Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/06/2024, 17:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
- Resource: win7-20240508-en
General
- Target: 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
- Size: 5.5MB
- MD5: 14d08d46bd7e324c58a1162b75cfd126
- SHA1: a576dcd6f5889c4cb8c5ed681466e53d0abfa4cc
- SHA256: df54c8c36328948a77df913e7f1edaa9d36bef9e728f031f6f6b7680faca3027
- SHA512: 618cdb07f1d3efe9d3ee64063840f2f8e060d325c9810d6a66e8fa9299a2299e8dde5123ad61b1a379fb42bdeb9e2a5edbf1002532df99d9cc013cba5e344465
- SSDEEP: 98304:dAI5pAdVJn9tbnR1VgBVm7U7dG1yfpVBlH:dAsCh7XYuUoiPBx
Malware Config
Signatures
-
Executes dropped EXE 26 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 25 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c734a83127bcda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1488 | chrome.exe
1488 | chrome.exe
1680 | chrome.exe
1680 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process
1488 | chrome.exe
1488 | chrome.exe
1488 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1784 | 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
Token: SeTakeOwnershipPrivilege | 4952 | 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
Token: SeAuditPrivilege | 2400 | fxssvc.exe
Token: SeRestorePrivilege | 3748 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 3748 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 3620 | AgentService.exe
Token: SeBackupPrivilege | 4876 | vssvc.exe
Token: SeRestorePrivilege | 4876 | vssvc.exe
Token: SeAuditPrivilege | 4876 | vssvc.exe
Token: SeBackupPrivilege | 1720 | wbengine.exe
Token: SeRestorePrivilege | 1720 | wbengine.exe
Token: SeSecurityPrivilege | 1720 | wbengine.exe
Token: 33 | 1332 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1332 | SearchIndexer.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Token: SeShutdownPrivilege | 1488 | chrome.exe
Token: SeCreatePagefilePrivilege | 1488 | chrome.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
1488 | chrome.exe
1488 | chrome.exe
1488 | chrome.exe
5828 | chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1784 wrote to memory of 4952 | 1784 | 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | 82
PID 1784 wrote to memory of 4952 | 1784 | 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | 82
PID 1784 wrote to memory of 1488 | 1784 | 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | 84
PID 1784 wrote to memory of 1488 | 1784 | 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | 84
PID 1488 wrote to memory of 3772 | 1488 | chrome.exe | 85
PID 1488 wrote to memory of 3772 | 1488 | chrome.exe | 85
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3680 | 1488 | chrome.exe | 112
PID 1488 wrote to memory of 3476 | 1488 | chrome.exe | 113
PID 1488 wrote to memory of 3476 | 1488 | chrome.exe | 113
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
PID 1488 wrote to memory of 1492 | 1488 | chrome.exe | 114
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1784

    C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 4952

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1488

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5a4eab58,0x7fff5a4eab68,0x7fff5a4eab78
          PID: 3772

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:2
          PID: 3680

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:8
          PID: 3476

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:8
          PID: 1492

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:1
          PID: 4128

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:1
          PID: 3920

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3916 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:1
          PID: 4616

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:8
          PID: 5584

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          - Executes dropped EXE
          PID: 5600

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x2a0,0x298,0x288,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
              - Executes dropped EXE
              PID: 5712

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of FindShellTrayWindow
              PID: 5828

                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x14044ae48,0x14044ae58,0x14044ae68
                  - Executes dropped EXE
                  PID: 5908

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:8
          PID: 5952

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 1680

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1912

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 1056

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 844

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID: 716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 4568

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1564

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 3520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 508

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2328

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4796

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4636

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4584

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3364

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 3032

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 3728

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 3748

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3620

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 4444

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4876

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1720

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 1688

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1332

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5324

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 5440
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 2.1MB
MD5 948655463bd5e46e4f53f16f404ff713
SHA1 dfa89f899c0f6a6a36655a38e23bf345e98cf4f2
SHA256 814bb446eea4ad33d5dc891cbade0fe58e8c795beeea21419434077b61454971
SHA512 01cf5628d504e69c12875f9634dc9c561e19c8ea7c55f7a350c4bfacf478fe90782c3974cdd76927d085dca7b9a0eaaa1dcc4e85d42c48d8c381a1a88bf443fd

