Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-08-2024 15:27
Static task: static1
General
Target: 3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
Size: 625KB
MD5: d0880ec1ab1627d23202ee86d33b7356
SHA1: a8dae933bdf12ccdd8f1c763d3be932186fe8966
SHA256: 3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af
SHA512: 1d833b5f77b8cbb66224effe69daaa78e2b3fcfd2bde89c6d3bced4dcef83687b1cbeacd22f0055003ed0935a3cc83972f5b16a1fc476a896beae7d620c50549
SSDEEP: 12288:bVt+w8wyv/566WoJMOYeRqmyfq5M7I4XbDhyGdPiMbSLJj2xshdFSRO:ht+w5yJDJGeRMhjdudaKh
Malware Config
Signatures
Expiro payload 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2808-0-0x00000000004BC000-0x000000000054F000-memory.dmp  family_expiro1
behavioral1/memory/2808-1-0x0000000000400000-0x000000000054F000-memory.dmp  family_expiro1
behavioral1/memory/2808-3-0x0000000000400000-0x000000000054F000-memory.dmp  family_expiro1
behavioral1/memory/2808-47-0x00000000004BC000-0x000000000054F000-memory.dmp  family_expiro1
behavioral1/memory/2808-49-0x0000000000400000-0x000000000054F000-memory.dmp  family_expiro1
Disables taskbar notifications via registry modification
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4182098368-2521458979-3782681353-1000\EnableNotifications = "0"  alg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4182098368-2521458979-3782681353-1000  alg.exe
Executes dropped EXE 8 IoCs
Processes:
pid  process
696  alg.exe
2248  DiagnosticsHub.StandardCollector.Service.exe
1144  fxssvc.exe
1572  elevation_service.exe
2600  elevation_service.exe
2144  msdtc.exe
2580  msiexec.exe
2092  SearchIndexer.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description  ioc  process
File opened (read-only)  \??\V:  alg.exe
File opened (read-only)  \??\Z:  alg.exe
File opened (read-only)  \??\K:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\L:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\P:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\V:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\H:  alg.exe
File opened (read-only)  \??\R:  alg.exe
File opened (read-only)  \??\S:  alg.exe
File opened (read-only)  \??\U:  alg.exe
File opened (read-only)  \??\W:  alg.exe
File opened (read-only)  \??\I:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\X:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\Z:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\E:  alg.exe
File opened (read-only)  \??\L:  alg.exe
File opened (read-only)  \??\G:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\H:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\M:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\Q:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\J:  alg.exe
File opened (read-only)  \??\E:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\M:  alg.exe
File opened (read-only)  \??\O:  alg.exe
File opened (read-only)  \??\N:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\G:  alg.exe
File opened (read-only)  \??\I:  alg.exe
File opened (read-only)  \??\J:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\R:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\U:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\P:  alg.exe
File opened (read-only)  \??\T:  alg.exe
File opened (read-only)  \??\X:  alg.exe
File opened (read-only)  \??\O:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\S:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\T:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\K:  alg.exe
File opened (read-only)  \??\N:  alg.exe
File opened (read-only)  \??\Q:  alg.exe
File opened (read-only)  \??\Y:  alg.exe
File opened (read-only)  \??\W:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened (read-only)  \??\Y:  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
Drops file in System32 directory 64 IoCs
Processes:
description  ioc  process
File opened for modification  \??\c:\windows\system32\spectrum.exe  alg.exe
File opened for modification  \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\perfhost.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\searchindexer.exe  alg.exe
File created  \??\c:\windows\SysWOW64\cnoepfkj.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\ciehkjoe.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\sgrmbroker.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\svchost.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\spectrum.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File created  \??\c:\windows\system32\hmpedqle.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\Agentservice.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\sgrmbroker.exe  alg.exe
