Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 23:25

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe
Resource: win7-20240221-en

Note: the task listing names the win7-20240221-en resource while the analysis header above reports the win10v2004-20240508-en image. The IoCs in this report (SgrmBroker.exe, SensorDataService.exe, OpenSSH\ssh-agent.exe, PerceptionSimulationService.exe) are Windows 10 components, so the signatures below belong to the Windows 10 run.

General

Target: 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe
Size: 5.5MB
MD5: f184d87eec99f6424cfd690e65ebe119
SHA1: d5270da8d20b1f173d22fde48c05783c0294ea11
SHA256: fa78d1d10c7c6657ca3fc6a4fc464d81c29c3cd3d08d3c1d10ae0d7caea60fc3
SHA512: 2114ca27ef7d44aca54f6dae95f1fddc9b61ecf45914a666ac9e1e2414b15b7de92ef26b5ad989d87d59362d5b5046711622642c9becdde7e8cf86c9f9bfcd2c
SSDEEP: 49152:nEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfj:zAI5pAdV9n9tbnR1VgBVm0TjYvH
Malware Config
Signatures
Executes dropped EXE (26 IoCs)

PID | Process
4520 | alg.exe
908 | DiagnosticsHub.StandardCollector.Service.exe
2340 | fxssvc.exe
3140 | elevation_service.exe
1640 | elevation_service.exe
2212 | maintenanceservice.exe
3232 | msdtc.exe
4400 | OSE.EXE
1964 | PerceptionSimulationService.exe
3708 | perfhost.exe
740 | locator.exe
3472 | SensorDataService.exe
3908 | snmptrap.exe
680 | spectrum.exe
3344 | ssh-agent.exe
388 | TieringEngineService.exe
3084 | AgentService.exe
2252 | vds.exe
2188 | vssvc.exe
4136 | wbengine.exe
4372 | WmiApSrv.exe
4548 | SearchIndexer.exe
5736 | chrmstp.exe
5676 | chrmstp.exe
5924 | chrmstp.exe
6024 | chrmstp.exe

Nearly every image here is an existing Windows or third-party service binary that the sample opened for modification (see the three "Drops file" sections below). These are therefore not freshly written droppers but installed service executables that were started after the sample wrote to them, a pattern consistent with a file-patching infector that relies on the services' own start-up for execution.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (24 IoCs)

In the Process column, "sample" stands for 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe.

Description | IoC | Process
File opened for modification | C:\Windows\System32\alg.exe | sample
File opened for modification | C:\Windows\system32\fxssvc.exe | sample
File opened for modification | C:\Windows\system32\locator.exe | sample
File opened for modification | C:\Windows\system32\vssvc.exe | sample
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | sample
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | sample
File opened for modification | C:\Windows\system32\msiexec.exe | sample
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | sample
File opened for modification | C:\Windows\SysWow64\perfhost.exe | sample
File opened for modification | C:\Windows\system32\SgrmBroker.exe | sample
File opened for modification | C:\Windows\system32\wbengine.exe | sample
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4eb6a0a1293b476c.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | sample
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | sample
File opened for modification | C:\Windows\system32\TieringEngineService.exe | sample
File opened for modification | C:\Windows\system32\AgentService.exe | sample
File opened for modification | C:\Windows\system32\spectrum.exe | sample
File opened for modification | C:\Windows\System32\vds.exe | sample
File opened for modification | C:\Windows\system32\SearchIndexer.exe | sample
File opened for modification | C:\Windows\system32\AppVClient.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | sample
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | sample
File opened for modification | C:\Windows\System32\snmptrap.exe | sample

Two rows are not written by the sample itself: 4eb6a0a1293b476c.bin under the SYSTEM profile's AppData\Roaming is written by alg.exe, and MSDTC.LOG by msdtc.exe, both of which the sample had already opened for modification and which appear in "Executes dropped EXE". The .bin file is thus a post-infection artifact produced by a patched service and is a more specific host indicator than the service binaries themselves.
Drops file in Program Files directory (64 IoCs)

Every row is "File opened for modification" by 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe; only the IoC path is listed.

C:\Program Files\Java\jdk-1.8\bin\xjc.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\Java\jdk-1.8\bin\policytool.exe
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Java\jdk-1.8\bin\kinit.exe
C:\Program Files\Java\jdk-1.8\bin\ktab.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
C:\Program Files\Java\jre-1.8\bin\unpack200.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
C:\Program Files\Java\jdk-1.8\bin\servertool.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
C:\Program Files\Java\jre-1.8\bin\pack200.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
C:\Program Files\Java\jdk-1.8\bin\orbd.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Java\jre-1.8\bin\ktab.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
C:\Program Files\Mozilla Firefox\updater.exe
Drops file in Windows directory (2 IoCs)

Description | IoC | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
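Because the sample writes into existing service binaries under System32 and Program Files rather than dropping its own files, the host-side question on a suspect machine is whether those binaries still match known-good copies. The script below is an added example, not part of this report and not Tria.ge tooling: a hash-baseline check intended to be run against an offline-mounted image of the suspect volume, with the baseline built from a clean machine at the same patch level. The target list is taken from the System32 table above; the baseline and the files it is checked against are constructed with temporary files inside demo(), and the "PATCHED" prefix written there only stands in for the sample's write, whose content the report does not show.

```python
"""Offline integrity check of the binaries the report shows being modified.

Added example; not part of the sandbox report. TARGETS is copied from the
report's 'Drops file in System32 directory' rows. Paths are relative to the
volume root so one manifest serves both C:\ on a live host and the mount
point of a forensic image (the safer choice, since a patched service that
is still running cannot interfere with the read).
"""
import hashlib
import tempfile
from pathlib import Path

TARGETS = [
    r"Windows\System32\alg.exe",
    r"Windows\System32\fxssvc.exe",
    r"Windows\System32\spectrum.exe",
    r"Windows\System32\SensorDataService.exe",
    r"Windows\System32\TieringEngineService.exe",
    r"Windows\System32\OpenSSH\ssh-agent.exe",
]


def _under(root: Path, rel: str) -> Path:
    """Resolve a Windows-style relative path under root on any host OS."""
    return root.joinpath(*rel.split("\\"))


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, targets=TARGETS) -> dict:
    """Hash the targets on a clean reference volume; absent files are skipped."""
    return {rel: sha256_file(_under(root, rel)) for rel in targets if _under(root, rel).is_file()}


def verify(baseline: dict, root: Path) -> dict:
    """Compare each baselined path under root: path -> 'ok' | 'modified' | 'missing'."""
    verdicts = {}
    for rel, expected in baseline.items():
        p = _under(root, rel)
        if not p.is_file():
            verdicts[rel] = "missing"
        elif sha256_file(p) != expected.lower():
            verdicts[rel] = "modified"
        else:
            verdicts[rel] = "ok"
    return verdicts


def demo() -> dict:
    """Constructed scenario: a clean volume and a suspect copy with two files altered."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        clean_root, suspect_root = Path(clean), Path(suspect)
        for rel in TARGETS:
            for root in (clean_root, suspect_root):
                f = _under(root, rel)
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_bytes(b"MZ" + rel.encode() + b"\x00" * 64)  # stand-in for a PE image
        baseline = build_baseline(clean_root)
        # Simulated infection: one service binary is written to (content is an
        # assumption, the report only shows the open-for-modification) and one is gone.
        patched = _under(suspect_root, TARGETS[0])
        patched.write_bytes(b"PATCHED" + patched.read_bytes())
        _under(suspect_root, TARGETS[2]).unlink()
        return verify(baseline, suspect_root)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:8s} {rel}")
```

On a live Windows host, Authenticode verification (Get-AuthenticodeSignature in PowerShell, or Sysinternals sigcheck) is the stronger check: a Microsoft-signed service binary whose signature no longer validates is conclusive at any patch level, whereas a hash baseline has to be rebuilt after every update.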
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

All 64 entries are attributed to spectrum.exe and SensorDataService.exe. Both are Windows service binaries that the sample opened for modification (System32 table above) and that were then started ("Executes dropped EXE"), so the reads are as consistent with those services' own device enumeration on start-up as with anti-analysis logic added by the sample; the report alone does not distinguish the two. What the reads expose is nonetheless exactly what VM-detection code looks for: vendor and product strings of the three device instances (QEMU DVD-ROM, "DADY" HARDDISK, Microsoft Virtual DVD-ROM) and their FriendlyName values.

All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; the device instances are abbreviated as follows:
<QEMU-DVD> = CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
<DADY-DISK> = Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
<MSFT-DVD-1> = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
<MSFT-DVD-2> = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002

Description | IoC | Process
Key opened | <QEMU-DVD> | spectrum.exe
Key opened | <QEMU-DVD>\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | <DADY-DISK>\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | <DADY-DISK>\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | <QEMU-DVD>\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | <DADY-DISK>\FriendlyName | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | <DADY-DISK>\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | <DADY-DISK>\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | <QEMU-DVD>\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | <MSFT-DVD-1>\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | <QEMU-DVD> | SensorDataService.exe
Key opened | <QEMU-DVD>\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | <QEMU-DVD>\FriendlyName | SensorDataService.exe
Key opened | <DADY-DISK>\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | <DADY-DISK> | spectrum.exe
Key opened | <QEMU-DVD>\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | <MSFT-DVD-2>\FriendlyName | SensorDataService.exe
Key opened | <DADY-DISK>\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | <MSFT-DVD-1>\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | <MSFT-DVD-1>\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | <QEMU-DVD>\FriendlyName | spectrum.exe
Key opened | <MSFT-DVD-2>\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | <MSFT-DVD-2> | spectrum.exe
Key opened | <DADY-DISK>\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | <QEMU-DVD>\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | <MSFT-DVD-1>\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | <MSFT-DVD-1>\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | <MSFT-DVD-1>\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | <QEMU-DVD>\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | <QEMU-DVD>\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | <DADY-DISK>\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | <MSFT-DVD-2>\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | <QEMU-DVD>\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | <DADY-DISK>\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | <DADY-DISK> | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | <QEMU-DVD>\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | <MSFT-DVD-2>\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | <MSFT-DVD-1>\FriendlyName | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | <MSFT-DVD-2>\FriendlyName | spectrum.exe
Key opened | <QEMU-DVD>\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | <DADY-DISK>\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | <MSFT-DVD-1> | spectrum.exe
Key opened | <MSFT-DVD-1>\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | <DADY-DISK>\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | <MSFT-DVD-1>\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | <MSFT-DVD-2> | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | <DADY-DISK>\FriendlyName | spectrum.exe
Key opened | <DADY-DISK>\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | <MSFT-DVD-2>\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | <MSFT-DVD-2>\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | <MSFT-DVD-1>\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | <MSFT-DVD-1>\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | <MSFT-DVD-1>\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | <DADY-DISK>\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | <MSFT-DVD-1>\FriendlyName | spectrum.exe
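The file tables ("Drops file in System32 / Program Files / Windows directory"), the "Executes dropped EXE" table and the SCSI list above are all rendered as one run of "description, IoC, process" rows. The Python script below is an added example, not part of the Tria.ge report or its tooling: it parses that layout, cross-references the paths the sample opened for modification against the executed-process list to recover the write-then-start chain, separates out files written by the launched services themselves, and summarises the registry reads per process and per SCSI device instance. The rows embedded in it are copied from this report (a subset); the splitting heuristic (a row starts with one of the four description phrases seen on this page and the process image name is the final token) is this script's own assumption about the page layout.

```python
"""Parse Tria.ge-style flattened IoC rows and cross-reference them.

Added example; not part of the sandbox report and not Tria.ge's own code.
Row text below is copied from the report (a subset of each section).
"""
import re
from collections import Counter

SAMPLE = "2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe"

# 'Executes dropped EXE' table, all 26 rows, as rendered on the page.
EXECUTED_ROWS = (
    "pid Process 4520 alg.exe 908 DiagnosticsHub.StandardCollector.Service.exe "
    "2340 fxssvc.exe 3140 elevation_service.exe 1640 elevation_service.exe "
    "2212 maintenanceservice.exe 3232 msdtc.exe 4400 OSE.EXE "
    "1964 PerceptionSimulationService.exe 3708 perfhost.exe 740 locator.exe "
    "3472 SensorDataService.exe 3908 snmptrap.exe 680 spectrum.exe 3344 ssh-agent.exe "
    "388 TieringEngineService.exe 3084 AgentService.exe 2252 vds.exe 2188 vssvc.exe "
    "4136 wbengine.exe 4372 WmiApSrv.exe 4548 SearchIndexer.exe "
    "5736 chrmstp.exe 5676 chrmstp.exe 5924 chrmstp.exe 6024 chrmstp.exe"
)

# Subset of 'Drops file in System32 directory', in the page's flattened layout.
FILE_ROWS = rf"""
File opened for modification C:\Windows\System32\alg.exe {SAMPLE}
File opened for modification C:\Windows\system32\fxssvc.exe {SAMPLE}
File opened for modification C:\Windows\system32\msiexec.exe {SAMPLE}
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\4eb6a0a1293b476c.bin alg.exe
File opened for modification C:\Windows\system32\spectrum.exe {SAMPLE}
File opened for modification C:\Windows\System32\SensorDataService.exe {SAMPLE}
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
"""

# Subset of the SCSI and processor registry rows.
REG_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
"""

# Description phrases seen on this page; a new row starts wherever one appears.
DESCRIPTIONS = ("File opened for modification", "Key value queried", "Key opened", "Key created")
_ROW_START = re.compile("(?=" + "|".join(re.escape(d) for d in DESCRIPTIONS) + ")")
_SCSI_NODE = re.compile(r"\\Enum\\SCSI\\([^\\]+\\[^\\]+)", re.I)


def parse_rows(text: str) -> list:
    """Split flattened '<description> <ioc> <process>' text into dict rows."""
    rows = []
    for chunk in _ROW_START.split(text):  # zero-width split, Python 3.7+
        chunk = " ".join(chunk.split())
        if not chunk:
            continue
        desc = next((d for d in DESCRIPTIONS if chunk.startswith(d)), None)
        if desc is None:
            raise ValueError(f"unrecognised row start: {chunk[:40]!r}")
        ioc, process = chunk[len(desc):].strip().rsplit(" ", 1)  # process = last token
        if not process.lower().endswith(".exe"):
            raise ValueError(f"process column is not an image name: {process!r}")
        rows.append({"description": desc, "ioc": ioc, "process": process})
    return rows


def parse_executed(text: str) -> dict:
    """'pid Process' table -> {pid: image name}."""
    return {int(pid): name for pid, name in re.findall(r"(\d+)\s+(\S+\.exe)\b", text, re.I)}


def modified_then_executed(file_rows: list, executed: dict, sample: str = SAMPLE) -> list:
    """Paths the sample wrote to whose image name was started afterwards."""
    started = {name.lower() for name in executed.values()}
    hits = [r["ioc"] for r in file_rows
            if r["description"] == "File opened for modification"
            and r["process"] == sample
            and r["ioc"].rsplit("\\", 1)[-1].lower() in started]
    return sorted(hits, key=str.lower)


def written_by_launched_services(file_rows: list, executed: dict) -> list:
    """Files written by the started services themselves: post-infection artifacts."""
    started = {name.lower() for name in executed.values()}
    return [r["ioc"] for r in file_rows if r["process"].lower() in started]


def scsi_reads(reg_rows: list):
    """(registry reads per process, distinct SCSI device instances touched)."""
    per_process = Counter(r["process"] for r in reg_rows)
    nodes = set()
    for r in reg_rows:
        m = _SCSI_NODE.search(r["ioc"])
        if m:
            nodes.add(m.group(1))
    return per_process, nodes


if __name__ == "__main__":
    files, regs = parse_rows(FILE_ROWS), parse_rows(REG_ROWS)
    started = parse_executed(EXECUTED_ROWS)
    for p in modified_then_executed(files, started):
        print("written by sample, then started:", p)
    for p in written_by_launched_services(files, started):
        print("written by a launched service:  ", p)
    per_process, nodes = scsi_reads(regs)
    print(dict(per_process), sorted(nodes))
```

Run over the full page text the same functions give the numbers quoted in the notes above: every SCSI read belongs to spectrum.exe or SensorDataService.exe, and every System32 executable the sample wrote to except msiexec.exe, SgrmBroker.exe, AppVClient.exe and dllhost.exe appears in the executed list.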
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

Both reads come from TieringEngineService.exe, another service binary the sample opened for modification and that was subsequently started, so the same caveat as for the SCSI reads applies.

Description | IoC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)

These writes are attributed to SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe, fxssvc.exe and chrome.exe, and consist of MuiCache strings, FileExts keys and Shell Extensions cache entries under the .DEFAULT hive plus TPM telemetry under S-1-5-19. That is the footprint of Windows Search indexing and the fax service running under the SYSTEM and LOCAL SERVICE profiles; SearchIndexer.exe and fxssvc.exe are among the binaries the sample opened for modification and that were then started, which is why the activity shows up in this trace.

Abbreviations used in the IoC column:
<MuiCache> = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E
<FileExts> = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
<ShellExtCache> = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
<oregres.dll> = C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll

Description | IoC | Process
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | <FileExts>\.mp2 | SearchProtocolHost.exe
Key created | <FileExts>\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | <FileExts>\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | <FileExts>\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | <FileExts>\.shtml | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (data) | <ShellExtCache>\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe4d02b8e8b2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Key created | <FileExts>\.pdf | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | <FileExts>\.aif | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615851335466222" | chrome.exe
Set value (str) | <MuiCache>\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | <ShellExtCache>\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000642ec5b6e8b2da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (data) | <ShellExtCache>\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e7f95b6e8b2da01 | SearchProtocolHost.exe
Key created | <FileExts>\.mht | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@<oregres.dll>,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | <FileExts>\.svg | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | <ShellExtCache>\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027d10bb8e8b2da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (data) | <ShellExtCache>\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fbaafb6e8b2da01 | SearchProtocolHost.exe
Key created | <FileExts> | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
1312 chrome.exe
1312 chrome.exe
5220 chrome.exe
5220 chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
1312 chrome.exe
1312 chrome.exe
1312 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4544 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe
Token: SeTakeOwnershipPrivilege 2812 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe
Token: SeAuditPrivilege 2340 fxssvc.exe
Token: SeRestorePrivilege 388 TieringEngineService.exe
Token: SeManageVolumePrivilege 388 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3084 AgentService.exe
Token: SeBackupPrivilege 2188 vssvc.exe
Token: SeRestorePrivilege 2188 vssvc.exe
Token: SeAuditPrivilege 2188 vssvc.exe
Token: SeBackupPrivilege 4136 wbengine.exe
Token: SeRestorePrivilege 4136 wbengine.exe
Token: SeSecurityPrivilege 4136 wbengine.exe
Token: 33 4548 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
Token: SeShutdownPrivilege 1312 chrome.exe
Token: SeCreatePagefilePrivilege 1312 chrome.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
1312 chrome.exe
1312 chrome.exe
1312 chrome.exe
5924 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4544 wrote to memory of 2812 4544 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe 83
PID 4544 wrote to memory of 2812 4544 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe 83
PID 4544 wrote to memory of 1312 4544 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe 84
PID 4544 wrote to memory of 1312 4544 2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe 84
PID 1312 wrote to memory of 4364 1312 chrome.exe 85
PID 1312 wrote to memory of 4364 1312 chrome.exe 85
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 2492 1312 chrome.exe 112
PID 1312 wrote to memory of 1804 1312 chrome.exe 113
PID 1312 wrote to memory of 1804 1312 chrome.exe 113
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
PID 1312 wrote to memory of 2612 1312 chrome.exe 114
-
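The AdjustPrivilegeToken and WriteProcessMemory tables above are flattened into "Token: <privilege> <pid> <image>" and "PID <src> wrote to memory of <dst> <src> <image> <procid_target>" records, and the interesting facts (which process holds which privileges, which process writes into a process running a different image) are buried under repetition. The parser below is an added example, not part of the sandbox report or the vendor's tooling; the record text is a constructed excerpt in the same shapes, and PID_IMAGES is a PID-to-image map copied by hand from the process tree and assumed complete for the PIDs used here.

```python
import re
from collections import Counter

# Constructed excerpt using the record shapes of the report's
# "Suspicious use of AdjustPrivilegeToken" and "Suspicious use of
# WriteProcessMemory" tables; only a handful of records are kept.
SAMPLE = "2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe"
TOKEN_TEXT = (
    f"Token: SeTakeOwnershipPrivilege 4544 {SAMPLE} "
    f"Token: SeTakeOwnershipPrivilege 2812 {SAMPLE} "
    "Token: SeBackupPrivilege 2188 vssvc.exe "
    "Token: SeRestorePrivilege 2188 vssvc.exe "
    "Token: 33 4548 SearchIndexer.exe "
    "Token: SeShutdownPrivilege 1312 chrome.exe "
    "Token: SeShutdownPrivilege 1312 chrome.exe"
)
WPM_TEXT = (
    f"PID 4544 wrote to memory of 2812 4544 {SAMPLE} 83 "
    f"PID 4544 wrote to memory of 1312 4544 {SAMPLE} 84 "
    "PID 1312 wrote to memory of 4364 1312 chrome.exe 85 "
    "PID 1312 wrote to memory of 2492 1312 chrome.exe 112 "
    "PID 1312 wrote to memory of 2492 1312 chrome.exe 112"
)
# PID -> image, copied from the report's process tree (assumed complete
# for the PIDs in the excerpt above).
PID_IMAGES = {4544: SAMPLE, 2812: SAMPLE, 1312: "chrome.exe",
              4364: "chrome.exe", 2492: "chrome.exe"}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
# The writer's PID is repeated after the target PID; the backreference
# keeps a stray number from being taken as the start of a new record.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_privileges(text):
    """Return {(pid, image): sorted list of privileges} with repeats collapsed.
    An unnamed privilege (e.g. '33') is kept as the sandbox printed it."""
    privs = {}
    for name, pid, image in TOKEN_RE.findall(text):
        privs.setdefault((int(pid), image), set()).add(name)
    return {key: sorted(names) for key, names in privs.items()}


def parse_memory_writes(text):
    """Return Counter{(src_pid, dst_pid, src_image): number of records}."""
    return Counter((int(src), int(dst), image)
                   for src, dst, image, _target in WPM_RE.findall(text))


def cross_image_writes(writes, pid_images):
    """Writes whose target runs a different image than the writer (or an
    unknown one): a parent seeding its own child is routine, a sample
    writing into chrome.exe is what an analyst wants surfaced."""
    out = []
    for (src, dst, src_image), count in sorted(writes.items()):
        dst_image = pid_images.get(dst, "<unknown>")
        if dst_image != src_image:
            out.append((src, src_image, dst, dst_image, count))
    return out


if __name__ == "__main__":
    for (pid, image), names in parse_privileges(TOKEN_TEXT).items():
        print(f"{pid:>5} {image}: {', '.join(names)}")
    for src, src_image, dst, dst_image, n in cross_image_writes(
            parse_memory_writes(WPM_TEXT), PID_IMAGES):
        print(f"{src} ({src_image}) -> {dst} ({dst_image}) x{n}")
```

On the excerpt, the only cross-image write is PID 4544 (the sample) into PID 1312 (chrome.exe); the chrome.exe-to-chrome.exe records are the browser seeding its own utility and renderer children. Feed the full tables in and the same two functions give the complete picture without the 64-row cap getting in the way of reading.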
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. Ransomware commonly calls into it to enumerate and delete shadow copies so that encrypted files cannot be rolled back, but this report records only that the COM API was used, not which operations were invoked; confirm the shadow copy state on an affected host rather than assuming either way.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4544

    C:\Users\Admin\AppData\Local\Temp\2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe
        C:\Users\Admin\AppData\Local\Temp\2024-05-30_f184d87eec99f6424cfd690e65ebe119_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID: 2812

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 1312

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fffadb3ab58,0x7fffadb3ab68,0x7fffadb3ab78
            PID: 4364

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:2
            PID: 2492

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:8
            PID: 1804

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:8
            PID: 2612

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:1
            PID: 4724

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:1
            PID: 5028

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:1
            PID: 5572

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:8
            PID: 5620

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:8
            PID: 5688

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:8
            PID: 5344

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:8
            PID: 5524

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
            - Executes dropped EXE
            PID: 5736

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x274,0x298,0x14044ae48,0x14044ae58,0x14044ae68
                - Executes dropped EXE
                PID: 5676

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious use of FindShellTrayWindow
                PID: 5924

                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
                    - Executes dropped EXE
                    PID: 6024

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:8
            PID: 4344

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 --field-trial-handle=1924,i,12765980083916815624,6203168726487961937,131072 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID: 5220

C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4520

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    PID: 908

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 540

C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 2340

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID: 3140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE
    PID: 1640

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    PID: 2212

C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID: 3232

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID: 4400

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID: 1964

C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID: 3708

C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID: 740

C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 3472

C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID: 3908

C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 680

C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID: 3344

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 2824

C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID: 388

C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3084

C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID: 2252

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2188

C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4136

C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID: 4372

C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 4548

    C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID: 6044

    C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        - Modifies data under HKEY_USERS
        PID: 444
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5 bc822f5c88aa298886c4f5f0a56475ce
SHA1 3cef98315e82a9e3c4b0511bb1332727311599d5
SHA256 ddbeffc17e63bb594e0079416a2ae754b23279b5a128a38fc516e510ec13c46a
SHA512 b37baf50bce8ded59b8f5014ee90889d2322727cda5a7117edae22654dde3f69cf2bc3e03b474902b22961001b57e6920ca79e39bf7b1761fa5b462ef3679b09
-
Filesize
1.4MB
MD5 b19e9e76667ae93c6cbe6000c2f76e95
SHA1 db716fe26b050042b24f0fe6bd8c0dc9e871dd9b
SHA256 bc99fd82573f59ba954cabae607550cb7bca1add5e174ca5e24e341e72ae83f6
SHA512 103b28c9dfb8c4e0776143244aa40379e0512ebea34236a754b1c9518b97899b82333783e19210baede5326a497cb236bfcba7608eb07743ec0f664c904bc44b
-
Filesize
1.4MB
MD5 2aca61391b45fa2421c8826639e1f074
SHA1 70d8fbaeb96c345f2d95202c84f41f1751d0d266
SHA256 9cb1e8bb12aab958719821a13b94eb70a0d50600105b7313fc40a8c22c5a8c3b
SHA512 8bfedd9ef4e1032141937b1ffc25c680297c5f2d34f23a089b46ad620af31b6f92064cc586b54d96f8bbb40936d30dc3f62feaee4c5ec9ec2818674dce263bf0
-
Filesize
5.4MB
MD5 7790eebba01aa38f985a8de877ddd223
SHA1 2895b95898ccca952b60e59704d94ed8e7b80088
SHA256 34244364620f09b1ce8716e11e310ba609eeaae80112d96218290a454c1ec23a
SHA512 05f5466b6a93bc9c826ce9fa2f31323e432c15ea14755d1c0e29129ee837c7ea9f6447748ad763f0a990555bc53637051748fe70c21caa95e1f1b6fd4b0526b5
-
Filesize
2.2MB
MD5 e667085e1e8cd856c4d7655563092648
SHA1 3096475a1031368643dd968df482df867a397576
SHA256 987da4b49c88e3aa51b52c38105f37c5887aba16f1658332f2cf7277641c694c
SHA512 4fa01cef1274c3813cd8f744c05eaaa9f3fe7f0250be2dcb3fa99d400f97a584dfd1207ccfb42a0faaba1f8eea01ccc33e7d636b1ca490c3b77bfd0423f0de19
-
Filesize
488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
40B
MD5 23e6ef5a90e33c22bae14f76f2684f3a
SHA1 77c72b67f257c2dde499789fd62a0dc0503f3f21
SHA256 62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790
SHA512 23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122
-
Filesize
193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5 11fe6c5b61822f5f96f723af38bd1ece
SHA1 3b88fc4c26baf6125ec6cb38b51f56cebe5a901e
SHA256 1f9438db413e435c16c098cd7cf056f3d9978959394594b818ed8257966acb9e
SHA512 bc322660bfb14254795464df0bbd6343c228b0c44ccbda52d224925bfd76843468f5d669f78614fac7110f1dd942fb13b952c2a14ad51dfdb8bcc4fc7bc2ffe9
-
Filesize
2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD5 5cfde5a28427862bb9eee808cc84154c
SHA1 85343cb4a7f94d7e4b9438296b04d3655996d886
SHA256 5cbed3a394cc94b07882a3d90df5f15d0d587af6da320bd41bb109e784fe6a85
SHA512 ccf486f1233f701d4e99f7dc3e302a6ad53f73203e184e11b6642f715f690d4c86c737975a8377a14ed68697323014fd476ba32afe4294e6e29033f8401e39f3
-
Filesize
5KB
MD5 aed51c49eb60990eac2f2a2bc76c5b13
SHA1 9d82a98ad5f9b12530a107ac342f31b879309e0f
SHA256 21b99ced9d17c6cfaf84d4f952489b82ce7ae1bfca282d38a95dfc184b665e73
SHA512 98d52427264701e851a1399a86c2530957242ddc4dee173c3f3f883b052071ae5d56d7c9b47b1ef62f830029ad0a53a4054d9de8e2c074897fdb0687857f3ca0
-
Filesize
2KB
MD5 8441fa327ce1f6c12f371a1535e655be
SHA1 7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071
SHA256 975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158
SHA512 986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4
-
Filesize
16KB
MD5 aafeb15d2660545105424bd2a212ea06
SHA1 fd6ad7ca058023e13ea153c0c2e0ff1693af195a
SHA256 f50b9bbd29a3a923c531a6c423d53fd3960ed58bad0caafa828f0e56dabd9408
SHA512 e19863d44587f69a1e38970642163c81c625b734d01a5e3ab44f40f936edbaebc1f4e7f66c01b288f1d533c337fa126a703ca290a440bba3dfa306ed958f3a3b
-
Filesize
261KB
MD5 93e1292155b2dd2d4564278a2c8738e5
SHA1 6ce47aacc145813c4035e19f42cd8b19f32b9605
SHA256 0361f03a75746c2c4b1e7f422e6f3e9107d6e1b0df43b3ff9c4107a1f22320a3
SHA512 a01eee862a38bcc7b210f07dbf8002fb462b43b42ccae34b0ae631d6b38869dc6eca995975f2145f3fda13f86d5968c74c69ba387540a3c70ce9c2ffb15d4276
-
Filesize
7KB
MD5 6e46645538ed251d8c9408b95909f9dd
SHA1 741dceb55aa6e4ecddb9223b3f9c9fec495212c1
SHA256 5fad6f2610b2bd02b378fa9ed76ac16871268572be92b8bcfb9aae70c0ce463a
SHA512 e4198437b4c555cf421d6329e9d7a12197d480d880d663da4db9b00a77644db1aba4c59ff874a7ae0113405a6e0f23e02af9da5cbf11219116d22c4196f370a6
-
Filesize
8KB
MD5 c01459438cc79a7021f2796053d7d188
SHA1 3d6635e8820ecf8aa7cdbab0154cdd66dfa3cb37
SHA256 4bce21a33b06635a152503b8b4bfc0e06953c21dd3ef442181143265f3f36d73
SHA512 6311986491eb12face3bd33092b78713dc2c05c769dec5a87196572d2fd6e33721640c0f94cedb6a7957142c2c6a2e8a98fad522423c7b9f4eedf9407eadabcb
-
Filesize
12KB
MD5 a9059095ca5aa56ec078ec28ddaace7e
SHA1 02b57ef1cdbeb9776f93f0cca55c318fe0e89568
SHA256 7621d7c4aa404394e8bdfbb19dda7530306df4306f77e7736bf21504b017ba78
SHA512 a9de1234793feec1b38b83ffec4c81661f0fe7d35db3ae54ac68eebeaf04836cfa7213bc85f211654910343e63189a2fc9a6c5ff8f88c4a45dab0245adcbb769
-
Filesize
1.2MB
MD5 7ea349de09b5d41171900c82930149b8
SHA1 27bfc04e851dc45f32974309422cf8530aa1b170
SHA256 03c87376e8ae81a6afd2b5e25b554251584ea613619f9a11215c17649cd86194
SHA512 e45c9dab48f36ffa41584181733cee7f057f7231d8e9f8e3a98e4b4801dcc47a8f889531cd872124be159f24c0469058dd1853a6b56caa68b535b9008f37a2f3
-
Filesize
1.7MB
MD5 01f53854bbe3c32fab8595913a52f832
SHA1 8f971523a57daa11e6fb75f9e7ded0662a471d4e
SHA256 7c78b23a4371f1c064e1f25ee0cd16bb2a167e599fc9458494a8950fe5f5b828
SHA512 7628048eb2d5284613c889ee77533115312e8648cc53389885f17e8068966aca9bb8836af0789306866420d69cc460462215e6b79c1ff756e6eeef0f3a2b06d4
-
Filesize
1.3MB
MD5 56f6c718e3b7271ca13ba15140eac406
SHA1 631ccabc45195824c59d156952f271f0820009a6
SHA256 df8a5115949df055ee9178d9679b186571d33a230c66008dfe6e75f567bfb46d
SHA512 da014871a339e85bfa6e1432886583785160fcf40fffea4e6cf66327b19460a28b014d37509393d93c2b5db6bcd0eba189af399a6ae8acea49d8c1c40e5cbb17
-
Filesize
1.2MB
MD5 c38aced33a20952e7775f997cb4ea856
SHA1 4d130a46afcdbc315e8460158c35aa971cc04b3b
SHA256 79225084fc1f941905444a5e700756e21cf4cd68328e0ef86959216b05e14998
SHA512 e13e44de7a6321bd98a29cce2967c8ce9f8caa8782d0dddbe2dc00304e57e42d2ca44248be4f946a67bc9fccf3911a7d36d9ca23d83b930e8fc7c39070eda3ec
-
Filesize
1.2MB
MD5 d100442e1977bf3ef7aa92aa78e16477
SHA1 06828ecf3671cd4dbd375252648966cb82319b1b
SHA256 4947121ada114408430eea30985ee2b401c677554b9e06a6febe36810c069afa
SHA512 02cdcbebfffac30d7d2fd8d78e11406e400de14a4db483c39241b37f645df1e04f214dc0e55a66078954b814f2fa2c4b3def9bbb3453b67cf76baea749b2fbdb
-
Filesize
1.5MB
MD5 067c4438ba418db02a739367ce4ccd41
SHA1 d784d9b4a81f0422c5e1158ef3accb901b63d02d
SHA256 0488767b70c255839fb403545db095f7dc3a6a7d698f299d02046dac9bb54a66
SHA512 a36ef19ccb4fe05f2c2c9b77185ee96556a5b7e76c12bab3d964997cbc57dd9bc7162df043a7221c2e0e62332eb7096bb50555b6c799e214f06a11aeb097e550
-
Filesize
1.3MB
MD5 0bcf6ad977b5826c14a477f2015c952b
SHA1 b61dac4496f7d7ec8336bcc735902cc9d83eed31
SHA256 6820152a5508c867ecbbd9260ac6c77794a23f1497b13f9031f42ecb048cb307
SHA512 4679c287bcd5a530f1e75350924af7fafd7f92ad95c784749dfa583deabd4f1851f56d831b7f458b6cbfbb3dc9956d9c83805aef0171571ba3b48fa97860d73b
-
Filesize
1.4MB
MD5 39ce9ce81088671efe82a6972d9d6c5b
SHA1 bc85c9ad9b503f20b48816a9bba6e2b16277ddca
SHA256 e4b5e64f95bfe9a2b9b349a11d5704540f71212538c0989dc383f24fa4817cfb
SHA512 b6d20af55b4db46f3d53a66833ffe2b4666353d61d10879b0f38f63c170321c2fb9febbafe195cc40161a081fae74f0fc91beaee550c5fb80193559e89e1963d
-
Filesize
1.8MB
MD5 1385535772d68c0cc94ec8d6b74ad1ef
SHA1 dbc40c0567b7a0daefa2c838d21e08743e62a1e3
SHA256 ece0de60a8f1cb082b811a91b2024d9d443dda4e7f7b8b1c333841bf20a4825a
SHA512 71efa9b666f35915a0dd507676297a899cbbdae25f0ebf1736c8924b620c8d5fe34029ccc13b01cad386341aff4970d1edbb8dca3e78fa04c072a5f24a447386
-
Filesize
1.4MB
MD5 152253fe1a84ff715839ec7be21a7e08
SHA1 c039f9f5584bfd109f7c476cf2036bc54bcd2077
SHA256 1cd33bea168835e8ffac2632814d6ee2e23c522c821ac3dfc55ec90519ce0ed1
SHA512 bf8a8240906d55776be15acce048cc74e66ba1327a645a67a7bb90014536306366588bac6e2807df3b74af87ba46d48e0545ff1632192b9bc31df7643bc8ce56
-
Filesize
1.5MB
MD583fd0749c8aa7269f2d65d21e2841a73
SHA157b79dc9a2aeebeb602c9835fb5fd3c82f8c9b6b
SHA256db6db9e4c74af2ae95f6f328a64c3a1c10f67f0e38e65e730a189228c7ea9d04
SHA512f995b4a86df120cd5fe1b193ef68cd366ef2aafcc9be0f4ea643fe63883adfb0ad2d6d5d8ec6a47bc32eef979e4bafc8f554e0d5010e1e7e3f032c5136283684
-
Filesize
2.0MB
MD5a63b2d7be26400e3e3e7f606d8a04882
SHA1ea71908c282eaf6d04c58fdac977372a24a1760c
SHA2565f5e18666846cd8d9ed910f47e50a95c74d52b77c18dd9bd50cc6a698a8c8abe
SHA5120ce3534152b2fcf8ac9ebf22d7f10552a7bd0be0e68ff18f1e1f791f32d3a7657915a5e66305ea382cd6321fd0c279e7c0c5060c31e0f6cf38e6194f849d81a1
-
Filesize
1.3MB
MD57891795625d224cd35fe9fadb3ace8e2
SHA1c960617286cb42522b2746f7262a5cbd16966b9d
SHA25617b62a1bccfe17cd2d4e577b6b0b123a52e5075737427088978a15938109b8d1
SHA51290661aa2e99f848413ef4a4de7b04939d68bec5f73b29736a2a2e95ea0f4ae73e5b251e817d41e0ae02dd1d49ca2c42ed712b22ef00773f1f46a348d4f494d88
-
Filesize
1.3MB
MD50c77be11ca46ab40a4c994d61a35265d
SHA1f8d232bdef63c05c468131bc458807f8d0a47331
SHA256c4fccac0350ff14dcb9f29e3e24d453d415b7df9ab054e21de276ff948bebf18
SHA5124f8deb08f38a90a95b3a5813564425ec751a6ca884f862a3e5a0f3b74e8441972651d12ea7ea375794c69291a6c730ffd9b13e73580cb49cca456b8725d89b3d
-
Filesize
1.2MB
MD5fca81cd35f7338bec66a3643844b7b19
SHA1d73fc08096deb0438c6e7383c2dd0a9941d3ed38
SHA2569c5ae7897422d4ed8184aef08b98c7598d1fdd42a49be4edb6cdfea02eaa4b7d
SHA512d9aaaa830a84d71acebd123a5a98cf2ef04ff5b8ed8d8a4179c267f7039019c5b244a8dd00db65fb11e3842d4e8de48b2f62405cd4df4ab1de708cf2b09ba1d4
-
Filesize
1.3MB
MD5949833228aab2e0d633adc107bc43123
SHA17bcf354fe199aa0e9b453104681480731618f737
SHA25620c261686f12ce4fb3b6cdd502ac84ca5f4325e894e9f785c3c16048eeb8c826
SHA512bd38adc26efe409b9ac1e63aec75d22bd113fe2a378f076ea1ad32ca2410c627c8ff21be481a6f4b801fe084345622c25e3b02296ebec610ee47239643a73cff
-
Filesize
1.4MB
MD537d32b029bec31d0f50dc6923cc515be
SHA1023afc5fb3c2ba13eee80491e69e4e374e3a73cf
SHA256dc5dc4c58fc4434f688e7ead47131eaff950074106e52e7292102491bf5b00ee
SHA5120a827625574fd234c960e6a952c41db412e9f0bc550715c8f92d41dd52817981ad66bcd8d487c9e2f3495e835fd25ae319745b499d8e03ae9f1e93f03c68ae5f
-
Filesize
2.1MB
MD5383f5b3029cf68beebbea57aa8be01ee
SHA10170f06a70a5f334e95453317be541b59a708a82
SHA256c50862f016d8e979de2420577ba123711e60dc6a5c827b8c78029b7a6b360230
SHA5123bc0437da270bec46c6038be448189409067e5b088ac335adefd9a43ca0f5a79cb01ab39506dd770997535abbe407238ea671bb755eff0f54383c05317f2cb2a
-
Filesize
40B
MD5440112092893b01f78caecd30d754c2c
SHA1f91512acaa9b371b541b1d6cd789dff5f6501dd3
SHA256fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6
SHA512194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea