e347d1ec3026ecd96ac81f03212b793a9dbcb75ad5374179c5c72e0243d9fab4

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

973fc288b768f048db940d82f3e20489.exe
Size

705KB
MD5

973fc288b768f048db940d82f3e20489
SHA1

57379d21ddafd4922fd4158b76465002a9fa5789
SHA256

e347d1ec3026ecd96ac81f03212b793a9dbcb75ad5374179c5c72e0243d9fab4
SHA512

00d4b51223863c47de7c52d09bfeccc9faaeb733b79dd7f27bd815d732e80152919909e14e3e7b6b1e43f35bb6e025acb17db8b8d5f3fd1b35d5beb398d8fa6d
SSDEEP

12288:4DJnJM4OpSpnO8kTMlwYLySVlbkHxIvCSL/DEtnwApno8lTdnZZLWF0:MJnJM4OqTW2zdL/D5ARoKTA

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
1592	alg.exe
2036	DiagnosticsHub.StandardCollector.Service.exe
4804	fxssvc.exe
1960	elevation_service.exe
2764	elevation_service.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3791175113-1062217823-1177695025-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3791175113-1062217823-1177695025-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\P:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\T:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\U:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\Z:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\R:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\S:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\Q:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\Y:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\K:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\O:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\V:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\X:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\E:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\H:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\J:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\G:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\L:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\I:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\M:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\N:	973fc288b768f048db940d82f3e20489.exe
File opened (read-only)	\??\W:	973fc288b768f048db940d82f3e20489.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File created	\??\c:\windows\system32\pnmhpnif.tmp	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\omhlpckn.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\system32\perceptionsimulation\hifclkgc.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File created	\??\c:\windows\system32\mameincd.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\openssh\cbkdipmb.tmp	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\edmkhbcc.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\apnoihco.tmp	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\cochgpnd.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\bkmnjolc.tmp	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\syswow64\ppkgdfce.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\kicmejkh.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File created	\??\c:\windows\system32\gnkdgqfb.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\lnhpeiia.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ieagbbje.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File created	\??\c:\windows\system32\dbepcbao.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\nbpmobqb.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File created	\??\c:\windows\system32\ibgbldfj.tmp	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\qlobbclb.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\diagsvcs\ckfclobj.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\ellkhilk.tmp	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\windows\system32\gifpione.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File created	\??\c:\windows\system32\bigkmknn.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	973fc288b768f048db940d82f3e20489.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\microsoft shared\source engine\bgmhlgoc.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\jkgaipki.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\dotnet\pijgofaf.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\jfjkgccl.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\jmofaklb.tmp	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\obkakffi.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\miqfjfol.tmp	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\clmaedbq.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	973fc288b768f048db940d82f3e20489.exe
File created	\??\c:\program files\windows media player\hjnchajp.tmp	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\olemadei.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	973fc288b768f048db940d82f3e20489.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	973fc288b768f048db940d82f3e20489.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	973fc288b768f048db940d82f3e20489.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	973fc288b768f048db940d82f3e20489.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe
1592	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1212	973fc288b768f048db940d82f3e20489.exe
Token: SeAuditPrivilege	4804	fxssvc.exe
Token: SeTakeOwnershipPrivilege	1592	alg.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\973fc288b768f048db940d82f3e20489.exe
"C:\Users\Admin\AppData\Local\Temp\973fc288b768f048db940d82f3e20489.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1592

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:788

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
17008fc1e31ce5e2afa83520c32a474d

SHA1
e08b00f62b0f1b2ed587e542ff21252ab667b40a

SHA256
4d8b0328132e65ce2d2920bb3912f62614a2b431ee875f57a0793dc0a950a690

SHA512
4b68068b7d98f75dc0c5e5f2177cf244a17e5e8fb53a51b8cb0b00e24a915002655229c2cd5dd8429c867c5b35d519b3c948626ee857fd649909b3eaf12e4360

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
0b1d7c98c912bd8a1bf6bf77bf016e76

SHA1
be5a42c31c6bbf32fd9129e060a2005190608db8

SHA256
f5539815547bab82f758911544b78db15e3a953ca1903614e6b7170f4cad2e88

SHA512
25f5822dd73bf54b485f88a1f7a21c76030e9d9b3f122d4fb9ef03f3214b0bd68badf76b8763b48c057a50724d18f83b664a6136dd4ce16976fe24b5c0b3ce90

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
a27240c135079db56e89b0de2a269664

SHA1
ffbb38439ce3421ebf9a0280a7e4f1eab67334f8

SHA256
468e2eda1b862b74b131e7308c01846f4e3a5166e9aa5f688ce998bba3a2e5a3

SHA512
0f60eab7cd9789350fe4ea86c4048daf899e7c942e9e5d8244e0b39224ed52fd475c8ac17c7ad975b8cb3559c3a040e4d35670211f88254832c2d3d71b5d8a38

