Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/06/2024, 16:50
Static task: static1
General
Target: 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
Size: 4.6MB
MD5: 98782e5a1ff07499541f24473553bef0
SHA1: 876af4e3631e267d73182915db34993ea855edc2
SHA256: 85ad9534fcce96cf6c5c552a16caf7477c09182b66642769ba7c90d89024ef80
SHA512: 1e696526fddcb911f029ac5b831f898411b4a39459ade10f5937b36ec6a27bdc1d0f1352c1dfec9ef5a26f911236e14308645c866de8d85540118ecd8a4f5128
SSDEEP: 49152:4ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGX:y2D8siFIIm3Gob5iEkehgL5
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
pid | Process
2688 | alg.exe
3128 | DiagnosticsHub.StandardCollector.Service.exe
2336 | fxssvc.exe
3232 | elevation_service.exe
4636 | elevation_service.exe
4908 | maintenanceservice.exe
3360 | msdtc.exe
1048 | OSE.EXE
3052 | PerceptionSimulationService.exe
372 | perfhost.exe
4844 | locator.exe
1344 | SensorDataService.exe
4924 | snmptrap.exe
3600 | spectrum.exe
4012 | ssh-agent.exe
1952 | TieringEngineService.exe
4248 | AgentService.exe
4888 | vds.exe
3836 | vssvc.exe
3856 | wbengine.exe
3768 | WmiApSrv.exe
540 | SearchIndexer.exe
1544 | chrmstp.exe
5468 | chrmstp.exe
5612 | chrmstp.exe
5704 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\fef093604ba38143.bin | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{939A4C0B-9326-4B5C-9760-544EC9BBB40C}\chrome_installer.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b908d8844cada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7bc9f8944cada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a847a98944cada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3f08f8844cada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb88098944cada01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cec8a78844cada01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079dd9b8844cada01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000332e8b8844cada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c733b58944cada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab419e8844cada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4920 chrome.exe 4920 chrome.exe 5408 chrome.exe 5408 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 664 Process not Found 664 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 4920 chrome.exe 4920 chrome.exe 4920 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3040 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe Token: SeTakeOwnershipPrivilege 1144 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe Token: SeAuditPrivilege 2336 fxssvc.exe Token: SeRestorePrivilege 1952 TieringEngineService.exe Token: SeManageVolumePrivilege 1952 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 4248 AgentService.exe Token: SeBackupPrivilege 3836 vssvc.exe Token: SeRestorePrivilege 3836 vssvc.exe Token: SeAuditPrivilege 3836 vssvc.exe Token: SeBackupPrivilege 3856 wbengine.exe Token: SeRestorePrivilege 3856 wbengine.exe Token: SeSecurityPrivilege 3856 wbengine.exe Token: 33 540 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 
SearchIndexer.exe Token: SeTakeOwnershipPrivilege 540 SearchIndexer.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe Token: SeShutdownPrivilege 4920 chrome.exe Token: SeCreatePagefilePrivilege 4920 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4920 chrome.exe 4920 chrome.exe 4920 chrome.exe 5612 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3040 wrote to memory of 1144 3040 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe 83 PID 3040 wrote to memory of 1144 3040 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe 83 PID 3040 wrote to memory of 4920 3040 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe 84 PID 3040 wrote to memory of 4920 3040 2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe 84 PID 4920 wrote to memory of 3020 4920 chrome.exe 85 PID 4920 wrote to memory of 3020 4920 chrome.exe 85 PID 540 wrote to memory of 3032 540 SearchIndexer.exe 112 PID 540 wrote to memory of 3032 540 SearchIndexer.exe 112 PID 540 wrote to memory of 3356 540 SearchIndexer.exe 113 PID 540 wrote to memory of 3356 540 SearchIndexer.exe 113 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 
3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3144 4920 chrome.exe 114 PID 4920 wrote to memory of 3988 4920 chrome.exe 115 PID 4920 wrote to memory of 3988 4920 chrome.exe 115 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 PID 4920 wrote to memory of 2164 4920 chrome.exe 116 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c8,0x2d4,0x2d8,0x2c4,0x2dc,0x1403796b8,0x1403796c4,0x1403796d02⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc808aab58,0x7ffc808aab68,0x7ffc808aab783⤵PID:3020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:23⤵PID:3144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:83⤵PID:3988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:83⤵PID:2164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:13⤵PID:5028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:13⤵PID:3692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:13⤵PID:5288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:83⤵PID:5372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4228 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:83⤵PID:5448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:83⤵PID:6072
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:83⤵PID:6124
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:1544 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5468
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5612 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5704
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:83⤵PID:5644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2552 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5408
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:3128
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2172
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3232
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4636
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4908
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3360
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1048
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:3052
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:372
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4844
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1344
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4924
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3600
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4012
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4076
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4888
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3768
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3032
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:3356
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD56b6724cd5e7902eb0c2b4526c3328fe6
SHA180616eb177f5ea4bff538bc0fc5f357fc46dd45a
SHA256cad5f1ec7d1341cd5d3d779e7c8a89fd5f882516bb9b4165196ff8b23fd443f8
SHA512510c84528673bd18955b924dcdff4aa6e2c57b0fb45189e5edc29c2a6e7ca826cf5f81b4d6d10940fda6d24de1a86ae357306e07aa431b0280f4ca5052f8a43c
-
Filesize
797KB
MD574d7384264ef07d344346ea317eafd92
SHA1bcd3c52938bd081b92444e2838547a4c706cc62b
SHA256fc2ce4c946ade54dfbfe981ef8b0bb1c53ab326535c67e92a0fb465282c27f17
SHA512e1c08404d6047c6dd8b5c2d28b1dda756ee6a094c01f6ba595e7b4a646ff8ba6a0aa2a33ac796f31a5f4180b84da1b4816f37ce5f3098735527f84dc8ca1fd8f
-
Filesize
805KB
MD5b184e761fa4906baa69cde3ef87858b7
SHA1f307cb35d1111a88a39b8b8461d5661abe61b6d0
SHA2564d0699c6bb4ca7bd6c76174e3e7aa033b677b9d6adc674f76f601a9cd414f6b3
SHA512e7b8a3f63b4ba6abdefaa7c18f26147d188327c3ec6150c480e6066fb9d43c2e20d607f26accbf90029df53e799584e163f163f6cfd778b998ba2630d34a090b
-
Filesize
5.4MB
MD5f09e58a312784385db429ccfe03ee882
SHA1bac58345edd9c52135507b061d703071e4b44a61
SHA256a57bf6000d6324538dd4bd87d154991c14da08b7ebe089f5ca61a4be6d202bb3
SHA512f8f2885b7cec1c923f675fb99b3461e12f180ce8331ea185f17177df0b5ee98f060661df9b96c294d429b11e13ac60b1ed63ea535f2208507544a7f8220571cf
-
Filesize
2.2MB
MD5a49f1ccc1904a4c36dfca345b8d69fc2
SHA17e4d46749daec09db1d6e5c934ad4d0023ef84c3
SHA25653e7fc085a266c181745a4fc30c489bd5e21e9f2ee2f6ec81066c40c3d73d7c7
SHA512b679ce515c710fa6bfaf21bbca2d0a8a27e14ccad81ca0719fd13a4b9c73caa6460d881070fff6dced627a7daaf36e0a286b1d7b7e018cc20ba1f2e88fcc856e
-
Filesize
40B
MD5efdf336c3d3a1adb92b2ad84b9e0ddf8
SHA1d12684bf46d8efdc7fe65d72974a64f8cfc83aae
SHA256a3b64fe67ea4be6fd1cad4f43ab347f08f3c05afd11552101ddc5f80fd3e31cc
SHA512d47956132f95e0f8c31b0d8e8b23a7748b4fd39b6acf746e65600499bb6dac8bf3ba64843a090e41066de86eadd02aeb9c1ebd3ab9cdee4bd9d7867febbb696e
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD57e79c6e1c370941cdd0c80afc7e98b23
SHA1904214f44d02aa752f2e158858bf5a833b3061cd
SHA2568ae77c5ba7d994e19a0570d29866ab6c29a396d8e70a45abfbc7d26f7f9ea723
SHA5126fe84eeb8532ef447d5b4df27cac72439cdcb28510d7b8e38ea9ef8def687b4a717f437773945ce3ef804d8e1d882c5ea8e62b5570ae7359b55c7b8ec690362d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD5e1136fa6a422a4ad19c7112e8d4df127
SHA18533cd7fffa6b17a45fb71eba44ad74aff6990f2
SHA256bd185b5df47ac7990e2258520df8d810c87ba0ccdb9d6023e33fb01abe7071c5
SHA51203cb9f4800ede952665df59b3832cf1f52478147601dbba3bd3ff761e6d4c200494c66c8162d686a9e9c6acf87a80b8ba11a7e57e6b8fb27e433f02a9cdddcf1
-
Filesize
5KB
MD50f3f482c9660ae75d38f17fb094557f9
SHA19f0006db7310c1ab44071ff6753f11966ae192a2
SHA25681d8fbd9022f2b4df0068a51f763c6de5f72576b92fdb50c49f6c9d1dd75016c
SHA5127491516754e9b47aff14a0386511588c4ddad39289bf3469a2d1809954ea668746ebe9e0ee67ca8ebcb0a74159a118f408cdb649f159e9163b05726008bb4dd8
-
Filesize
2KB
MD5e51001326fdb734e7394cf6934f68920
SHA174a5c58398f50ab8cb348ab623ab2eabaf5479a7
SHA2566df4e90ac1fb8ee68b75eb0f6b8a930a9e812999a273e10c5e5bbe176c435292
SHA512dabd3ca58ec0bb351def0960f104150364f950ec29c33e090afbe542865bad9e08d2a19113b426f512970df237adc0ad5d188ac9c8fb42b17616630d3578d877
-
Filesize
16KB
MD59eeed4aa5ced85e35585e742ade0ca9c
SHA12960b7ab4277741a4675872bb00d1de6bafb3c0d
SHA256832e62dda3fa57b104adf30c738625d7ddc25f84434e837d3e12a20852691e1b
SHA512fee19e5a36bbf5978284e55dde075d15789e825c7053cb3b4cba7858ad0d0a466908c96b8862df002fc407fb37ee7987df1c9ec601e20aeb038ece31ff83f6c4
-
Filesize
281KB
MD53747d788d6b3c62be56f9bc4a8efded5
SHA1f440622c965516f568fc77c901ee422ba5c31f42
SHA256d4df24c34f631975e36d90e43a35644d270600619166f3624efa2a7a8b048a64
SHA512e13a1cb834c4d966e5c13cd9d72951fe1ca01cbefc39d03a3d9be3c94b6e2f66e2081221d55a209851e794e08b2efbb6827cc98b11fb0727d6bd8de22f0b40f5
-
Filesize
7KB
MD54172747145e80161e3c41920c71fb355
SHA15366c704088ecbeceed6f55009df9369888bdde2
SHA25692eef3d4904849941831b71f0bb3b7d83d7fcffc54b61d2da9d5981a57e37524
SHA5124736b0a9d8857c8cb441f17af2754742ee8800ef963800db4098565658b004760ace03bb0957def8b2bc375fc44b5b80eac292f477697962156c0156ff408580
-
Filesize
8KB
MD5c3d04667e96f89d0789dd24319c5fb85
SHA189431785135fe26479d98b0fec7db4020c30441f
SHA256358a9a5926d2ccb01d9596176e59c058ade03d970c8ce766c521f7daa70a1912
SHA51287a98f54a885e291de32810c29387c6751b5b73354d43fdbfa45b015ed261803368b6130aea9ec632050021a0157ce0d9d13ff7e1febcc389fdb99c6d456f437
-
Filesize
12KB
MD5796147d8f1347831971c7c1d42aadd7f
SHA194a65b3dc0219557fac9bec619e8d0ac7a2dc465
SHA256fb8cd8e4e205923c4043b1dc9dcef65cd07bf9161d7628b0a2b7ffef3bb17b43
SHA51299466bac62f80c3b0a18055e5df86c74bf49fe031d3151f3e370a835b9d849d9a3b4fde6ad40041c9c4fb3fafbb03098f364c793b1545b8362b1a5879c5bf332
-
Filesize
588KB
MD5f858cd9543996241ab288bc3745287c0
SHA11d7b82b1ca466ec53f001582e1a6ab3912f9b3f1
SHA2561ebe55eed1989bce68400322e7182b2a639225d0b90570b10efee1edbe0e2335
SHA512aa84c2963e4b5d353da86f775945af4ca5ee27b3e9fade39ba5a959abf59a567c333906613abe165565df0fe1a371161374a2101f447da0c5b1b4bd6cb6dac6a
-
Filesize
1.7MB
MD531d638fdfbe86c62ce91a97eba1a3b9c
SHA109be4691a83640343a9f26582b52cfd7ff16a584
SHA256fa25f9a44cfb138b41ec82f5a604ea8ab6f8a0c048bd691020a79740728734c8
SHA5122a15e6dcc4ddb461dfe83ab2fa3ab0e9c6f0c1501d962ae49cfe08cba8886ef33b6af31df96729f1e845489cfced79d51748bc5cdbf6ffd86c85ca7b4ccc6b50
-
Filesize
659KB
MD5
08dcba72d7c6eecfd666045e11ea77a5
SHA1
62be9f88859856f09fc589b0e0c5503e0a4c0bd3
SHA256
18552a1a06d7a7b4c6c9d56ca09b2c2f2d4e886832e61070bf558409a94ea906
SHA512
a63e7015ea198fc2101bc11167c0553da699d4a8f1d6ab3300f2fbb965caecd99892851f15773209d6b9655bbb3f933c0223d395801f42c6d82ffd8613467baf
-
Filesize
1.2MB
MD5
f244feea28f856b89427aedcef5abfaf
SHA1
5bb0c732c0aca8a8928f73ede15683081404f135
SHA256
5dd15375a64c48d313b65637c038e4e21d877d10544a1bbb53121c3a4ea38780
SHA512
4989766e83b78a11f2dfab2d99aa5d27a70ce07357db089e2910885fa3736649768d76a33260cb9bbebadfb6cc42b7548cc75f2bae64a00018886299c282461e
-
Filesize
578KB
MD5
00aec099acf74a47a4187ebccac530ee
SHA1
81ba33a778c30e92bad3fddf1dce900a33ce23b8
SHA256
152632b86350596b84d54cdce69cf393f61a22e8d86be91e572ebb24e67debe1
SHA512
7434d32ab45709a1e862892b211eb6ce77d836c6eda82a1296e84200b1fc47c406d88bdd01e4faa6efad2a49e57cb8a866caf001936f935f656c19effc3f0f50
-
Filesize
940KB
MD5
a3f00a8674bce57dbe40b04b2ae7beab
SHA1
2e03d0d2348cfec6e3688f6bad27a2c22f7ce9a2
SHA256
d17fd0ef8f3052ccc10bbaa3f843ae88da3e5ea54308e96c8ae8086acec316a3
SHA512
29bda6eee181d90cdde4517c25f3d035850ac117825f3735648c0f9c1ca94023449e26d4bc8c540a22cd786261ae4ffdd7ef98e08f8ee78423ee2c8af0c4fd23
-
Filesize
671KB
MD5
ce474b182a131f474c8fa3b352fcc961
SHA1
97a702b42349fbdcfdb9e9934ca9e0f3b1e6c374
SHA256
167ad96b0eadb9346141db7080157bd98cf0518ec339214accf35879073b9d6c
SHA512
8f275333446464b1007912a27539dc015a3d30e0843eec873ee28350d247baa8fc2fe793ce99231991456e071a7925187c3e53d9b9a491f5501015a276fb090e
-
Filesize
1.4MB
MD5
3478c4d73e861023bcea4ee4ce496dfd
SHA1
c53a2314169ff587ea09acc2d3d60cf3c6136533
SHA256
19db67ca858dc380d6f99b9473544e41bfa81ed17243f137f617784732ba2ebd
SHA512
9a63c3c5736cbf417be6faf8265938c1d97aba68bbe9d20a87935b2b6be3fac14a023d7980066d581a04b710b68568bc9369441da91b7a1b569bc8c189c47e06
-
Filesize
1.8MB
MD5
480ac8192fb163cd863e0f56eecd7658
SHA1
ee902e3d42f3733c046d82d3b63256a84066cda0
SHA256
0e915373b9bec800aae656b3ef7986a94a60f8fcde30e464992311f97589f6a1
SHA512
33b1b571d0dfdead399e9f15fdd72f4e4437125ed6a3483eb09982ce96fe31259aa7ba85af91c7cc9d64c4913d48a684bf1d2a3e01bcb71011e12175e37e794e
-
Filesize
1.4MB
MD5
d09170a97dfac977577b42357e1f2090
SHA1
c50e25d242f4f7539d30af76ac3aa5219ec33492
SHA256
038b8cc3b62b3db6c47fa49606006ee0a39acaf0eb7534521cd58f372c9d14a3
SHA512
21facbefebb0c18a02edc115a11b6257a07ccdfce9b625219ff37a7c61409f3f229fbefb8d5ad963ea0a185b5c2905842856a323c74208651101b56a5a4dfac5
-
Filesize
885KB
MD5
2052e73575bb8f85a3b80852e8891bd0
SHA1
04d9ddd7a4f73ab772deb84b26987d68d02a4c0e
SHA256
9f5a4eb9354d3ee2364c760d247da23a1fb8658549a2bd0440f03362dd202f7d
SHA512
b096ed0506317b43fcc4a8bac079146fad3899387bc7fc76efcc15e2638cdab0f0e1e3cdff9c445f6b7c07d30dc571333cbc6cbec3e2ff41b6105235a2dadc7b
-
Filesize
2.0MB
MD5
cbf16f78248d8a78a1c7396f7c98dc35
SHA1
551cfcdac10fb179eb55a0ccacc5ce5b9c157d02
SHA256
f2573a8db01cf1288ca325d904941c50146fe1cdd65502798cd6cd0a748645ee
SHA512
c14744053737419d217ab0acc0ccba8fefc0464bf649b7c9c667fccec1c4dba74a191e063773349a62010a078d7d5a6e85e16d592d45d7b2a650f78eaac009eb
-
Filesize
661KB
MD5
f806fb9a909b0a75b4ec9e60c82ea33d
SHA1
c0e4354d1465e12edfd26cdc16f8528267b369a9
SHA256
e695d4975a50ff150b7ce8d390f89db0d0678b89651810a610c57ff588665d52
SHA512
b7a636aa029a33d4e66d4984843e84ef3d00ca29d031923d9a2d74e6540edaaa0e056fa26129c8a2ee0fdb3c24867a4fa6f26886d667a4111b751904e2887ba8
-
Filesize
712KB
MD5
44e8d7896361818af686834b48a27c1e
SHA1
e4632e9de4b4011a72ccfcfc8d1f1b91a2776bf5
SHA256
00ec9aaa112fd38bfce763a9a2acc2a96220190c7be4f8b1258bac942dafc0b2
SHA512
093a800fd040a7a230c26ec4d579a3287cbe032b8b8799860a57599a132b27f901847c9c2fba39205916299b847d3d7d562a1eaeae79430517e5e76ff77ef78c
-
Filesize
584KB
MD5
44859233ec081b51addda81040b0d7ee
SHA1
4bbdec86b10630fa9bcb750e45b4845462b40ffc
SHA256
8bcfa8a45e9eeec0e8455ffb03d6fddde94bd859aaad1b324be8c35eabeeb565
SHA512
f50af865bd6401a24c726c88baaa38e8f313a01d25704ddac66b9a55aa716505a0740dc3f934ca6698a9523b471b8d74c61d9cc761ea3dfb5d796c2dd7d034a0
-
Filesize
1.3MB
MD5
e0470a333f631c6d381c4dc0148ff075
SHA1
7144e6c4aabf377008462e3c73817337036562b5
SHA256
364a2f79e59cf2f30fd2274a2dd61d6adc3d9fe8241bf0ca445d0c545274bfbf
SHA512
ce91083645393ce14cfc066623e5d8c6f28b613e76d3824d3d0cfdb70e75350b16ed65801f88eab844bbf8dc5b5ca3ae593772085c7f7dc1529ba68c7ac07870
-
Filesize
772KB
MD5
49bd4684d95c33ee3c689f4480e59ea8
SHA1
57cfb17f164aff1434f24bea80b5986485e50152
SHA256
2cce636c790b4be61d18125a59e35c35a3d087f3ccd84441169118d2644e8a04
SHA512
4cde047648b7cef96efa9baa628692e0399dfc1f953102fc5fbc13f5f083572645980e737ef58d5ddb51d9c632a052580480e3dbbeaab23d0b705d0893a1dd68
-
Filesize
2.1MB
MD5
e8c29dc3c51a3ac2c93d8fc2aaa07388
SHA1
fcd90dbc93821542e49e6b487df208fb0a822828
SHA256
d86437ceed7d272fa85e49ef4082c658af321b4d82efc6d79017fa7ae455ca18
SHA512
8064373ff2f26481390894150824092e627ad62da2a8bf10177acebd2bb7c4e8249ee0985b3d0687f73b88555dd5a5869aaaf5005c09860e7899711e64ef9f1d
-
Filesize
40B
MD5
260b0e3a53746be1616919a463e54706
SHA1
b9072f17d21fda3f40461b4914c6db71da4eba8a
SHA256
fb43de18f8770ea8ba236b039f9921a267775967cea473b62e288161988a1309
SHA512
3963fe59b81b64a12fe5890d0dbc1154c574995dff77133c4a4477d76bf4f6fb6556f4cded428381936ad94494f94e3374413d500b2cf115740d80080fedf434
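The dropped-file list above is what an analyst usually wants to turn into a hunting set, and the scraped copy of a tria.ge page often arrives with the label fused onto the digest ("MD53747d7...", "SHA15366c7..."), which is ambiguous for SHA1 values that begin with a digit. The following parser is an added example, not part of the tria.ge report or its tooling; it accepts both the fused and the split layout, uses the fixed digest lengths (MD5 32, SHA1 40, SHA256 64, SHA512 128 hex digits) to resolve the ambiguity and to reject any digest that was truncated in extraction, and returns one record per dropped file. The sample input is constructed from two of the records on this page.

```python
"""Parse a flattened sandbox dropped-file hash list into structured IOC records.

Added example (not tria.ge code). Handles the extraction artefact where label and
digest are fused on one line; the fixed digest length per algorithm disambiguates
"SHA1" + "5366c7..." from a hypothetical "SHA15" label and catches truncated values.
"""
import re

# Hex-digit count per digest; longest label first so "SHA256" is tried before "SHA1".
DIGEST_LEN = {"SHA512": 128, "SHA256": 64, "SHA1": 40, "MD5": 32}
_LABELS = sorted(DIGEST_LEN, key=len, reverse=True)
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_SIZE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample: the 281KB record in fused form and the 7KB record in split form.
SAMPLE = """
-
Filesize
281KB
MD53747d788d6b3c62be56f9bc4a8efded5
SHA1f440622c965516f568fc77c901ee422ba5c31f42
SHA256d4df24c34f631975e36d90e43a35644d270600619166f3624efa2a7a8b048a64
SHA512e13a1cb834c4d966e5c13cd9d72951fe1ca01cbefc39d03a3d9be3c94b6e2f66e2081221d55a209851e794e08b2efbb6827cc98b11fb0727d6bd8de22f0b40f5
-
Filesize
7KB
MD5
4172747145e80161e3c41920c71fb355
SHA1
5366c704088ecbeceed6f55009df9369888bdde2
SHA256
92eef3d4904849941831b71f0bb3b7d83d7fcffc54b61d2da9d5981a57e37524
SHA512
4736b0a9d8857c8cb441f17af2754742ee8800ef963800db4098565658b004760ace03bb0957def8b2bc375fc44b5b80eac292f477697962156c0156ff408580
"""


def _set(rec, key, value):
    """Store one field, validating size syntax and digest length/charset."""
    if key == "filesize":
        m = _SIZE.match(value)
        if not m:
            raise ValueError(f"bad filesize {value!r}")
        rec["filesize"] = value
        rec["size_bytes"] = int(float(m.group(1)) * _UNIT[m.group(2).upper()])
        return
    want = DIGEST_LEN[key]
    if len(value) != want or not _HEX.match(value):
        raise ValueError(f"{key} digest {value[:12]!r}... has length {len(value)}, expected {want}")
    rec[key.lower()] = value.lower()


def parse_records(text):
    """Return a list of dicts (filesize, size_bytes, md5, sha1, sha256, sha512).

    Records are separated by lines containing only '-'. A label may carry its
    value on the same line or on the following line. Any malformed digest raises
    ValueError instead of being silently kept as a bad IOC.
    """
    records, cur, pending = [], {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "-":
            if cur:
                records.append(cur)
            cur, pending = {}, None
            continue
        if pending is not None:          # value for the label seen on the previous line
            _set(cur, pending, line)
            pending = None
            continue
        if line == "Filesize":
            pending = "filesize"
            continue
        label = next((l for l in _LABELS if line.upper().startswith(l)), None)
        if label is None:
            continue                      # not part of a hash record (e.g. a heading)
        rest = line[len(label):]
        if rest:
            _set(cur, label, rest)        # fused layout
        else:
            pending = label               # split layout
    if cur:
        records.append(cur)
    return records


def sha256_set(records):
    """Unique SHA256 values: the digest to pivot on, since MD5 and SHA1 are collision-prone."""
    return sorted({r["sha256"] for r in records if "sha256" in r})


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["filesize"], r["sha256"])
```

Run it over the whole "Dropped files" section of a report rather than this sample; records that precede the first "Filesize" line (a partial entry cut off by pagination, as at the top of this section) come back without a size and should be treated as incomplete.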