sality | f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2752-1-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-5-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-4-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-15-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-14-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-20-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-16-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-7-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-13-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-3-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-6-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-23-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-24-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-25-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-26-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-27-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-29-0x0000000002340000-0x00000000033FA000-memory.dmp	upx
behavioral2/memory/2752-50-0x0000000002340000-0x00000000033FA000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\e57921e	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
File opened for modification	C:\Windows\SYSTEM.INI	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Vous avez sélectionné %1 comme voix par défaut."	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja - German (Germany)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\NumberOfSubdomains = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-3082-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5248260"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Female"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\MSTTSLocjaJP.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\c1041.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "804"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1040"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\L1040"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1041"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40A;C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "You have selected %1 as the default voice."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Paul"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
Token: SeDebugPrivilege	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4776	SearchApp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
4776	SearchApp.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 780	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	8
PID 2752 wrote to memory of 788	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	9
PID 2752 wrote to memory of 316	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	13
PID 2752 wrote to memory of 2860	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	49
PID 2752 wrote to memory of 2936	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	50
PID 2752 wrote to memory of 2988	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	51
PID 2752 wrote to memory of 3380	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	56
PID 2752 wrote to memory of 3536	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	57
PID 2752 wrote to memory of 3736	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	58
PID 2752 wrote to memory of 3832	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	59
PID 2752 wrote to memory of 3908	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	60
PID 2752 wrote to memory of 3992	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	61
PID 2752 wrote to memory of 4176	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	62
PID 2752 wrote to memory of 372	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	75
PID 2752 wrote to memory of 3624	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	76
PID 2752 wrote to memory of 4200	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	81
PID 2752 wrote to memory of 780	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	8
PID 2752 wrote to memory of 788	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	9
PID 2752 wrote to memory of 316	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	13
PID 2752 wrote to memory of 2860	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	49
PID 2752 wrote to memory of 2936	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	50
PID 2752 wrote to memory of 2988	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	51
PID 2752 wrote to memory of 3380	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	56
PID 2752 wrote to memory of 3536	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	57
PID 2752 wrote to memory of 3736	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	58
PID 2752 wrote to memory of 3832	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	59
PID 2752 wrote to memory of 3908	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	60
PID 2752 wrote to memory of 3992	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	61
PID 2752 wrote to memory of 4176	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	62
PID 2752 wrote to memory of 372	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	75
PID 2752 wrote to memory of 3624	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	76
PID 2752 wrote to memory of 4200	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	81
PID 2752 wrote to memory of 2844	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	83
PID 2752 wrote to memory of 2844	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	83
PID 2752 wrote to memory of 2844	2752	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe	83

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2936

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2988

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe
  "C:\Users\Admin\AppData\Local\Temp\f95bef472a4a27173950a59fbadfe3caf2afcbd27d52afa9503e415a1fb62c75.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c \DelUS.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4176

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3624

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4200

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:3620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:3388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery