Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 18:06

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
Size: 5.5MB
MD5: b9f84dfc85391aba7e487dabb54a724b
SHA1: a098d42c1b156823404d05c4622ab2eea6734c11
SHA256: f309b77c920b5a5fee1011c77c7540196f27b5b73745f23f5ee2b02db25cde31
SHA512: b69684d796fbb93c9e830b5e233601e6b595ab62e7bf7e064503461f9ef4c0958faba8686b5e20738568c5b914f8666793862f4843a63a2a4d7b1e1ca3a5d617
SSDEEP: 49152:nEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfa:zAI5pAdVJn9tbnR1VgBVmE/iyB
Malware Config

Signatures

Executes dropped EXE 26 IoCs
pid | Process
1140 | alg.exe
3852 | DiagnosticsHub.StandardCollector.Service.exe
4864 | fxssvc.exe
2024 | elevation_service.exe
440 | elevation_service.exe
3664 | maintenanceservice.exe
2120 | msdtc.exe
4028 | OSE.EXE
4748 | PerceptionSimulationService.exe
3144 | perfhost.exe
3952 | locator.exe
2100 | SensorDataService.exe
3328 | snmptrap.exe
3544 | spectrum.exe
3040 | ssh-agent.exe
3148 | TieringEngineService.exe
4868 | AgentService.exe
3760 | vds.exe
3664 | vssvc.exe
2748 | wbengine.exe
4216 | WmiApSrv.exe
2116 | SearchIndexer.exe
5372 | chrmstp.exe
5548 | chrmstp.exe
5768 | chrmstp.exe
5720 | chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\7a3ef8fe1ed82f9f.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a613f32d2abcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6f8992e2abcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ad6352e2abcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000274e0d2e2abcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000169c1b2e2abcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2df022f2abcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626028193119657" | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006801e02d2abcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
2148 chrome.exe
2148 chrome.exe
6132 chrome.exe
6132 chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
2148 chrome.exe
2148 chrome.exe
2148 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1316 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe Token: SeTakeOwnershipPrivilege 848 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe Token: SeAuditPrivilege 4864 fxssvc.exe Token: SeRestorePrivilege 3148 TieringEngineService.exe Token: SeManageVolumePrivilege 3148 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 4868 AgentService.exe Token: SeBackupPrivilege 3664 vssvc.exe Token: SeRestorePrivilege 3664 vssvc.exe Token: SeAuditPrivilege 3664 vssvc.exe Token: SeBackupPrivilege 2748 wbengine.exe Token: SeRestorePrivilege 2748 wbengine.exe Token: SeSecurityPrivilege 2748 wbengine.exe Token: 33 2116 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2116 SearchIndexer.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe Token: SeShutdownPrivilege 2148 chrome.exe Token: SeCreatePagefilePrivilege 2148 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
2148 chrome.exe
2148 chrome.exe
2148 chrome.exe
5768 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1316 wrote to memory of 848 1316 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe 82 PID 1316 wrote to memory of 848 1316 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe 82 PID 1316 wrote to memory of 2148 1316 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe 83 PID 1316 wrote to memory of 2148 1316 2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe 83 PID 2148 wrote to memory of 708 2148 chrome.exe 84 PID 2148 wrote to memory of 708 2148 chrome.exe 84 PID 2116 wrote to memory of 4228 2116 SearchIndexer.exe 112 PID 2116 wrote to memory of 4228 2116 SearchIndexer.exe 112 PID 2116 wrote to memory of 2672 2116 SearchIndexer.exe 113 PID 2116 wrote to memory of 2672 2116 SearchIndexer.exe 113 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory 