File opened for modification  \??\c:\windows\system32\snmptrap.exe  alg.exe
File created  \??\c:\windows\system32\fepqiagi.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\Agentservice.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\vds.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\wbengine.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\tieringengineservice.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\openssh\hgaienbo.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\dllhost.exe  alg.exe
File opened for modification  \??\c:\windows\SysWOW64\Appvclient.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\lsass.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\wbem\lcbacbpp.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\msdtc.exe  alg.exe
File opened for modification  \??\c:\windows\system32\locator.exe  alg.exe
File opened for modification  \??\c:\windows\system32\openssh\ssh-agent.exe  alg.exe
File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\lsass.exe  alg.exe
File created  \??\c:\windows\system32\pnggjicn.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\fxssvc.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\svchost.exe  alg.exe
File created  \??\c:\windows\SysWOW64\djjjglap.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\lbpafgab.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\diagsvcs\icfkqcoe.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\mijphgfp.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\SysWOW64\cemdkpbo.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\tieringengineservice.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\tieringengineservice.exe  alg.exe
File opened for modification  \??\c:\windows\SysWOW64\locator.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\fiplhikn.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\vssvc.exe  alg.exe
File opened for modification  \??\c:\windows\system32\fxssvc.exe  alg.exe
File opened for modification  \??\c:\windows\syswow64\perfhost.exe  alg.exe
File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\elepifgc.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\perceptionsimulation\jmkhqfgm.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\openssh\ssh-agent.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\system32\ahilkilc.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\locator.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\alg.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\SysWOW64\sensordataservice.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  \??\c:\windows\SysWOW64\qnoipebh.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe  alg.exe
File opened for modification  \??\c:\windows\system32\sensordataservice.exe  alg.exe
File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
Drops file in Program Files directory 64 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Program Files\Internet Explorer\ExtExport.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe  alg.exe
File created  C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jar.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\idlj.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe  alg.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe  alg.exe
File created  C:\Program Files\Internet Explorer\kjkookie.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe  alg.exe
File created  \??\c:\program files\common files\microsoft shared\source engine\khfkggln.tmp  alg.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Internet Explorer\hfoijjjp.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javaws.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\7-Zip\nccafaqk.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\7-Zip\gkooamha.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  alg.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Google\Chrome\Application\elidehmc.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Internet Explorer\iediagcmd.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File created  C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\program files\common files\microsoft shared\source engine\ose.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe  alg.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\Internet Explorer\ielowutil.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
Drops file in Windows directory 4 IoCs
Processes:
description  ioc  process
