Analysis
  max time kernel: 149s
  max time network: 126s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31-08-2024 06:07
  Static task: static1
  Behavioral task: behavioral1
  Sample: a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe
  Resource: win7-20240708-en
General
  Target: a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe
  Size: 406KB
  MD5: c8a46327ca3a8a0a5db01c32ba508f20
  SHA1: 0e737ae39d373dda72816d12737163ca068a7716
  SHA256: a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625
  SHA512: 468b8b3a828a43e073af6d4c02eb356e608262b1496044e94d0d161eb1976f6d03f6fc23254086e74673a4ffea5ab9054813feb8c5ab0e18e3c5a93cef55e980
  SSDEEP: 6144:KIzfx0tsmxGjd9suGjWIDhAJSbnVrw8/LppZ2oqIqOEhspJ:1fqOwGTlW9N0Qrw62obqap
Malware Config
Signatures
Expiro payload 5 IoCs
  Processes: (resource, yara_rule)
    behavioral2/memory/2328-0-0x00000000006DA000-0x000000000076D000-memory.dmp  family_expiro1
    behavioral2/memory/2328-1-0x0000000000670000-0x000000000076D000-memory.dmp  family_expiro1
    behavioral2/memory/2328-2-0x00000000006DA000-0x000000000076D000-memory.dmp  family_expiro1
    behavioral2/memory/2328-4-0x0000000000670000-0x000000000076D000-memory.dmp  family_expiro1
    behavioral2/memory/2328-5-0x0000000000670000-0x000000000076D000-memory.dmp  family_expiro1
Disables taskbar notifications via registry modification
  Processes: (description, ioc, process)
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-656926755-4116854191-210765258-1000\EnableNotifications = "0"  alg.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-656926755-4116854191-210765258-1000  alg.exe
Executes dropped EXE 9 IoCs
  Processes: (pid, process)
    4160  alg.exe
    2728  DiagnosticsHub.StandardCollector.Service.exe
    1616  fxssvc.exe
    3024  elevation_service.exe
    2456  elevation_service.exe
    3932  maintenanceservice.exe
    912   msdtc.exe
    212   msiexec.exe
    1756  SearchIndexer.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
  Processes: (description, ioc, process)
    File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe
    File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  alg.exe
    File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: (description, ioc, process)
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 1 IoCs
Processes: OpenWith.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings OpenWith.exe
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
alg.exepid process 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe 4160 alg.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660 660
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes: a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe, fxssvc.exe, alg.exe, msiexec.exe, SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 2328 a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe
Token: SeAuditPrivilege 1616 fxssvc.exe
Token: SeTakeOwnershipPrivilege 4160 alg.exe
Token: SeSecurityPrivilege 212 msiexec.exe
Token: 33 1756 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1756 SearchIndexer.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: OpenWith.exe
pid process
1040 OpenWith.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description pid process target process
PID 1756 wrote to memory of 4820 1756 SearchIndexer.exe SearchProtocolHost.exe
PID 1756 wrote to memory of 4820 1756 SearchIndexer.exe SearchProtocolHost.exe
PID 1756 wrote to memory of 2120 1756 SearchIndexer.exe SearchFilterHost.exe
PID 1756 wrote to memory of 2120 1756 SearchIndexer.exe SearchFilterHost.exe
System policy modification 1 TTPs 2 IoCs
Processes: alg.exe
description ioc process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2328
- C:\Windows\system32\OpenWith.exe (level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 1040
- C:\Windows\System32\alg.exe (level 1)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 4160
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 2728
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 3100
- C:\Windows\system32\fxssvc.exe (level 1)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1616
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (level 1)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID: 3024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 2456
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 3932
- C:\Windows\System32\msdtc.exe (level 1)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 912
- C:\Windows\system32\msiexec.exe (level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 212
- C:\Windows\system32\SearchIndexer.exe (level 1)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1756
  - C:\Windows\system32\SearchProtocolHost.exe (level 2, child of PID 1756)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4820
  - C:\Windows\system32\SearchFilterHost.exe (level 2, child of PID 1756)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
    - Modifies data under HKEY_USERS
    PID: 2120
Network
MITRE ATT&CK Enterprise v15
Downloads