Filesize 1.7MB
MD5 a18edb99178cec59bd41d043b973115a
SHA1 553a8834d1ed7adb4cfc2c61fe10761a32778053
SHA256 5ea4b1bfa45cf45e8dee7ebf2203741640908381bab7d7cb26b9dd57c3db6e38
SHA512 9666c8812b2253a1a3a8f7cc828b92a852a8abc100e688d77f5cf831c9338ee7a726257a91465099534a260ebbdeb0707eeb06e0d4c59868592ffa8b1693076e

Filesize 1.7MB
MD5 fe28f8a05d14c113b7c29321db661382
SHA1 37013a18297303314b9342dd579f13910a852841
SHA256 c9aa8a7db489e8366e990a93e8d5aef07c7d0f0f331440ef824c18865e28bad9
SHA512 3aa0511173fb1b56e6ea9e057a4ff6446708b828954229d12bb842990923f16809234b29e7631042c38b3e3ac8260cc1d91065cb771d2816a8a636ff40eacf46

Filesize 5.4MB
MD5 e97ecf726eeb711822c700e550ab220f
SHA1 cd0e566f6036c35fc2f2b3a3712438e6eb89c530
SHA256 2164d7164a3356ceaae06c2b30849d601f9f252a8606e2dddccd870432929ffc
SHA512 a5cedfa9c26ddb0e2b0dd04f33a0a255b2e3e0085acb27a6f79f4fc12a8390be364d38b66590112b7a10a6fc423d6bdfd802b9b3e4f59bbb119334ca464e055f

Filesize 2.2MB
MD5 eae289476278e8dfbaa4ed84686d4b10
SHA1 4236d400c86b729263ab73807bd09b51bf7b793e
SHA256 436e72421f8d8d0910f964e1995d60b60d078e958f63db31e31c207ab52aee8d
SHA512 b3648cb39b82b3569abdfc3b447b458da9609d3a1551600986b2983efb70321e978489065d8a2b6454f9f014a464b1a6ff394df0562f8bf75a8d52ed0707a323

Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Filesize 40B
MD5 2cd879c3b1b25f881f4b7ab71b67a095
SHA1 e8c477526bb5bdddd659fdd44606060d83e703ad
SHA256 d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a
SHA512 95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Filesize 44KB
MD5 64b4c3cca1f8c5dc777439bc23cf9a68
SHA1 5bc003bab7e5171043d8dad29fd613b37cb187a7
SHA256 6cd6d31addb6f31fb26918d798e8bb9e0eb801d447e26d2e27cb7c65e48e2242
SHA512 14cdbf6709a012852bbb04178a6d02491799141b7552d63b70cfe877ccde3e233fd86c7d0c2bc40f3edf28b68d4a273f1ee57dd324a0b3f9bbae8c87ef603e12

Filesize 264KB
MD5 cd73efed37e42cf889ad0d96ac4de583
SHA1 68c76b01f8d74a71b8a420d599e72b1971c52831
SHA256 91ed963430c5eb419299f1a0dcfcb62f593e981d8f9dd1949c2238dbc768ccb7
SHA512 56eea03b30bc739a261031ffdaede0d78f2677e4b7f84eb1c4e5be1a4d89d6fb2f8f7c3785d150aca0ae901e0e114e3a3f55861686ed2dfe752557d3190069fd

Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize 5KB
MD5 edb4bf2ca7f7a521c6606588bf7b5e99
SHA1 907d67b1fea9d1d66d760d3e9592caa581119c1e
SHA256 feb3d34e527c40ae964a6ee77e310ac7795e3b629681883449fd01d9b93a5001
SHA512 abbbff9af0fadcb4e59ff9d234dda42180aa8901e22456586b5d66179f39531a673cb5dcf8baa38e111028391dcd8f871386f34169cf13fd67f9de1964dfea15

Filesize 5KB
MD5 cbaacec3a01e966988abe4897477c995
SHA1 4c725e345cf9bcaee71241a5621a311e4446aaa0
SHA256 eea8b9223bc8aed23a3193b2c7975dc80a3f0566e2e6e4b2632be884c996dbfe
SHA512 849f5c848f5e91562099e76d73e2845d3d6dcf2e923f36e87eca4aa4d3fe6158bd329b904612dbfb8bf95abe00c07c6f8cc30ee811477165f42104a8858d5dc3

