Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 10:39
Static task: static1
General

Target: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Size: 625KB
MD5: 90180f284c1a5dc94ac94cae1dbdbfcc
SHA1: dbeb50c4cf66722a01bc391c225bb930354a3fc4
SHA256: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf
SHA512: 4109c76b5d8c5cbe1a096e6ecdba4ff4813991d8471c85c0ff75f70be7aa20afe35f83bbc4d2019a9ea100dd5d2654d773b637f84c1ba66d0144223f9fd50a04
SSDEEP: 12288:KVt+w8wyv/f66WoJMDMz+jEcRm0gVVbXI4cvsnFiOk3CwgQ51:It+w5yvDJB+jXm0a5TnFiOk3BV5
Malware Config
Signatures

Expiro payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/4028-0-0x00000000004BC000-0x000000000054F000-memory.dmp | family_expiro1
  behavioral1/memory/4028-1-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
  behavioral1/memory/4028-3-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
  behavioral1/memory/4028-48-0x00000000004BC000-0x000000000054F000-memory.dmp | family_expiro1
  behavioral1/memory/4028-56-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
Disables taskbar notifications via registry modification
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2718105630-359604950-2820636825-1000\EnableNotifications = "0" | alg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2718105630-359604950-2820636825-1000 | alg.exe

Executes dropped EXE (9 IoCs)
  pid | process
  4540 | alg.exe
  732 | DiagnosticsHub.StandardCollector.Service.exe
  3164 | fxssvc.exe
  4052 | elevation_service.exe
  1384 | elevation_service.exe
  4896 | maintenanceservice.exe
  2940 | msdtc.exe
  4516 | msiexec.exe
  4112 | SearchIndexer.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 42 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (5 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | alg.exe
  File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | alg.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid process
4540 alg.exe (42 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 656 656 -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 4028 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Token: SeAuditPrivilege 3164 fxssvc.exe
Token: SeTakeOwnershipPrivilege 4540 alg.exe
Token: SeSecurityPrivilege 4516 msiexec.exe
Token: 33 4112 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4112 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4112 SearchIndexer.exe (24 occurrences)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 4112 wrote to memory of 4792 4112 SearchIndexer.exe SearchProtocolHost.exe (2 occurrences)
PID 4112 wrote to memory of 2548 4112 SearchIndexer.exe SearchFilterHost.exe (2 occurrences)
-
System policy modification 1 TTPs 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4540
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:732
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2616
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:4052
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1384
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4896
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2940
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 4112)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4792
  C:\Windows\system32\SearchFilterHost.exe (child of PID 4112)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  - Modifies data under HKEY_USERS
  PID:2548
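The service binaries flagged "Executes dropped EXE" above (alg.exe, fxssvc.exe, msdtc.exe, msiexec.exe, SearchIndexer.exe, the browser elevation services and the Mozilla maintenance service) are not children of the sample; they sit at the top of the tree, which is consistent with a file infector overwriting binaries on disk and the Service Control Manager later starting the infected copies. The following PowerShell is an added triage script for a suspect host and is not part of the sandbox report. It assumes an elevated session on the host under investigation, uses the SID from the report's own Security Center IoC (replace it with the affected account's SID), and embeds the SHA256 values from this report's Downloads section as a hash list; those hashes only match this particular infection, so the Authenticode check on each service binary is the durable test.

```powershell
# Added triage check; not part of the sandbox report. Run elevated on the
# suspect host. Assumption: the SID below (copied from the report's IoC) is
# replaced with the SID of the affected account on the host being examined.
$sid = 'S-1-5-21-2718105630-359604950-2820636825-1000'

# 1. Registry values the report shows the infected alg.exe writing:
#    HideSCAHealth = 1 hides the Security Center icon, EnableNotifications = 0
#    silences its notifications for the user SID.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';       Bad = 1 }
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Security Center\Svc\$sid";                 Name = 'EnableNotifications'; Bad = 0 }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
        Write-Warning ("Registry IoC present: {0}\{1} = {2}" -f $c.Path, $c.Name, $c.Bad)
    }
}

# 2. SHA256 values listed under Downloads in the report (sample-specific).
$reportSha256 = @(
    '57fb8b571ce81a54fb71b472aa33c32325a499e8dda26de3603318ecd616b304'
    'b2a9c6342c614e58d3560b73a74df7999a6875840a242a6ed618c0d927b14430'
    '592b2864c29fab1a80d6789ce9e647c59b23809a4323499a43e63682dc3c25e7'
    'e8d59b85e7a5efaafc9a5dfeb62f0e876567650acc11d8925635379268b6d651'
    '3b25dbb38185eb6501a47022e579e9a63befbbf9217aa7a27b78e068bf50d868'
    'f7cd9fe1474a7e96cdf8029043d1641d76478b6caecb27253546e01d1e8e396f'
    '59742c6b75db910ede74740bbd1f4acdb92e6a1b9e85197c21ec96609fd44011'
    'a477d3fedbb1cf10a251e05e7c2a9538fceffa463b430cc8faff19ee4bb9d691'
    '9661f8b126bb3e8f7450f6a41da24f5958cc48a44bc6c5ffeb40742a929c701a'
    'c147e846f372f5b696ced2bea6d03beb1210b04b890a54781f25b387cbafabcd'
    'ae8d09070e85210d7d0382d6ed2b3c375d1c0eb80c0b75c4752db5aafea94ab9'
    '6506aa2a65ef53b273f710c81980a40d0b7da121c3f8f6808f14ff88685fe2c5'
    '6571434c915b6cf37a73e9f92806b617a10773d0b87d67b57af1faee20c204ff'
    '4eac4b15cee40543d7140bfd6c3d74f284b73f6f99609f5a55d9c75cb15440d5'
    'fb4f8187cfbe5c5cb35bbc45ce4810c61dd4bb877ed16c137bfaec23ca5b9562'
    '4ac0a4a6b4886762fb527f3f4140aef1eb38faa336736b51f7fb6299ea305ef2'
    '9ea4fdf917738f7e10c441559afdaced8e016ae6a63bcc7c725d73e61de9a533'
    '51c1beb8841e227a680ff21ac571737654ecc34ace329c08b559fa51a9349ce6'
    '2935b20e4c9dc38d0ac26689face0041fc7209b5c658e13cd001bf9cc5f2cfac'
    '7a97abf004217d442d101e21b265409935bfa5bfa144b581804e54d2e667e399'
    '7afbbeac914162e3a9c92fe96e536e243d661cbc3d04c8ebdb2ee83e6c55cc4c'
    '177fcb1534f7f581f7c960c4fa602d749341aeb5ad999ec50c4753c468d550cb'
    'fa7429a5dfef0c78547781ee5efd62bceabf1849fbaef708a9e340ebe5596929'
)

# 3. Service binaries the report shows running as "dropped EXE". An infected
#    copy no longer carries a valid signature, so the signature status is the
#    check that survives polymorphic re-infection; the hash match is a bonus.
$binaries = @(
    "$env:SystemRoot\System32\alg.exe"
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe"
    "$env:SystemRoot\System32\fxssvc.exe"
    "$env:SystemRoot\System32\msdtc.exe"
    "$env:SystemRoot\System32\msiexec.exe"
    "$env:SystemRoot\System32\SearchIndexer.exe"
    "${env:ProgramFiles(x86)}\Mozilla Maintenance Service\maintenanceservice.exe"
)
# The browser elevation services live under version-numbered folders; glob them.
$binaries += Get-ChildItem -Path "$env:ProgramFiles\Google\Chrome\Application\*\elevation_service.exe",
                                 "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\*\elevation_service.exe" -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty FullName

$results = foreach ($path in $binaries) {
    if ([string]::IsNullOrEmpty($path) -or -not (Test-Path -LiteralPath $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Path         = $path
        SigStatus    = $sig.Status
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        InReportIoCs = $reportSha256 -contains $hash
        SHA256       = $hash
    }
}
$results | Format-Table Path, SigStatus, InReportIoCs -AutoSize
$results | Where-Object { $_.SigStatus -ne 'Valid' -or $_.InReportIoCs } |
    ForEach-Object { Write-Warning ("Suspect binary: {0} ({1})" -f $_.Path, $_.SigStatus) }
```

Windows service binaries are normally catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature validates against the system catalogs on supported Windows versions, so a stock Windows 10 host should report Valid for every System32 path above and any NotSigned or HashMismatch result on one of them is the actionable finding. A hit on the registry checks alone is weaker evidence, since the same policy values can be set legitimately by group policy.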
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.9MB
MD5 fda8474b548c77d02afdafc72a203d0d
SHA1 aff0ffd4888b783c3739af0035ae8376c9481401
SHA256 57fb8b571ce81a54fb71b472aa33c32325a499e8dda26de3603318ecd616b304
SHA512 683533f72326ba64446c296d2fdd51fe58230328a8b39e6ea30337d3ad4529f622d3fe5696fd26ac3529111800e0b5457ae952d3f767af0fc5e9e2184fd393b7
-
Filesize 621KB
MD5 7aa5baf72deaa6d2d74b2477a1bf1ade
SHA1 bfd25518baa095401f618ab9b2de643ce9ce0e49
SHA256 b2a9c6342c614e58d3560b73a74df7999a6875840a242a6ed618c0d927b14430
SHA512 bea71bd2af406239b2d22f52e73ede3fbb420ae1bee7d2c1e1ffb1eede6154e995f8fbc9680b63fdfef45fb040dc4e257dc0a2429e5706eae99fa514fb22f623
-
Filesize 940KB
MD5 d37b4746a153abe6008218dec220f462
SHA1 a473b1701862c1c79207d7bb39291f3e37ce0db6
SHA256 592b2864c29fab1a80d6789ce9e647c59b23809a4323499a43e63682dc3c25e7
SHA512 5d64373cb70fe1acace04ffd8ab279ac74e28f0c415ba0355534082abbd9cb7609f537fab249a2af4e11ead0968e461c6fcfd2082a0220cebeba1f4ab873b714
-
Filesize 1.3MB
MD5 ae644316de57b0c8bf380100fdf6201b
SHA1 8e0ed2070e0a948993a6a80a58d5ad2913430d06
SHA256 e8d59b85e7a5efaafc9a5dfeb62f0e876567650acc11d8925635379268b6d651
SHA512 d254be661526154c2c2e028371e53759d8ab674945124015408b6878e207c35293f222a8edc50384b7baf8ee1c026810d6fb42cb6aae761175138fcf5a8bb182
-
Filesize 1.1MB
MD5 cf4b2a7fec07e59a61682fda102494a9
SHA1 8888ac4294f0e4299df1453aa02928261dd597dd
SHA256 3b25dbb38185eb6501a47022e579e9a63befbbf9217aa7a27b78e068bf50d868
SHA512 69f14a52e396cec44cd499041a80f14cf305a5a2405242d09846881e179dd1e86c9a8201eccd45d177a408641162c9599fdcfc102998247f832cb9b4ca36ec8e
-
Filesize 410KB
MD5 4e3d1b52c0977001b717300355b600cf
SHA1 e3615160362af023a082b00f68ae9981437cea10
SHA256 f7cd9fe1474a7e96cdf8029043d1641d76478b6caecb27253546e01d1e8e396f
SHA512 855c4cc6eb21293b02e1f44a8e46855497054e5d4af3b8279d9eaec89f3d2c9e8ee93267634d97ff7ea85f6be00a04019906f4b58a104c630338997ae5ceadf4
-
Filesize 672KB
MD5 ebaf6ab801a8bec40079f34477886c85
SHA1 36eea4c2c5bbb26327f4ec0f4c0c05831f167134
SHA256 59742c6b75db910ede74740bbd1f4acdb92e6a1b9e85197c21ec96609fd44011
SHA512 eceb94773f02f466141e9563fb00bd6d5c4bc3261e7097b3f20386700d5b279bd438ad74fc807d3ed75040acdd2ff6292207e16a50badbf4a59bcabac41bab5f
-
Filesize 4.5MB
MD5 29d58cfec058511f5c97e5342d8aac13
SHA1 e8bfce0354a518e444c2397abe4700855515b676
SHA256 a477d3fedbb1cf10a251e05e7c2a9538fceffa463b430cc8faff19ee4bb9d691
SHA512 ad6f3edf5cbbd92a711c0fcc465056b6a7e66389a68df81e33f71958d8cd470ac69e81e582aa350ae676cb07e428babbf2f8e9763fc186d8dec79561081eff10
-
Filesize 738KB
MD5 b95a3115be79e0a681e206df9d2a70f0
SHA1 646946a39585c2f6b2234edd60dcc8e2fcf512d8
SHA256 9661f8b126bb3e8f7450f6a41da24f5958cc48a44bc6c5ffeb40742a929c701a
SHA512 5081618735bf94cbc9eb5f47e49101aa9d534c8958fd1d4a6a7a363df46c0ce10b89ec73c47e60d1ffe5e6aeaaff1883f942f716cbd00790f0dfcf95f2663602
-
Filesize 23.8MB
MD5 a14df0b641a9d2b9941d492749fa4744
SHA1 a126c239d21f0478ff61a601039faa868e1d4a04
SHA256 c147e846f372f5b696ced2bea6d03beb1210b04b890a54781f25b387cbafabcd
SHA512 b995a37bc8dc313bda8af0f174cc2d6f97340661d1b35a4169420dc1a3bf4ef61553a8734ef8da419865d65e1a84394082fba43843b4da9372c2c7cfaf9f7d54
-
Filesize 2.5MB
MD5 cd98bf3cf0569b3979037e8460f89245
SHA1 9ef80255655214f32685c42aefa33c39737237cd
SHA256 ae8d09070e85210d7d0382d6ed2b3c375d1c0eb80c0b75c4752db5aafea94ab9
SHA512 0760868de032a8c64497988e47b59061895e74e9dbb21ad57fba6f33d3602f344f3b1602df0937a6fda9572b7e86fcf68e3e5d95f3e2656bb51392d7f8ec49ff
-
Filesize 637KB
MD5 246f82ad1ef21f759220a1a6c8476966
SHA1 3a9f6ac2dcbe45757fa0ab9cccdaa13fbd7242b7
SHA256 6506aa2a65ef53b273f710c81980a40d0b7da121c3f8f6808f14ff88685fe2c5
SHA512 8eac3e0ac2a93097e944c3c8b358a4c7ecd62f7c705a2797e9450515e4c38caf536eece7fb693ba9df1a4e440813a094731dc3fdb9c1caa503d4ff29cada220e
-
Filesize 2.0MB
MD5 36d55fd337a2eb640146bfba9f45fa89
SHA1 5216d49886fdd039bbc1e3a5723dc3dab7a03d5f
SHA256 6571434c915b6cf37a73e9f92806b617a10773d0b87d67b57af1faee20c204ff
SHA512 0152fc5f35236ecd232543a5317ce1e7b4ba04bd8e0760526cf97d4bdf2d8f0a4a11da61ba4ebc92643d204f0df911c5ae109691d8fbad35f750335895864787
-
Filesize 625KB
MD5 c65c4dafe1bac11e3e2a49b3dc22575e
SHA1 ebc3516e55af5449e428ed732040f2e2d3275db0
SHA256 4eac4b15cee40543d7140bfd6c3d74f284b73f6f99609f5a55d9c75cb15440d5
SHA512 44dfbea4cb7a81df543abca97d8f28c98a3206c0e3a8333eee58d2a0bd7b2f22676f5a600063000890b85f352b00fb1e0f4deb20f9c83ea14fad42c36881868c
-
Filesize 818KB
MD5 5dfd927d1bf3b6e44cbd232bd1e7cc47
SHA1 667957f4a82527478eba4c8e9dc1cc854853a3b2
SHA256 fb4f8187cfbe5c5cb35bbc45ce4810c61dd4bb877ed16c137bfaec23ca5b9562
SHA512 91430f63a22195c0983ba31fca165dab380b8ff678755ffb19078af1976b176ea60c652ce707795e86616fee5bf19f5281ba04b779e70a6b1dd9f84b07427c4b
-
Filesize 487KB
MD5 e0e6c4e0b12a1dec1e93dc63e46b5d8c
SHA1 ee065af21c2c1692e7ac851ff3775e6918088aa9
SHA256 4ac0a4a6b4886762fb527f3f4140aef1eb38faa336736b51f7fb6299ea305ef2
SHA512 2574093acad92bbf10a50f3980a74feb7d40275ca49c5007c3f2eb395ef489b3fccd623968bca3a926ffca07cc27365ad31b1bfeeabb8f5a7b760f8cff810755
-
Filesize 1.0MB
MD5 837a31332efa26e43fab43b9615423cc
SHA1 5f5521c6ec3fd3baf3d50421e57a0bf8b0155a9c
SHA256 9ea4fdf917738f7e10c441559afdaced8e016ae6a63bcc7c725d73e61de9a533
SHA512 8c1bb12b758f08f9fccfe12fba4477f26143b743bd18fce5e44cd13cd5935f801d2c12d025351c48e8d55cc235040b6d1fc78d90d9de7b05402dc7a5ba34da34
-
Filesize 1.3MB
MD5 38d541bcd2f4a3e42203bdf41cfdaad3
SHA1 73e8cf5fe0a1f5f996c68db840d754b605d1de75
SHA256 51c1beb8841e227a680ff21ac571737654ecc34ace329c08b559fa51a9349ce6
SHA512 57be56fdd84597b74af3d61eae5e7cc77830ed018d69376d314ec1a38cf9bc6acb07563ddbcbb8efc0b7010e9541489a3b82af57cf62553ecfc554fba62236bd
-
Filesize 489KB
MD5 6142e0b44fae115cf7913611bf36a4e6
SHA1 f6be0c06432210068f8c9fa59cda87e230dc4610
SHA256 2935b20e4c9dc38d0ac26689face0041fc7209b5c658e13cd001bf9cc5f2cfac
SHA512 41d17e66a6c58a93da04ba1009b7d2ca324d5572cb8c54b35b764c2a47b133d4c4edd2ac5c79b1f24a641f6dce464f091788d166585d685821fbf61803fa0276
-
Filesize 540KB
MD5 cf6f7808f27bbcb386f19fe55c591028
SHA1 1cfdd5e85ad4471f465aeaef078f023168bbe2a3
SHA256 7a97abf004217d442d101e21b265409935bfa5bfa144b581804e54d2e667e399
SHA512 08ca153cda10e6ca387041edb994a58c4b664f15e394aae67c6de85669ff45dc08b02bbf75520358e1f69b19166d62406f1e018e480ac8bef31707b7b792ba74
-
Filesize 463KB
MD5 fe9be458f03957306533e12a9a2b2256
SHA1 6f44fd9d09e9af945c46bd231780038fd1526a34
SHA256 7afbbeac914162e3a9c92fe96e536e243d661cbc3d04c8ebdb2ee83e6c55cc4c
SHA512 96cc06b956083289fac1de52ef6928e77ae31f76938f5d941c92b8c8cda01af25fa305e40b52b90c824751a571424c0a28e3f5cb6de799afbfed4b84f16a9149
-
Filesize 839KB
MD5 91c60a5d9af9ec13645cc8b342e241dc
SHA1 4c16057c76f187e1528b0bd5131812ca226d0620
SHA256 177fcb1534f7f581f7c960c4fa602d749341aeb5ad999ec50c4753c468d550cb
SHA512 dffee364b8faf3930c7f84d092e5128c001d8b35efd4cf079fec0d5e9564148657040c9a80ca894dc07a15f7ee171086ebbc58ba89a532d27f7ce59442dc0e6c
-
Filesize 1.1MB
MD5 7c8d4ddeabb5a49a045d4723923d323a
SHA1 52f1683a53233af3a6345275cbaebf76538c3fc1
SHA256 fa7429a5dfef0c78547781ee5efd62bceabf1849fbaef708a9e340ebe5596929
SHA512 fb64fc86ce62916e1cda02ff822c73e5baee5ee91d8ee18aec0680acf05df660b4425ada9549973aaba12b111630eeaf257416401a01cfd35ec0e3069b99470e