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  alg.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd7c3377bafbda01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bee5c7ebafbda01  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd3a2d76bafbda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035ed1e76bafbda01  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044b12376bafbda01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  SearchFilterHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6dc7377bafbda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000631c1277bafbda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"  fxssvc.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035cb4177bafbda01  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3c69e77bafbda01  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089f2ff7dbafbda01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml  SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
alg.exe
pid process
696 alg.exe (all 40 entries are this same process)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660
660
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe, fxssvc.exe, alg.exe, msiexec.exe, SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 2808 3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
Token: SeAuditPrivilege 1144 fxssvc.exe
Token: SeTakeOwnershipPrivilege 696 alg.exe
Token: SeSecurityPrivilege 2580 msiexec.exe
Token: 33 2092 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe (repeated for all remaining SearchIndexer.exe entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 2092 wrote to memory of 2952 2092 SearchIndexer.exe SearchProtocolHost.exe
PID 2092 wrote to memory of 2952 2092 SearchIndexer.exe SearchProtocolHost.exe
PID 2092 wrote to memory of 2488 2092 SearchIndexer.exe SearchFilterHost.exe
PID 2092 wrote to memory of 2488 2092 SearchIndexer.exe SearchFilterHost.exe
-
System policy modification 1 TTPs 2 IoCs
Processes:
alg.exe
description ioc process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
"C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:696
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2248
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2608
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:1572
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2600
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2144
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
-
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 2092)
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2952
-
  C:\Windows\system32\SearchFilterHost.exe (child of PID 2092)
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  - Modifies data under HKEY_USERS
  PID:2488
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.9MB
MD5 7d0b74452b5b82e0fe2e28e2c1fd2029
SHA1 4cca205c74ccba317461a0445a96685e8089a775
SHA256 5a9709e68aabce988c8d95e2ece4bb55eb29497c2052fd6e605ca0d231d78816
SHA512 f24895a21c5059fb3e1f0d868cf661584c21f5f82fc57af6f6095f326f0f3479edf4ca700ed65f59039df94f4db069032f202e3c4349dd15c51b2c1e82637bd1
-
Filesize
621KB
MD5 394bd4f3344fedac858e3b3e930f615e
SHA1 4073b6b6f08e515c4efdb2c3be235c52e51563c5
SHA256 c1beeea028eeba2670dfd6f8484c0973120e734f1e65000931bc62e5933eb764
SHA512 66fc9703e034212b640fc8fcecbb9e8b91af7a1ab5d3007e3da5d77a4d3012419befbe616e10ec4530d4ea94dac31b2407bcfcae848dfce966f588205b0deb4b
-
Filesize
940KB
MD5 04aeac909638aee43acddb5833fc4207
SHA1 7c0096ef3ea0cf44b09eb0f68195b42affa10742
SHA256 cfa2841d5733044b25bb8b680ee41e412ee645ee5f4b7d87fead672fed0e3551
SHA512 2113a05de97738be2a0721ff53360e31c8a2258d9078639ce0a20a763a2fad6ee26365824eaa57e435108c8891428a8904636ec4851271a2e40556f57354c006
-
Filesize
1.3MB
MD5 205cb92b74171f11a46bf5d625af1aa0
SHA1 7654ceccc5d9220eea1ddf663d18b2a48c65f863
SHA256 c9a28e50d2b57896e185063f215bba980304ea23cda9b83d84f82878e756241f
SHA512 54f7b81b2909352182b28c469b4817fce830ce34df0b2e9b446de00317f7f4d509fe28e0e2794ff9e397b658e4ddc689c361a916c5d02d13618bf7dd345f599c
-
Filesize
1.1MB
MD5 dea09547ba96de90d61b37adf0b4fc67
SHA1 ba9be74b45649f9a812eb9402169918170607577
SHA256 da10496491cc0ff8faa1f0e35c616672533a1cabde7d68dbfda809a080773da6
SHA512 8cf851bd1407f176432cca16e39b3c6d94e22e984ea41c8039f93318c5e5472511ceb27a434670078bdce68f460074bf384b786af6eeb75f8eff6ed2800b0954
-
Filesize
410KB
MD5 7776832995b3e30f757beb5d66433f38
SHA1 128acb25bf1d2919179930edf9b75b6d940ea9f3
SHA256 41b1081c1efa486136d91e0d10b17f52eddf12e425aa9b17a0490dacc5041044
SHA512 8e87993512124110ca6f5fc256f8a645c5ea16bdad57c621e0e56d2ca1415ae17ea57eb552cf5b2366d530d1b44c920845a5b7ad310d5e9f00861099440972be
-
Filesize
672KB
MD5 8748b307e297382f5fa5eb44ebb2a971
SHA1 a521155634a5f8b05c32b96edee41b52031e342a
SHA256 81a80f827eebc82aaf174af86e773cd0bef6e5726776ac360fde5a4cc1ec02b2
SHA512 67efccbf9c73fe517614983a32b1da39a38314c15b151909f1fa94f910203a2ccc769cbc631b493f9d90390698509b10deeaeb63209d18fcd1d523b5c4c3cee2