Filesize 5KB
MD5 535e91ebd755c30741f0d381cc3f2465
SHA1 dc7783345de5b0438aa69a50be8b4e21972ed871
SHA256 b6435dfdae21da06ff49228831b0e925453926f0e10272b7c0c460fb5e58984e
SHA512 9649a22fb5e42643c095f6102bd7989beb3935921c1c7bccf9ee06b945058889bfbf0f1c83a9ee4db2446fa01074291d583701325ac84268cc32f02d8ceb632f

Filesize 2KB
MD5 1f497c78bb1cefe5fae1f2d3e5c467dc
SHA1 12ec3f79d43fc239252d3812f8f0c2edc492bc51
SHA256 e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc
SHA512 f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Filesize 129KB
MD5 3a8dd9da54cbadbf4b3d68f6da6cc048
SHA1 e753947c4c40e5e5f6f8de9b466e4412eda7e07d
SHA256 9e21d2b29fdfa39660ea9faa77d5fb24da108bb947ef5804073a9184f2a028dd
SHA512 eaca386041fca535b6c432d9705f9f53928a51b7db2ca3a11c7d84a8787352cd03c0237ad151dcd979ee2563337130f07682b0ff95f9f901addc52e77f4cb367

Filesize 7KB
MD5 4bd7e3fc295383805ab4e7c9d141c43b
SHA1 72d006bda7eed950662c7366152998fee5bedf8d
SHA256 987e92177309d6cbae6d199dcbf12866a104b14336d7e4823b40345d45fda9d3
SHA512 79eca89273e8f36705992128ef0499f92229ddca8eca7a0ecdc9dd02f5a0b95696042f5f2169ba244714117169c17771d4c3758ea02039985333b2eb622c0c36

Filesize 8KB
MD5 d2f65dca6ea93691f77f6f3c8103c572
SHA1 320b334def778e7cc8c0e44b33ddd3514b5dfe40
SHA256 6e578b17a5653f42fcd1bfba7e4d425efba8ab683814ccbce66aa12803076efe
SHA512 52a5c77d90d5f9fd6d9c4490a4fe0de6cb1c3fb1476b1f91f04bceece28f2b2598573f094f2608f0401b06ed478ab3cf3b82a67ae5cf576fdb5635198705eeb0

Filesize 12KB
MD5 55189096f09f854a817f8cf0aaa146b2
SHA1 7cc1fc44a92fdcdc66d3c2356e03a31ce87d18a7
SHA256 dc0b0ca4c6b6b6dda201bc9ff94347b8b52ffe4cab87edc3bc73f1acef128c97
SHA512 6a0d37aab97646f0709b09d215c4262bf1639cc6f2f9890ac1a2c07883d4f52486250d26ace5200577dd9a9056490eb074b24273c6676cfb469d0949771f9d9f

Filesize 1.4MB
MD5 5ff1fb764509f6f04ed23cdb41bc0fe2
SHA1 2eb3229c2a4d3129cda60e4418fd1f82415e3ebb
SHA256 b3cc45e519f378559658843607e62ffc7e6ab376c9f8f91f25fdc2172744bea5
SHA512 dc707e557d006bf1cea835169a08f75f925d663754f15b73abf52f23255a2b8dae3ba4ae4dcba86cef428a755c3ec56f7d7880e67114d7ee580ed3003baec601

Filesize 1.7MB
MD5 6a2b58e972b696cbcc2a8db8bc6f285c
SHA1 3b8b4825e9cf8ff3536f039024ebc81be0f1d8eb
SHA256 c9615180692b42398138cfe6668bf2659e22216a7cd00fc1722238379748f6d5
SHA512 89809e8d6537f67927188a913a3965c93da8ea66dbada43d713c0a3d5f92e007e0c1e9dddc94f24183f26d8f90a6136b396b41ff5806f8b0f717846d9b64ddb8

Filesize 1.5MB
MD5 bd286f5c979e7defb0408f3a6b50b7ca
SHA1 33d25ebd3473eaf26f8b1f4ed9f55e01dfdf3e09
SHA256 b0de17629bc39e4b0a498b03a30c04f41c1b3c2e15405ffb345d3b14f88db91f
SHA512 4cf3cfd00072441efc09d3e60e2a2abc312523434706edb62f7b8fc12a85a9b051bc24ccad1c7b0fa477479cecbdb8f9923bcc9da9549484bc0acc7c5577a8e1