of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4700 2148 chrome.exe 115 PID 2148 wrote to memory of 4180 2148 chrome.exe 116 PID 2148 wrote to memory of 4180 2148 chrome.exe 116 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 PID 2148 wrote to memory of 2132 2148 chrome.exe 117 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e7e7ab58,0x7ff8e7e7ab68,0x7ff8e7e7ab783⤵PID:708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:23⤵PID:4700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:83⤵PID:4180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:83⤵PID:2132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:13⤵PID:3424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:13⤵PID:4196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:13⤵PID:5648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:83⤵PID:2536
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5372 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5548
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5768 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5720
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:83⤵PID:5588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:6132
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1140
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:3852
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4276
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4864
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2024
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:440
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3664
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2120
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4028
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4748
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3144
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3952
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2100
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3328
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3544
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1460
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3148
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3760
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4216
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4228
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:2672
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD558dc8ccdc18b10c08ce8d4a59116358a
SHA1d8facafd6af7d2549a458849ca3a88ddeb25a76b
SHA2564ec96458299de5108ec44d150d3c2a62979138bb9688e36da329d0f246e83ec6
SHA5126daffefaff10753d3d60a58022d789bfeaf597ec9fb4c4a6067c3e09d88c75c7ea40c23dbe73f3f48860f7b9c02e14e3bceb4fdcf096d46d988d11b5964cb0e3
-
Filesize
797KB
MD5500a64553c15aa9bbcf424b2476b1277
SHA10722ed76e8f28fa33055016ae6235e9196f692da
SHA25604731a7881efe50907f7cf98b91f57f84edef935aac84758abcf784bb86be234
SHA512986b87860e989ac55cdb508e166e99ba1b0df4354635c04f3c83e59b51442114ed8be448df0f18edb9d357f585f4e164ee1266d9a650da10187ae8c7c731a647
-
Filesize
805KB
MD559dbd2354c6ebf2cd05faa52964a88a6
SHA1e70da277126cdf48dee49929c72c95d4e96c0186
SHA256dab6c70b095a496f71130c23f0f00f68d79d00ba3d2469f8c34c1bafe9bc358c
SHA5122fec1170132b6e65227e60ca8b29985783a878948473aa404517820c703fe66bd71cacaea88237d85f1d879626c3999a2d164ee6202d2f9fc79e52d903cb8987
-
Filesize
5.4MB
MD5b6cbeb708743b55ac082a6d9f667760c