-
Filesize
4.5MB
MD5 c5c148ea805961f1b3f92e4f662142af
SHA1 594f3c81e9047c47676cb4387114a66080b920eb
SHA256 26b525d0f45c10a23bf4c3487a2c4a1d8ebe16115a9d16a0ba0ec7705e835838
SHA512 1df40ce6754694bda85dbe84f8ab9d5e26d571de3107ec1e81313e1bc0d7fa79e655711ef6a7b8fea9928d01441d6caf0188d7e562b4a9582e5fd15f51a7f385
-
Filesize
738KB
MD5 2c85e12bf48cd47f0f7603a46a649a66
SHA1 d594947d16d029cdd8e8fd0a98dcff1eb00b9938
SHA256 8190c49e50d5fdddb6e253edda5b408f60cf1bc54c7e754504fbf1455dfa8a23
SHA512 b1ac1d870c61346906a2f59dc14d55d54a11091421c061b1f7c3f19c8db49d9fb21dbf0848f90fa518edbd98951ec412f923b70084d9787589fad6bccbddae01
-
Filesize
23.8MB
MD5 5d6800283fc0a339b9dcaf17168a7ed5
SHA1 aee8ffcabc943b6135008b0c7febcb4bc95e49e4
SHA256 e7d6495c99ca67d737463f8c251d5b7abe7f829cdb0dc0d7d33b029a935ad12d
SHA512 47a3f03a31a6cc3239bc24f1c8543270129e69a425093676e515eba57417d5a963d1373935b4f3b8b8e29686d425d737cf18761a2488dc1d7b57b4629bbf3a59
-
Filesize
2.5MB
MD5 ac0897d022d3c27248370685370ae1ec
SHA1 24bf22db804346de25d32f4eaf0a34ce2f583e4c
SHA256 143f6a0d9e2e73ea44fd8eb1e55dde308c7c90bdb9cff88bc16bb65be2ee683d
SHA512 42dda251364cc78866c2f1746d907be2256774d5b3430d6f6d582d51a7f222a46cc57b4ce6ba4113c756cf51cb71fa097a350476f40b5f558a1e00a204a67987
-
Filesize
2.0MB
MD5 a9b87b127961bffb729578b7e3a41375
SHA1 e43418e1bee7971fa535c67b0caf1b8caf8ed79d
SHA256 fbad2ded5111b67b5c92d2cbbfda1ea0a18eadbe6091df9b50dfd1d019d887be
SHA512 2a61aa23bd176b90fa3f6955d457f50c095f050fb5d511c55c0dd94add6b21454d06856bc5905ecd31d7617820f6bf17b335b5191c22504030392d413218e418
-
Filesize
625KB
MD5 bc4c920812a5c6adda5e824c5186119b
SHA1 9fd94462f5319ec6bfd83ef0ba373f9f56d49f73
SHA256 065bc6d48047c3e2a37efd894e66d2a127b024b9cda05c13a77ba4270d281a72
SHA512 3369210915b62cfd9f9076d95c7e2eb26b51524b1dd8e5c3b5a3b0453cef91fd5a6c18772538b9948b01ad17d0d2b6d3468fa7d8ceefc8c504e865ae1685af42
-
Filesize
818KB
MD5 bdbb786bfbaac43d6ad1d5127c53b723
SHA1 83b5878593d4050914edec3e6c32311fee196635
SHA256 2c06128e9f551b4b61257e19d605af9f32b76aef17178e6d353235ee41c90d5a
SHA512 304e979d6fbccab74614542ebe3e85b33f6af40866758b4cf570a43746ce3c81784b0d789b8a5bcfbbfd67ae12f93de27ca352eda08eba6bf4aacac4768be808
-
Filesize
487KB
MD5 20e878859fc9f023b26ad656e69301c4
SHA1 f0c25d98a2a052809b59b0bb46d285eb6f8f01d5
SHA256 814ad5c2f5635962c5c6c6765b489d116e116df357cf70429e3bde5fa10b4c4d
SHA512 b5d5cd7d6980da62368aa0788e85599db041e7407e3ea5570956c235c28d3e071cd76851c23ea349ac7732e081e0f00b4d66926bff6b338fba0e2a3651a829b7
-
Filesize
1.0MB
MD5 b9bc05f0fae4a3ba4c63a60e93a28ac2
SHA1 791f9c640903fc411627936e103e072f4a76d3dc
SHA256 22c212c69876196d117f543df3263f3b9b39fe379493741b262d1667745a927e
SHA512 9665292c63e0ae36465d0f61c2b1ffdcdeabd6803be0e9beefe16569a10eef43103a354b8b62a2129f4cd391570af32fb12cd48e805673c7a0d7a70c6bdbd858
-
Filesize
1.3MB
MD5 fdb90b061d9db265d0f3570cada5b2a9
SHA1 5627d7934101fce9b3b0e497c4bf5c79a699e649
SHA256 37bb254012a27f32ea8892afe4194b90232021e17c3db52faf348bd534e6544a
SHA512 65eae1526b2f07f1686d6b2194ae94d497e08545fd1e18a18d0922a421108141fecbc5eab798df74571479d316b13ab89a26fa9175f1e1fb10b2713b2c62764d
-
Filesize
489KB
MD5 fd9f5d8b1fbf9be94a640c346bafcd38
SHA1 28f90561cd1cf966af7826bea4604870179bb719
SHA256 ca25d0890a9dfbc683a6f07650701e91765cea4e118e5c9e70fd1a20481981aa
SHA512 0a24351d33c6faf48b07c8f957158f43e2af3b0a1d20946a2f01401e8347b6501ecb1d5450a361923e9176cf5e5b1f878223bbd1701e198a27ffc47055bd5378
-
Filesize
540KB
MD5 b8b5e6a643c8069d37fe3fa68db485e7
SHA1 5844e976bf42bc90cbcc2e2954adaac92b2f710b
SHA256 5e95f41f0a0738e03a8fdcb8aba713f8190703e584ef177650b94d4b4313c6a7
SHA512 c7aaa8f63f079d40d623ceeef75d0bb60295c26dc482c2054ce2d9ffbb0071987b012156f4b1ac93baa0bcfa69a35c5edad15a922a4049b51a5ad3712f2cc29f
-
Filesize
463KB
MD5 c6b0750173859425708c0a356fb74377
SHA1 1087c8eade1af80be55df01d8dc7141e3aad090d
SHA256 aa0d4880d42e29f8ec2a597136b9d6f27080543c49fac73bc228d37a38fa747d
SHA512 b0a46347d2c828d7bcf27c6bb77d7c1625d2fbf26a5ce154dc7e8445a50fee717671b19f9289daea9d0a926805abfe9a169039f0ba49785c9d863b795afd7913
-
Filesize
637KB
MD5 113741dd913ba16272df427ca7680d3a
SHA1 994d13cad760f05c50241c1d6a926afcb0888cd1
SHA256 2f0d454a5be3edea590fb5bca7e5846fc72508177d29c21c598288b3dbbbfab6
SHA512 ae56289c5dfce89d78be98c93cab377c95a83ce47b4a4a22deca3ed987737c42841321823c0fca41268e739b522b10acee71b9ed659c1c74481a4d604fc953e8
-
Filesize
1.1MB
MD5 51c63fbc53ec639ce19309376fcd8f40
SHA1 2299ef2f99ab7754872e0c26e517a51cac4ff5b7
SHA256 c1094cd63b7f24d515379204b06c27788729f35dc06a537ed344300e419eef61
SHA512 42aee4599b183f41de8d6d3f78f85cd5f93dc36801da330cfee24cbbffb65937b7c7a668758a5c4033b18eda8b93f22121deacd685a83f6e8ce0d6dc40f0bff1