Filesize 1.2MB
MD5 14df5d71b03369a75dec99574008bdc7
SHA1 d1fe7fbc7ae8b7eb14cd47cde7b8affd31842375
SHA256 bc14324b51bda2b9b2504306d6f64515bb4ae2f02d3b6f21df57ef37fc00a899
SHA512 68d3f1bbd0b9b5f1185275ee9bc98c7ee0451d659308bbbb281783139a3c66d1799b128bb7c5ce8f627c6f20a018193f06034cabbbb37c141200c2233fcae390
-
Filesize
1.4MB
MD5e0270c292758ca1ab7a5e3afa9b63deb
SHA1efeb9ff668be67932ded67297f6a651923a264dd
SHA25638de34b68bfa25107b08839774dea30d8bdf5f1f5b757b78ee172f1cfda3a830
SHA5122d851bd9df486eeadb578bb749a1f8c3f7d264927f35b600c358bdc790451da3f863fb9924bf3041957cc8ccbf31f5a93b97929520ee6c007f5ecf73f241c0ef
-
Filesize
1.8MB
MD5e767248af8af5e2457ce72d05f46cd22
SHA1c3d9296747ede9e56018d2058a2f90bb33bd1e9e
SHA25671a53bc7c71401b589eeace74f92985788faa9058ef80358704632e8b677efc1
SHA51271df2faee29c3495bbc548b89330dc4c37ddc9ab8f850fa3e8cf4d87d28442b6cbb477f78a054e2b54b81741a992d0351e5a7432817a958615d9d9e3d8bdd45d
-
Filesize
1.5MB
MD5ba9ed45e6a32567bd41b9aa71efa2989
SHA10c1ba0ed0cdd5bab4f874950869feb9f6afbf656
SHA25691e282a6f61ef7e1263922401dda2fa05817351970d88ac7ce440e53c5cd3b5c
SHA5122c7f1f92af840fc0b34cac2ebb9ca8cc788f85b1000ce3b47b691982cf1b6dfb57b1b36182a5b56d40db88f3b096872782bcb2788dd36effeef4a323dd4ded3c
-
Filesize
1.4MB
MD518fbe8440fe2067413eacb8608a70cf2
SHA143b9930b66edc36b31847a75a77212c7af76defa
SHA2564f1a09a52d5d91f6a96ffb092a5dcd44845f0da42aa4983562a8cbbeb8711d94
SHA512eba871449722b16442219864fdc3a1e8275b29c44e359ec69cd6bf579f2dcadd27805299878b6139bd401d44633bee261096d33546711c4aa99c1a78f5e39fad
-
Filesize
1.8MB
MD5fc5e816f1c56874792401c12b0afc2a4
SHA17c00238750a4234a60ed3b8162a8cbe25c0f1cfe
SHA256e518e98fe573e0a28e1c5f6a405ba2c48d3e2fc77a8f474d28083042df14408b
SHA51271a90247b1693413b853ff973e1c455778b4f609ad3d3a97a54921bbc3b7868cbf5bf4351ab1de6d863659950b21cd6475e9266f405cfbc529ed2a05d6e3583c
-
Filesize
1.4MB
MD5119331fa89fc1a8ae984a8c26fd58116
SHA1ad1c8858d315260041d12b366f0ce6e5bcef848f
SHA256aa5358ddd9edf4f5c962385f9b76b7eff448ce2c9125d8d2702127ba4db0aed0
SHA512118a10723ebb091051453143f255b69121b6266d2292c9482990107aeb7ae7c3990fd858c905cd4b847697a1b713f5d59d2a08e61b3eed6bffa7d7921164db4d
-
Filesize
1.7MB
MD527a2b3524a0bd63deb99cbfcb1f7f053
SHA136fcc2b6cf7ff4d7141856feaec819ec637d1929
SHA25614067f83c19e46ec5386205aeab2d727b60657263f1122d8be36ea19efdf658e
SHA51272d535d5d59e57e1ff0960cd7f226cf783768372f8a284efe5805e55a7d07725acdefdab4fcef056c61862f93cc1fc854d4677821f3765444ca689aceac94f91
-
Filesize
2.0MB
MD5bb941e6e641ecd97f7e9197479c5d1f9
SHA11ca8bb4bd39ab6fd32feb4c4ba187b9e12fc4446
