bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

Analysis

max time kernel
507s
max time network
390s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-05-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.jpeg = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wmv = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c050ff98d9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice\Hash = "3ut2qFOGbMs="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice\Hash = "27QNv64iIsc="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\Hash = "w1uhgt4ix88="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice\Hash = "bwmgN7vK5E4="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009130fde58d9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d04f075f8e9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\UserChoice\Hash = "GA3DuOVQeVU="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice\Hash = "4/T07hnqtms="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice\Hash = "9H50VX1yMuY="	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mp4 = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice\Hash = "PGG8iI65jO8="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice\Hash = "MHViEDfD2mk="	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.png = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.3g2 = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe
4496	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2428	Process not Found
4368	Process not Found
4864	Process not Found
4660	Process not Found
2452	Process not Found
4308	Process not Found
3680	Process not Found
2332	Process not Found
4528	Process not Found
1884	Process not Found
220	Process not Found
4896	Process not Found
2464	Process not Found
5032	Process not Found
4212	Process not Found
4632	Process not Found
4432	Process not Found
5036	Process not Found
4596	Process not Found
3816	Process not Found
2196	Process not Found
4588	Process not Found
3972	Process not Found
3184	Process not Found
3788	Process not Found
2156	Process not Found
4948	Process not Found
4160	Process not Found
3544	Process not Found
2972	Process not Found
3296	Process not Found
4116	Process not Found
4188	Process not Found
3124	Process not Found
4356	Process not Found
4136	Process not Found
2848	Process not Found
4644	Process not Found
820	Process not Found
2328	Process not Found
1052	Process not Found
8	Process not Found
2352	Process not Found
4268	Process not Found
2448	Process not Found
1688	Process not Found
4964	Process not Found
2360	Process not Found
512	Process not Found
3636	Process not Found
364	Process not Found
3692	Process not Found
4900	Process not Found
1392	Process not Found
528	Process not Found
596	Process not Found
4592	Process not Found
4108	Process not Found
5016	Process not Found
4564	Process not Found
4612	Process not Found
1480	Process not Found
1088	Process not Found
3168	Process not Found

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: 33	3176	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeDebugPrivilege	4368	taskmgr.exe
Token: SeSystemProfilePrivilege	4368	taskmgr.exe
Token: SeCreateGlobalPrivilege	4368	taskmgr.exe
Token: 33	4368	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4368	taskmgr.exe
Token: SeRestorePrivilege	5044	7zG.exe
Token: 35	5044	7zG.exe
Token: SeSecurityPrivilege	5044	7zG.exe
Token: SeSecurityPrivilege	5044	7zG.exe
Token: SeDebugPrivilege	4496	taskmgr.exe
Token: SeSystemProfilePrivilege	4496	taskmgr.exe
Token: SeCreateGlobalPrivilege	4496	taskmgr.exe
Token: 33	4496	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4496	taskmgr.exe
Token: SeRestorePrivilege	3624	7zG.exe
Token: 35	3624	7zG.exe
Token: SeSecurityPrivilege	3624	7zG.exe
Token: SeSecurityPrivilege	3624	7zG.exe
Token: SeRestorePrivilege	1820	7zG.exe
Token: 35	1820	7zG.exe
Token: SeSecurityPrivilege	1820	7zG.exe
Token: SeSecurityPrivilege	1820	7zG.exe
Token: SeDebugPrivilege	3632	taskmgr.exe
Token: SeSystemProfilePrivilege	3632	taskmgr.exe
Token: SeCreateGlobalPrivilege	3632	taskmgr.exe
Token: 33	3632	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3632	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4208	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 2412	3176	SearchIndexer.exe	78
PID 3176 wrote to memory of 2412	3176	SearchIndexer.exe	78
PID 3176 wrote to memory of 520	3176	SearchIndexer.exe	79
PID 3176 wrote to memory of 520	3176	SearchIndexer.exe	79
PID 3176 wrote to memory of 2480	3176	SearchIndexer.exe	85
PID 3176 wrote to memory of 2480	3176	SearchIndexer.exe	85
PID 3176 wrote to memory of 4376	3176	SearchIndexer.exe	86
PID 3176 wrote to memory of 4376	3176	SearchIndexer.exe	86
PID 3176 wrote to memory of 4092	3176	SearchIndexer.exe	92
PID 3176 wrote to memory of 4092	3176	SearchIndexer.exe	92
PID 3176 wrote to memory of 4056	3176	SearchIndexer.exe	93
PID 3176 wrote to memory of 4056	3176	SearchIndexer.exe	93

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip
1⤵
PID:212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3432

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  - Modifies data under HKEY_USERS
  PID:520
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2480
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  PID:4376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:4092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  PID:4056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\42\" -ad -an -ai#7zMap22300:84:7zEvent26506
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap3663:84:7zEvent16439
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\42\" -ad -an -ai#7zMap8401:84:7zEvent30899
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a97855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\AppData\Local\Temp\42\lib 2.zip

Filesize
34KB

MD5
0a76bd3e26768bba68aca3d210997069

SHA1
753690994a18cf58ed0fe3749d16448b763047b8

SHA256
9056b87f079861d1b0f041317d6415927d9ffb6498ce2530ff90fda69fa64e78

SHA512
14408ea7f44bc365a58d7480fff9ea3b10fa21bfbd3363c6e30b74a4d4121677e20ce1108cce12c203f0760768aee1c1aa69b130e090c409f9a516ea02d70c49

Download Submit
memory/520-57-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-52-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-44-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-46-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-56-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-49-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-48-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-66-0x00000299D4BE0000-0x00000299D4BF0000-memory.dmp

Filesize
64KB

Download
memory/520-55-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-67-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-62-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-63-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-65-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-64-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-58-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-39-0x00000299D4BE0000-0x00000299D4BF0000-memory.dmp

Filesize
64KB

Download
memory/520-47-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-41-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-59-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-70-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-71-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-74-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-73-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-72-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-77-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-84-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-85-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-83-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-82-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-81-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/520-80-0x00000299D4C00000-0x00000299D4C10000-memory.dmp

Filesize
64KB

Download
memory/3176-0-0x000001E2C2390000-0x000001E2C23A0000-memory.dmp

Filesize
64KB

Download
memory/3176-32-0x000001E2C69F0000-0x000001E2C69F8000-memory.dmp

Filesize
32KB

Download
memory/3176-16-0x000001E2C2540000-0x000001E2C2550000-memory.dmp

Filesize
64KB

Download