SHA1e6cc17d5ac921aaa56ea60c658450f3158a17b59
SHA256417391f22ab7a3599db23e652f9ba74a182de0da23e6d992460ca804dbcd779d
SHA512f32ddd648a79ab6eb00bac61f6733d179f71ada680dbfddbed713cb3be0b33da05e0e3caffc82430a16c122177289af45cd76518308228896c89196b79574068
-
Filesize
2.2MB
MD5949ff97675cd52214d2fd6b67e0db716
SHA1e4be5796148fe274c227fbb7182afc16f7d708c1
SHA256b12fc039f09afb1287b61c4abf42e8291afa41490a795b42429762ee16e09e2f
SHA512a8a388cbcfd190236f5ef14f2a2c01541b86ad07a83910b558ebe9ddec08812e91e1cae2860c24d8b5c99d98de4c11ece3a0f29d30d93541b2127e2d49fa6526
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
40B
MD50cd429098412849541cb95afaf497de7
SHA134fcdc8c1708981ab8e69a9ccc50ab898d7f7df3
SHA256d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a
SHA512955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
5KB
MD5d4caf9bc6793eafa4c3fab14a1f894e6
SHA1d6d5e54be48681cbbb49c4405a399e362b30b252
SHA256a21b7805a1c09e994e0b02cec1611027d51676027d5650e8eabeb0c18c10bac7
SHA512c359599f9d4b394a1ad827ffb00d108df41d2952afddba705a2adae4426bcf1c2a7354b7622c8826ab9890c63f42ed3c1286af474d88b2587d471ba66be021be
-
Filesize
5KB
MD5cc0d68ba14563bc01a51cd9d022d6541
SHA153344264a22d28f6abd8024a03ebcf9a81566a7e
SHA25621d102ed03906e8418ec8923e9d2575fc14e81cb6ff7e7cc33bd315b7d0b3927
SHA5125526f03b5cfad87809446ad3837cdbfe8f6df8c8f29f5600b470c68bed2d2d5cfa244fc95b59b9e8e74fac556b01525be033dc1938db6d47de8a0a638e5fa9c1
-
Filesize
5KB
MD5eaeb58821efd67047b3f9c963aa74249
SHA1d3b2f798d35c912320e6d6be835b9146f5352e56
SHA2566afabde8d25227aa8bb003143aeb13fc0626b85ccb26765c8aed5b0d8bc6548c
SHA512135034d009d6817452e0bc20236f46a7945b5e2324d4831c6c40357bccf70d8054cbcaa119950585ff1667f861d25ac953055b46013f4c5f887bb9175107bc17
-
Filesize
2KB
MD5411ac782e18a3f8947b5bbdc13773829
SHA1d9a709bb6b79ade9df4024e8fb6e36190070bc21
SHA2560217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb
SHA51203cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d
-
Filesize
129KB
MD5f7fcb07c41d10744e01ef2fec998ba3a
SHA12d823fa267245bd38246556a991eb6b5e71dfe59
SHA256e0a7f3056380089e69c45d9edfac8be1ec3c6ac3027a93ceb8bfddcc94b0ad8a
SHA512452f3db8413daa91e9dc3867692e72debdb1aa7f0e051572c05829d9ec1144b4b1696d5d0982bf9bb44064c0e6a994ade58072728b9f6b78f0aebf7f0ebadc87
-
Filesize
7KB
MD579b4acd8efcd9011ea765049c466d85f
SHA126563ce4b8721cd39c8ec2203d8c14551d6cd60b
SHA256b15d312c564d5788a10ac59c9c0714f852440866aa2cfea6d5036a1786ea28d0
SHA512f574ec2dc905284d7bd0cba6077454ce8c00939183cebbc9a1759381fc3355a79191aefe5405c9fe5468bb6d2668e779bfa0854a399e06687e7b123c736bd2a3
-
Filesize
9KB
MD5600d3ac91af811507b1e4f708f9c1b5f
SHA1ce8c2ee1421a238ec763e5de2fb23b3665df5a31
SHA256eb64d5e2280aa5a1f97a4e87057feed9fac849ba749deb7baa1a4ebcf70e0522
SHA5126ada0d15dd0e06f834930ef949dd9ecd8ef82c3b39530f78d111c58c3cde724185cfbf21e95b90e94b0ca41b4e45de6471ab58458445ac436acb779081dcdaf6
-
Filesize
12KB
MD50726ccdfddb6c334c98dfbf296be3877
SHA13d2e4e3d3a3df07984b201320ae07b65055d41c8
SHA25603ddabbcd65bbb103111bdac2b742bf50817d0916a2a14848c2e00beef81a788
SHA5123396541ab2ce63e65da8a3805e62f20b19648353d175d373298b3780b332d7eab7ad9a6dac6a70912da9a1d5144de1ae7793fbfcc835103b011cc33c32b586a6
-
Filesize
588KB
MD575d61616089bb1b73b46eda353f21fd1
SHA1f9983e291990592f485505abea3309afea8c81fd
SHA256daba13268f0b0843b5e1e845c6cc5e10bb00ab6681eb00a0010e531500fe4657
SHA512a38b509695c61e56de3a24b667fe09b8811d619a128a173a59f6c8ee4b5bd4e1e0724217ba5d26d8b21833dead81922fbb6aa98687054d46bf898f7d7365ed63
-
Filesize
1.7MB
MD580a54d8e44e7325d096d8f7379a5d2f7
SHA1f7330c486a48068a21570cf94c251282430fc473
SHA2569e8dac8171d47ab7515b7f4145015734229f83209795a2b5f1efdc0487f5ff5c