SHA2568c16a3d7b86fc78dcd9ee09dc33c73e690b8baa222fe36f2f9c7c59343141030
SHA5120857420c089dd7bad66f378c190c295d54be6cbc4fa62778915d9c62b5c8174e1c0691995bf21434240a8bae6a21b27d72bf1400b1d014d749b88b4527ad2ddc
-
Filesize
1.5MB
MD590081004d72d41d4ad950e5235ba77d3
SHA16a4b1c14138175dfb192cef262537165f69c630b
SHA2565b81603c9eeb974ec45644c3f7b3044d54f211ef03bd50669b485472fa51341c
SHA512ec6b9222235239420329b112ee73cdb91b94f6e0ce25186a2c978ab63ed61a017363eda4a12dc7c975382fbb54b82c6c5c127c3b4a73d065dcbfa35d00601a7c
-
Filesize
1.6MB
MD586988a50829a6395696d1a217fffaac4
SHA1b393d15e1a023f87371735daff95e21bc39bd350
SHA25696eb22116ad693f3f3b9f3d869ffae23cb524f2415292f1af0178cfd28598efc
SHA512e91be88ab3c5b7ca462ed55acb7a70f01b8897a9e172b2a75d4b319ed7297a518921f1e43eadbca1d99ab8e2dcb9541ab4a473c3fd2149d64a9707d70e956123
-
Filesize
1.4MB
MD53e34698ea63eec7d8b3b18a73a9caca7
SHA1029a096e8082fb82dd97eb9148c60cda223a852b
SHA256eb97dceb25e63629bec71868de33c6047b9a4b4e13196564bcf79fae35146651
SHA512b92be5fcdf3a2e28934fe49c709c33f011ed467c9886168663d018f68179986c8e515584baaedc6f08ac4a60ac2ed6572ce574fa76087ef54d7e11bb65230f9a
-
Filesize
1.3MB
MD58f85b3d1f79bd9fb76f509bfc48bfc53
SHA1ac675ef6ee2696cb0a06b01874aade53513b4055
SHA256caabf3e7806ccf56f5f143747ed265dfa306acb4b4d0cf956cb6092c84592a54
SHA512cc07f17d337fb8f804240d97103b7e29b6a851efa046beb77ee577c6c26d3c4a3309e0ce1275373e060065da9eefde518945ea97549a195dac88296d0af2c519
-
Filesize
1.6MB
MD545550e002e40b689fed3119d006d1180
SHA18eb04d3e55e9ae24ffc68e90544e31ab0abb557b
SHA25646f2962c90b24ee96fddd32182ae14719fc3075759752554ede4edadb8c74b56
SHA5122d8813c00ee26a6648119e2046418e2688c5849c8cbc3ae2656c1ecd6ff4e6c059154a656d3666e701a939eb67aa7cb18efe09cdd3d1e0ffcb30b8c210756142
-
Filesize
2.1MB
MD5b2faf9a0475f9ad73802ad890c95fef7
SHA12cd3ef0b82c7c1300e2518f268221fe7e5ab09d7
SHA256a1c5ec9ab2a177b4d2d717d25597a82c24a1d7e758ec953f40ec34eb1f896a96
SHA512df7364580a988cfe0dc08240496b84b7d1cace3d52c9437a75fe525bc62d81baa4cb26b5fdb833ba2eaf21eb3ba23c9e1d1fb2469af7926b441f9cf65af7a49e
-
Filesize
40B
MD5b2c359ffd4bf582baf62f6e8adf87a6e
SHA18e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79
SHA256ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d
SHA5121b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92
-
Filesize
1.3MB
MD57ec4709cdf2015ca26075313309da235
SHA17b4f799b8125c2f472f06cedb8ceb72929bb430b
SHA2563e9c54bed4c838214a5b1a091abfced8de43d52ea53035a4a7d1fad2abbedd74
SHA5120cb788f2ed01254f64078d053b6104e09e68028861b669d3358e428c5339c88f0775560869c1b3445d440776a708fcfbd1df7b4df32673e0396da7718bcc2e57