f8f79c69cd32098249d0f988a232cf94d84e01fc6c9b20395ea701ed238e9b9cab5b1b081d76d3cacfa3f02a22a75629abd75512b918283563671d506f468
-
Filesize
261KB
MD59bdec8c97eb0470da9b30c2869b3369c
SHA12fef3efa1a478c1aefefdc39d89f1942ab320270
SHA256c9c524809aaa0319ef47ca60f1d854b4ae57e2f1f10009b91955af769ca45ef1
SHA5122fffdf759fc884aa35ad3644d8956637597174bf0f7334ff298d846db0871859adf3a124aef4fb11eedaf931fbb911200f8b48792becc785e4408b9f9747a55b
-
Filesize
7KB
MD54cb06afa9caa80e1956f2e3650bc9ba7
SHA14a932091f8a794f446c2f8cf4d9638c88d097a0b
SHA256bf6824ff821ef7dc5fc2a0c094c3ee283082b06310fb05656a44a5a706725707
SHA512810c2bee180cfcd4a7c6f88ae7a43a06f3c0daf762ef67d426f10184593b2f9e8d01d0112c0c72c9bffa9d53fee31c336754b8ad9aee73eeac2d2a33cf7cee5b
-
Filesize
8KB
MD56afe933b46bd8d2e1e39f3fd99518da5
SHA12ecec85a24d50e4cdadc3d801f5087eb8cd2004b
SHA256d7121fe2f79e97da0c9c3b33d7c317dfa0bf04ae07e453cbc8677d3fd59e2dff
SHA5123c77670abf9abda9036fd9b87cbbc0820facbdae43faa470223d058920677313eac8abfde48612f29513795a6bcd6c12f94c91ceff5604933e6f85a48b8f8482
-
Filesize
12KB
MD5518839df886938ed10ae7985ba945b25
SHA111769faa7151905ef1bc8c70371ff4f3d4748836
SHA25688520bf3f5a043c14fc49388c33d539cd0fa9f9fda4c9cd4a03599ef7aa938d1
SHA5128a96c841ac5d03c7df2c8c41f85c60b9986ecdb5958df4a4d7712917b10d9c21223ed6be727a9fbb42ef019ed928b0ba2e87241b51c0a227b0df0b0d49fd62a6
-
Filesize
1.4MB
MD52b1885eb60afcc86468e9dc4b9dc015b
SHA11916735572ec44e5e3e1336a51bbbb82239fc88b