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
4f549aa64a23c89b1bb81904202373c6

SHA1
3f490f1a16f8b92344d7dec29521a97b4454741d

SHA256
3c47313587fbb9dce548a704ff0483576936640cd74e1fa16781c297316b629f

SHA512
1e51e691090ac26035cd6b63d5e7d8bc7b7cd6e7e38a4e797d5a0a94bae7e3adc49ae3e0ade79a86bab5931b21c839790e7d8cfc1b71ad3cd5cc3bf926358c6c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
fc11ab221a45075cc6d03795b36d520f

SHA1
8a778c2618e82d7644aacd745c4018b99b65977b

SHA256
e558c51085e96faf3b57fc0975280520c2b294d013bbdd0bf987ed15e76bbe9f

SHA512
f58481ff8b381b75db8dcce21ed614c55c6d1d7c6871ab1b01117d4fa742b9dd0bc535817f40574b67619854506c7ebdff4f948cb4eb1933db564172bf89c78d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
782e285a18778a5acb01e3eb4ea56115

SHA1
945538495188d01c4ff5fbb9f9479330c3d1ff06

SHA256
288d3c3d9bf583f14214b943e00bc11be5ca2208a20780c6bb7f32bbe911bee0

SHA512
5e01f6fa2986872e15a4161de061539af6339fe2127c5389326bd66a054e8cee489efce3f8ab56ddf8e3805806663b69fe19c2af310197ac6f55fdc00f6ae968

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
4ff5120dfd680d105fd63211d7c9b9c9

SHA1
ccb86f3b1d1b160944ac7a61b73d2460513b8289

SHA256
0dcfca081513e37cd225fa1e4e35b248f9a1baae9f0b0e42d0a2feacee10cf64

SHA512
bd3c581a04281f75d1b783c4aa14d4e996b16d48e047d2512caf3da25d940d0ecd8b8cd3ab6310275229f0026d5b05b016abdd4179ed7e0d0807ba9b42df8731

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
0f267cffac77d0eeed71be18c71125ae

SHA1
83c0173590f12d19f89404efc09a610ed2e9cf9a

SHA256
b89289824045f413959b4a1a15a952bcc0861ee9826d47961c3eaa24ba74b95b

SHA512
27e04085667df94268890a6e3dadbb9771dabe86ca5f04411c1062bbba5cfe703c2dc2234871fc99334f35e53e8c90cf509de0060a729c76880bacbb0cf9308c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.2MB

MD5
544152290f73a52632aa32f87d3dbdb6

SHA1
339c8f03e86af650002469d6f7e5777621e8e34f

SHA256
7018edd54ff6587d99c091a07a709d83698e23d93fa1160ca5a5f3a91b34a8d6

SHA512
a5d43f1b3ad818f7f277ae066bc44d8c2836565fcbf1bd12d853334168c2356577dfc1aab4a9f0e3a63ae1afdafbf367765300604d2503ee3fc4c1206720d386

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
acb410d49c2e477b19816514ec5369d9

SHA1
67705753c9ca325fb0dacde82aefa4d6be05e665

SHA256
cb3fa46fc055ef0c0db5e315d2f439827c62daec0dbedcd29cb65acd29da6c2e

SHA512
46c59b2a333349d3c50138a81568868fcb2c92d5aecd567183deeadba7ae9ef0324fcf9352b1c22ddb668c2f543a2e480974210f71fdb6384056e0cdc0247f29

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\bgmhlgoc.tmp

Filesize
637KB

MD5
f9a0af73e80d6b6e9d904d41832eaa1d

SHA1
33e702b3256a5a4297a1b5e711a3007cbc2a3c62

SHA256
2cb146d87b38bc524ddc69381703f456c1fa48d7121ce8ff8b0a3a8a3865e387

SHA512
9debd1c7b70dd6ce131e651eaf0af0a3f5dc8fab14a296e8ff065181bda6d9d04fadbc1206852e2ab79a09189d901f29022c6ecbd5bd14c110bef9d04847eb83

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
99a2f676b8a9f5c5d745c5fd981ae32f

SHA1
897aa268668e115d318ad3b8eb7a3c5a0b1ba9a7

SHA256
e1bebec42fee1504025564d228663c3bbee3230712cde95d0091ddc0c4b53c2e

SHA512
ec255d736f85b10b6a3ce0ca48514560a4135fe02779f6a9744ccee663f03e0ef22129ef09a519b314c20da500ee0212d34ec588735ce41386872f7484a183f0

