Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 12:59
Static task: static1

General
Target: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Size: 625KB
MD5: 90180f284c1a5dc94ac94cae1dbdbfcc
SHA1: dbeb50c4cf66722a01bc391c225bb930354a3fc4
SHA256: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf
SHA512: 4109c76b5d8c5cbe1a096e6ecdba4ff4813991d8471c85c0ff75f70be7aa20afe35f83bbc4d2019a9ea100dd5d2654d773b637f84c1ba66d0144223f9fd50a04
SSDEEP: 12288:KVt+w8wyv/f66WoJMDMz+jEcRm0gVVbXI4cvsnFiOk3CwgQ51:It+w5yvDJB+jXm0a5TnFiOk3BV5

Malware Config

Signatures
Expiro payload (5 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1676-0-0x00000000004BC000-0x000000000054F000-memory.dmp / family_expiro1
- behavioral1/memory/1676-1-0x0000000000400000-0x000000000054F000-memory.dmp / family_expiro1
- behavioral1/memory/1676-3-0x0000000000400000-0x000000000054F000-memory.dmp / family_expiro1
- behavioral1/memory/1676-47-0x00000000004BC000-0x000000000054F000-memory.dmp / family_expiro1
- behavioral1/memory/1676-49-0x0000000000400000-0x000000000054F000-memory.dmp / family_expiro1
Disables taskbar notifications via registry modification
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1194130065-3471212556-1656947724-1000 (alg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1194130065-3471212556-1656947724-1000\EnableNotifications = "0" (alg.exe)

Executes dropped EXE (10 IoCs)
Processes (pid / process):
- 408 alg.exe
- 1516 DiagnosticsHub.StandardCollector.Service.exe
- 728 fxssvc.exe
- 3000 elevation_service.exe
- 548 elevation_service.exe
- 4800 maintenanceservice.exe
- 2072 msdtc.exe
- 4296 msiexec.exe
- 3608 SearchIndexer.exe
- 4104 SearchIndexer.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Drops file in System32 directory (64 IoCs)
Processes:
Drops file in Program Files directory (64 IoCs)
Processes:
Drops file in Windows directory (4 IoCs)
Processes (description / ioc / process):
- File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe)
- File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (alg.exe)
- File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
- File opened for modification: \??\c:\windows\servicing\trustedinstaller.exe (39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes:
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes: alg.exe
pid process
408 alg.exe (all 40 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 652 652 -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe, fxssvc.exe, alg.exe, msiexec.exe, SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 1676 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Token: SeAuditPrivilege 728 fxssvc.exe
Token: SeTakeOwnershipPrivilege 408 alg.exe
Token: SeSecurityPrivilege 4296 msiexec.exe
Token: 33 4104 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4104 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4104 SearchIndexer.exe (this row repeats for the remaining 24 events)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description pid process target process
PID 4104 wrote to memory of 3672 4104 SearchIndexer.exe SearchProtocolHost.exe
PID 4104 wrote to memory of 3672 4104 SearchIndexer.exe SearchProtocolHost.exe
PID 4104 wrote to memory of 1584 4104 SearchIndexer.exe SearchFilterHost.exe
PID 4104 wrote to memory of 1584 4104 SearchIndexer.exe SearchFilterHost.exe
-
System policy modification 1 TTPs 2 IoCs
Processes: alg.exe
description ioc process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:408
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1516
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2276
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:728
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:3000
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:548
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4800
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2072
-
C:\Windows\system32\msiexec.exe (level 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
PID:3608
-
  C:\Windows\system32\SearchProtocolHost.exe (level 2)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2164
  -
  C:\Windows\system32\SearchFilterHost.exe (level 2)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 808 812 820 8192 816 792
  PID:1440
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
-
  C:\Windows\system32\SearchProtocolHost.exe (level 2)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:3672
  -
  C:\Windows\system32\SearchFilterHost.exe (level 2)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  - Modifies data under HKEY_USERS
  PID:1584
Network
MITRE ATT&CK Enterprise v15
Downloads