Download Submit
C:\Users\Admin\AppData\Local\oodkqfqj\hhahobji.tmp

Filesize
678KB

MD5
c757eb9ddcd16e018b884a291fe2c8eb

SHA1
f9c7701a1db7c9f5a51de5e823b49923d4e1be3a

SHA256
6cc412c017e6806c001a0b801bc2262b88f3c793e3f30321ada321e76be99499

SHA512
581ae54e80d2272fcbdc0a6534e1de57100c87657d76d78dc232518c243ab5747617b03f604e43cc870e4808010fc3962b0fec134a5a3822a787e56187ac5564

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
139d3ec8c7a2af6ad8d1117c4dac58b6

SHA1
4b90f41dfb7150022aab41a987bc328b5d303594

SHA256
78b96898ce6499f04a53ce104f77c3ec1112d720af80e89f853b7224baa0f520

SHA512
14ae0af2fc056ac67364ef5028ff6a1ac0254d07ddb770859d7339d898c517f0a47b063c3e36ab9c1fc3daf23059f31cdffe6446257bafd5169c017b279a94c9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
d0e43f1c0c9382500e09952cc66af612

SHA1
822a71d3fd6181ec8f185a54c06a2a865118c1eb

SHA256
2ffbcbca90fb40f745cb7367cbf66df3ee34f7dcf68ae798279f60dd993e7f0b

SHA512
293f37b554a41e672ecb526639a8a00d3481acda29fa0901182f23fe0676bc147e96971e9384bea1485540639794c73c277219fbdb27ffdfed37374d7e3b9709

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
c67c40ac3204151e4d6345ef375f8c5f

SHA1
13ce0058ef09d5d6ef11d5f1e95acf692f9f3f7c

SHA256
2378e2550efa3db7b8176165962426097b96eb929987a347181ec3177c3dc587

SHA512
bd93d0f9c4438664b3469c3f96be500351a12857d3a09e44724bbbbe633d3d48ff8e1e085bd3b965e0ee306652daf5c88c6e45026232f2902116fd546808d351

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
613KB

MD5
4396f57dc9847f78f656ad7bd29fc99e

SHA1
497fe853020bad26434de60950fb7812b1e5fcdb

SHA256
d1ac22a1f00654d51bcd5e310e1315d79e8396bc53d8ee665b0455faae006aa0

SHA512
d6cfc4183ceee4f56b128bb2bc1171812d14dbd50d1b4ecd5b5c2f263847d90da0d8c53fa14f8dd69feddbc455226e41bcec91fc19ff393a36479e8902f50d6b

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
444b99ac95e393797020610065c2edca

SHA1
e7431e8cf417242e1fd1499562c68f4e9fcc46fd

SHA256
33e56fa18386cce8fdd760b81cc87f247bdfcb78684379c5d746543528311682

SHA512
9880b59fd7e49bb7ede20d4ae90100aef8fa8f1d7df27bae622ea776d5c19b444f0d691351016ce95b99b192f1ec4b563395d8e621861ecc0012958e3a69f057

Download Submit
memory/1212-2-0x00007FF76CAB0000-0x00007FF76CBB9000-memory.dmp

Filesize
1.0MB

Download
memory/1212-94-0x00007FF76CAB0000-0x00007FF76CBB9000-memory.dmp

Filesize
1.0MB

Download
memory/1212-0-0x00007FF76CAB0000-0x00007FF76CBB9000-memory.dmp

Filesize
1.0MB

Download
memory/1592-150-0x00007FF636BD0000-0x00007FF636CA3000-memory.dmp

Filesize
844KB

Download
memory/1592-17-0x00007FF636BD0000-0x00007FF636CA3000-memory.dmp

Filesize
844KB

Download
memory/1592-45-0x00007FF636BD0000-0x00007FF636CA3000-memory.dmp

Filesize
844KB

Download
memory/1960-44-0x00007FF7957A0000-0x00007FF795A01000-memory.dmp

Filesize
2.4MB

Download
memory/1960-182-0x00007FF7957A0000-0x00007FF795A01000-memory.dmp

Filesize
2.4MB

Download
memory/2036-29-0x00007FF709DB0000-0x00007FF709E82000-memory.dmp

Filesize
840KB

Download
memory/2036-166-0x00007FF709DB0000-0x00007FF709E82000-memory.dmp

Filesize
840KB

Download
memory/2764-53-0x00007FF656770000-0x00007FF6569C5000-memory.dmp

Filesize
2.3MB

Download
memory/2764-188-0x00007FF656770000-0x00007FF6569C5000-memory.dmp

Filesize
2.3MB

Download
memory/4804-37-0x00007FF6FFF30000-0x00007FF70008F000-memory.dmp

Filesize
1.4MB

Download
memory/4804-36-0x00007FF6FFF30000-0x00007FF70008F000-memory.dmp

Filesize
1.4MB

Download