Analysis
max time kernel: 152s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2022, 05:09
Behavioral task: behavioral1
Sample: d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe
Resource: win7-20220812-en
General
Target: d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe
Size: 524KB
MD5: 6c53c0eb989f30db89ea1b91fb449d9e
SHA1: 1efbdc78a91f98cfc00b00f0633938cda0a0733d
SHA256: d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231
SHA512: b404cd76199ead886e99efc228537487ff8f7d3228c5891fb1fb59273d876622b306a59874e6740976939ef39506303da9f876935bb8bd6bc655271a8ca1ef78
SSDEEP: 6144:g1F5oXpcFb5DRsNxIJU4DGJWHenNMyuZ6KfglZTTA1h9NVkD:UFmZcZlyNGU46W+wZ6KqA1hPVk
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid Process
1736 mscorsvw.exe
2024 mscorsvw.exe
1480 OSE.EXE
The three "dropped" executables are existing service binaries the sample overwrote in place (mscorsvw.exe in the v2.0.50727 and v4.0.30319 Framework directories, and the Office Source Engine OSE.EXE), in each case after creating a .vir copy of the original beside it. They later run as top-level processes rather than as children of the sample, consistent with the OS starting them as services, and OSE.EXE then repeats the sample's own drive enumeration and binary overwrites.
yara rule matches 16 IoCs
resource yara_rule
behavioral1/memory/836-54-0x000000004AD00000-0x000000004ADC0000-memory.dmp upx
behavioral1/files/0x00010000000050f4-56.dat upx
behavioral1/files/0x00010000000050f4-57.dat upx
behavioral1/memory/1736-58-0x0000000010000000-0x0000000010070000-memory.dmp upx
behavioral1/memory/1736-59-0x0000000010000000-0x0000000010070000-memory.dmp upx
behavioral1/files/0x000100000000ecbb-60.dat upx
behavioral1/memory/2024-61-0x0000000000400000-0x0000000000479000-memory.dmp upx
behavioral1/files/0x00010000000103e1-63.dat upx
behavioral1/memory/1480-64-0x000000002E000000-0x000000002E086000-memory.dmp upx
behavioral1/files/0x00010000000095de-66.dat upx
behavioral1/files/0x000100000000ecbb-106.dat upx
behavioral1/files/0x00010000000115d6-107.dat upx
behavioral1/files/0x0001000000009560-108.dat upx
behavioral1/files/0x000700000001048b-109.dat upx
behavioral1/files/0x0001000000010544-110.dat upx
behavioral1/memory/836-111-0x000000004AD00000-0x000000004ADC0000-memory.dmp upx
The UPX rule fires on the sample's own image in memory (pid 836), on the in-memory images of the three overwritten binaries once they run (pids 1736, 2024, 1480) and on the files written to disk, so the rewritten executables carry UPX-packed code like the sample itself.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3845472200-3839195424-595303356-1000 OSE.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3845472200-3839195424-595303356-1000\EnableNotifications = "0" OSE.EXE
Setting EnableNotifications to 0 under the per-user Security Center\Svc key turns off Security Center notifications for that user SID (the process tree tags OSE.EXE with this behaviour). The Wow6432Node location is where a 32-bit process writing HKLM\SOFTWARE\Microsoft\Security Center lands under registry redirection on x64.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\E: through \??\Z: (all 22 drive letters E: to Z:, one IoC each) d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe
File opened (read-only) \??\E: through \??\Z: (all 22 drive letters E: to Z:, one IoC each) OSE.EXE
Both the sample and the infected OSE.EXE probe the full E: to Z: range whether or not a volume is mounted there, consistent with a file infector looking for further volumes to spread to.
Drops file in System32 directory 36 IoCs
description ioc Process
Process d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe
  File created:
    \??\c:\windows\SysWOW64\searchindexer.vir
    \??\c:\windows\SysWOW64\svchost.vir
    \??\c:\windows\SysWOW64\msiexec.vir
    \??\c:\windows\SysWOW64\dllhost.vir
  File opened for modification:
    \??\c:\windows\SysWOW64\fxssvc.exe
    \??\c:\windows\SysWOW64\msiexec.exe
    \??\c:\windows\SysWOW64\locator.exe
    \??\c:\windows\SysWOW64\vds.exe
    \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
    \??\c:\windows\SysWOW64\ui0detect.exe
    \??\c:\windows\SysWOW64\svchost.exe
    \??\c:\windows\SysWOW64\vssvc.exe
    \??\c:\windows\SysWOW64\ieetwcollector.exe
    \??\c:\windows\SysWOW64\lsass.exe
    \??\c:\windows\syswow64\perfhost.exe
    \??\c:\windows\SysWOW64\alg.exe
    \??\c:\windows\SysWOW64\msdtc.exe
    \??\c:\windows\SysWOW64\snmptrap.exe
    \??\c:\windows\SysWOW64\wbengine.exe
    \??\c:\windows\SysWOW64\dllhost.exe
    \??\c:\windows\SysWOW64\searchindexer.exe
Process OSE.EXE
  File opened for modification:
    \??\c:\windows\SysWOW64\wbengine.exe
    \??\c:\windows\SysWOW64\lsass.exe
    \??\c:\windows\SysWOW64\svchost.exe
    \??\c:\windows\SysWOW64\locator.exe
    \??\c:\windows\SysWOW64\searchindexer.exe
    \??\c:\windows\SysWOW64\ieetwcollector.exe
    \??\c:\windows\SysWOW64\vds.exe
    \??\c:\windows\SysWOW64\msdtc.exe
    \??\c:\windows\SysWOW64\ui0detect.exe
    \??\c:\windows\SysWOW64\fxssvc.exe
    \??\c:\windows\syswow64\perfhost.exe
    \??\c:\windows\SysWOW64\snmptrap.exe
    \??\c:\windows\SysWOW64\vssvc.exe
    \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
    \??\c:\windows\SysWOW64\alg.exe
Every target is a service executable, and the .vir files are copies of the originals written before the matching .exe is opened for writing. The paths land in SysWOW64 rather than System32 because the 32-bit sample (tagged arch:x86, with 32-bit memory regions in the yara matches) runs under WOW64 file system redirection.
Drops file in Program Files directory 23 IoCs
description ioc Process
Process d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe
  File created:
    \??\c:\program files (x86)\microsoft office\office14\groove.vir
    \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir
    C:\Program Files\7-Zip\Uninstall.vir
  File opened for modification:
    \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe
    \??\c:\program files (x86)\microsoft office\office14\groove.exe
    C:\Program Files\7-Zip\7zFM.exe
    C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
    \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe
    C:\Program Files\7-Zip\7z.exe
    \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
    C:\Program Files\7-Zip\7zG.exe
    C:\Program Files\7-Zip\Uninstall.exe
    \??\c:\program files (x86)\google\update\googleupdate.exe
    \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
    \??\c:\program files\windows media player\wmpnetwk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
Process OSE.EXE
  File opened for modification:
    \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
    \??\c:\program files\windows media player\wmpnetwk.exe
    \??\c:\program files (x86)\microsoft office\office14\groove.exe
    \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
    \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe
    \??\c:\program files (x86)\google\update\googleupdate.exe
Drops file in Windows directory 27 IoCs
description ioc Process
Process dllhost.exe
  File created: C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9A0A7BB8-5365-4B28-B74C-D73189F5D700}.crmlog
  File opened for modification: C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9A0A7BB8-5365-4B28-B74C-D73189F5D700}.crmlog
Process mscorsvw.exe
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Process d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe
  File created:
    \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir
    \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir
  File opened for modification:
    \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
    \??\c:\windows\servicing\trustedinstaller.exe
    \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
    \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
    \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
    \??\c:\windows\ehome\ehsched.exe
    \??\c:\windows\ehome\ehrecvr.exe
    \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
    \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
    \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
Process OSE.EXE
  File opened for modification:
    \??\c:\windows\ehome\ehrecvr.exe
    \??\c:\windows\ehome\ehsched.exe
    \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
    \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
    \??\c:\windows\servicing\trustedinstaller.exe
    \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
    \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
    \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
    \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
    \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
The dllhost.exe .crmlog and the mscorsvw.exe ngen lock and log files are ordinary housekeeping of the COM+ catalog and the .NET native image service, not infection writes. Of the four mscorsvw.exe copies opened for modification, only the two 32-bit Framework copies have .vir backups and later appear in the process list (pids 1736 and 2024).
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process
1480 OSE.EXE (all 11 IoCs)
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 836 d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe
Token: SeRestorePrivilege 1156 msiexec.exe
Token: SeTakeOwnershipPrivilege 1156 msiexec.exe
Token: SeSecurityPrivilege 1156 msiexec.exe
Token: SeTakeOwnershipPrivilege 1480 OSE.EXE
Token: SeManageVolumePrivilege 464 SearchIndexer.exe
Token: 33 464 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 464 SearchIndexer.exe
SeTakeOwnershipPrivilege in the sample (836) and in OSE.EXE (1480) is the privilege an administrative process needs to seize ownership of TrustedInstaller-owned binaries such as lsass.exe and svchost.exe before it can rewrite their DACL and contents; it pairs with the System32, Program Files and Windows directory modification IoCs above. The msiexec.exe and SearchIndexer.exe entries are privileges those services enable on their own ("33" is the raw LUID of SeIncreaseWorkingSetPrivilege).
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
456 SearchProtocolHost.exe (all 4 IoCs)
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 464 wrote to memory of 456, 464 SearchIndexer.exe, target 34 (3 IoCs)
PID 464 wrote to memory of 280, 464 SearchIndexer.exe, target 35 (3 IoCs)
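The signatures above describe three behaviours a triage script can pull straight out of the IoC lines: the .vir backup written beside each executable the same process then opens for writing (the System32, Program Files and Windows directory sections), the read-only opens of every drive root E: to Z:, and SeTakeOwnershipPrivilege being enabled by the two processes that go on to rewrite protected binaries. The following Python is an added example written for this page, not sandbox or Triage code; the event lines it parses are a subset transcribed from the report above and embedded as constructed sample input, and the field layout it assumes (a known description prefix, then the IoC, then a space-free process name as the last field) is inferred from the report rather than documented anywhere.

```python
"""Correlate file and token IoC lines from a sandbox report (added example).

The event lines in SAMPLE_EVENTS are a subset transcribed from the report on
this page, constructed here as sample input; the parser and the three rules
are illustration written for this page, not sandbox code.
"""
from collections import defaultdict

SAMPLE = "d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe"

SAMPLE_EVENTS = rf"""
File opened (read-only) \??\E: OSE.EXE
File opened (read-only) \??\F: OSE.EXE
File opened (read-only) \??\G: OSE.EXE
File opened (read-only) \??\E: {SAMPLE}
File opened (read-only) \??\F: {SAMPLE}
File opened (read-only) \??\G: {SAMPLE}
File created \??\c:\windows\SysWOW64\svchost.vir {SAMPLE}
File opened for modification \??\c:\windows\SysWOW64\svchost.exe {SAMPLE}
File created \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir {SAMPLE}
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe {SAMPLE}
File opened for modification \??\c:\windows\SysWOW64\lsass.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\svchost.exe OSE.EXE
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe
Token: SeTakeOwnershipPrivilege 836 {SAMPLE}
Token: SeRestorePrivilege 1156 msiexec.exe
Token: SeTakeOwnershipPrivilege 1480 OSE.EXE
"""

# Description prefixes as they appear in the report. The process name is the
# last whitespace-separated field (assumption: image names carry no spaces),
# so everything between the prefix and that field is the IoC, which keeps
# paths such as "program files (x86)" intact.
DESCRIPTIONS = ("File opened (read-only)", "File opened for modification",
                "File created", "Token:")
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def parse_event(line):
    """Return (description, ioc, process) for one IoC line, or None."""
    line = line.strip()
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            ioc, _, process = line[len(desc) + 1:].rpartition(" ")
            return desc, ioc, process
    return None


def normalize(path):
    r"""Drop the NT object-manager prefix \??\ and fold case so that
    \??\c:\windows\SysWOW64\a.exe and C:\Windows\syswow64\a.exe compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def infected_candidates(events):
    """Executables for which one process both created a sibling .vir file and
    opened the .exe for modification: the back-up-then-overwrite pattern of a
    file infector (the report shows it for svchost, msiexec, mscorsvw, ose)."""
    created_vir, modified_exe = set(), set()
    for desc, ioc, proc in events:
        path = normalize(ioc)
        if desc == "File created" and path.endswith(".vir"):
            created_vir.add((proc, path[:-4]))
        elif desc == "File opened for modification" and path.endswith(".exe"):
            modified_exe.add((proc, path[:-4]))
    return sorted((proc, stem + ".exe") for proc, stem in created_vir & modified_exe)


def drive_enumerators(events, min_roots=3):
    """Processes that opened at least min_roots drive roots other than C:."""
    roots = defaultdict(set)
    for desc, ioc, proc in events:
        path = normalize(ioc)
        is_root = len(path) == 2 and path[1] == ":" and path != "c:"
        if desc == "File opened (read-only)" and is_root:
            roots[proc].add(path)
    return {proc: sorted(r) for proc, r in roots.items() if len(r) >= min_roots}


def takeown_writers(events):
    """Processes that enabled SeTakeOwnershipPrivilege and also opened files
    under Windows or Program Files for modification. Taking ownership is the
    step that lets an administrative process replace the DACL on
    TrustedInstaller-owned binaries such as lsass.exe before rewriting them."""
    holders = {proc for desc, ioc, proc in events
               if desc == "Token:" and ioc.split()[0] == "SeTakeOwnershipPrivilege"}
    writes = defaultdict(set)
    for desc, ioc, proc in events:
        if desc == "File opened for modification" and proc in holders:
            path = normalize(ioc)
            if path.startswith(PROTECTED_PREFIXES):
                writes[proc].add(path)
    return {proc: sorted(p) for proc, p in writes.items()}


def triage(report_text):
    """Run all three rules over raw IoC lines and return the findings."""
    events = [e for e in map(parse_event, report_text.splitlines()) if e]
    return {
        "infected": infected_candidates(events),
        "drive_enumerators": drive_enumerators(events),
        "takeown_writers": takeown_writers(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(rule)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

Run against the constructed subset it reports svchost.exe and ose.exe as infected candidates for the sample process, both the sample and OSE.EXE as drive enumerators, and the protected-directory writes of the two SeTakeOwnershipPrivilege holders; msiexec.exe, which only held SeRestorePrivilege here, is not reported. Feeding it the full IoC lists from the report (one event per line, in the same layout) gives the complete picture of which binaries were rewritten and by whom.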
Processes
C:\Users\Admin\AppData\Local\Temp\d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d677f28887b9c71aa1d23f92bf522b963d3435d79e242badd3ade46d68c48231.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:836
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1736
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  PID:2024
C:\Windows\system32\dllhost.exe
  command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
  PID:1956
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
C:\Windows\system32\SearchIndexer.exe
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:464
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 464)
      command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      - Suspicious use of SetWindowsHookEx
      PID:456
    C:\Windows\system32\SearchFilterHost.exe (child of PID 464)
      command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      PID:280
The sample, both mscorsvw.exe copies, OSE.EXE, dllhost.exe, msiexec.exe and SearchIndexer.exe all sit at the top level: the report records no parent-child relation between the sample and the infected binaries, consistent with the service control manager starting them rather than the sample spawning them. SearchIndexer.exe with its SearchProtocolHost.exe and SearchFilterHost.exe children is the Windows Search service; the copy the sample rewrote is \windows\SysWOW64\searchindexer.exe, not the system32 one running here, and nothing on the page ties its hook and WriteProcessMemory hits to the sample.
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize 284KB
MD5 7ffeb68eb174c10b3f48898548a2f2a0
SHA1 6a02857cd6c936fe1566969450996e8d2d6af707
SHA256 9f120500f86cd50bcfefd660dd2ddd192b7ec6909ec6d910978ed0b7c2d53269
SHA512 3a7ee1ab3addb35746241579ab3713520900c8cc3d852532ae26c252b0821351158a0f2b97c8b37197351935c1e284b627912f675fffd0c8c8e5eee30a41627c

Filesize 1.2MB
MD5 81c19480abd4ea36763852ec1ee742d4
SHA1 5b9469f27c40c96d6a74de59ed6c4eafcaa1a08a
SHA256 bdfe435ad5d00e55ea05332e2de62bd2aafc8bab6ec8925dbc0036226db700cd
SHA512 3b71d6dc9d0f8c5d652b75db80078fee37c5e6b71cf1ad744b1b38c4ed553681ad50e6e6aaee8570cfef7c0b831e85b5156b44cb6c3f6d0a79c2ed1a7d1cbe58

Filesize 284KB
MD5 e0adfcb42c00149f4225480435865f4d
SHA1 52067d921e719ab3b6034315fc59e73b6e8ca546
SHA256 0883f613615a73563c641b4a07ae4141af565f8ab9c31d9ce0ef85b7859abf6e
SHA512 936bde0490c1ffe9a22e707d37a3d5cb4d73106d1a8ad6b1ad61319004eda69a3b966b99b227b4c0dcf73d459e0b7c9f3a0b413db147e650b68cc2a74992ce31

Filesize 203KB
MD5 7b97fb68d98bdc9044809b097d36ae1d
SHA1 adaa100817f483f947206402eb9c71f5fb0c12aa
SHA256 44725dd445a471f18372b226fb55138adfd21be035cdea6e640daeaeba478ae4
SHA512 e1addef37a38ddb121820987db42dc147b7eca2133a52c9cc66e8c84dcb3379a0b35ab3acb59b2d4fe1501667f64d9a568c6892ab39633bd1756f2123db42660

Filesize 203KB
MD5 7b97fb68d98bdc9044809b097d36ae1d
SHA1 adaa100817f483f947206402eb9c71f5fb0c12aa
SHA256 44725dd445a471f18372b226fb55138adfd21be035cdea6e640daeaeba478ae4
SHA512 e1addef37a38ddb121820987db42dc147b7eca2133a52c9cc66e8c84dcb3379a0b35ab3acb59b2d4fe1501667f64d9a568c6892ab39633bd1756f2123db42660

Filesize 234KB
MD5 bf27b17d779b048b193079c92acba343
SHA1 dd95e1c502a24a474acf546b0d439f11f603254f
SHA256 18143eb3e9c0246188e1b70697a3f48410d656124c4910c34d4bb0442032b630
SHA512 6b469b2e2521b9051f2467df4776e464272462000285908f3bfc67b0198e40f24f9e64c408d1913c3ca7f0ab60de23507b1cf5253d263e7ab90f6f35d6a323eb

Filesize 29.7MB
MD5 36fbe0f37c45630a5dadd6262abb98db
SHA1 cd1220179a384632ca90906a28ca4fa4500bf5d2
SHA256 2352d853efb87ad8577cb1e7762573f2f806d5aa3c2baa5c19f545b8e0c153e7
SHA512 8ed3b3873d60ba4114fd9bb31de4a0ffb5492d2b630825e683ec2820bed5e37065764529a30cbb27b2a8968866b7f86d09e8bbaab7f0c3f481dd6851348c2c8e

Filesize 562KB
MD5 627ee431bcaeac7fec2987c3029ee4c0
SHA1 132ab45f7867c2272f72280722c27ca9513bf99a
SHA256 c09f49057a2e0bed6d85efe8e4a4698c16ffb94f224386a853ca1982054b7b4e
SHA512 75042c3782c50515398b1dfa96557a11a862bf615b2758c619a97a54c2fc9bf62491615e01f89981a828a64b13c744b70da71f7a2e2c2d5b8872161ed7d5892a

Filesize 164KB
MD5 26d34ed7ac92a3643e866dee7908707b
SHA1 eab78b81a0745a563d43d09261732e90f29bf4cb
SHA256 f7178bc6380454e5c8c3d7090c027ccbafc733964a674e5209da6b821e00d57d
SHA512 98a11f1fc568385422d969d121b17dd3e533e9f68de34098d8f5669cbd89267eceb99231a69c1ac3e6a9a1e0895cf3b8ea88e7c0fcee8d82ee8bffe7cf377ccc

Filesize 234KB
MD5 bf27b17d779b048b193079c92acba343
SHA1 dd95e1c502a24a474acf546b0d439f11f603254f
SHA256 18143eb3e9c0246188e1b70697a3f48410d656124c4910c34d4bb0442032b630
SHA512 6b469b2e2521b9051f2467df4776e464272462000285908f3bfc67b0198e40f24f9e64c408d1913c3ca7f0ab60de23507b1cf5253d263e7ab90f6f35d6a323eb

The report does not name the path behind each download. Two pairs of entries (the 203KB and the 234KB ones) share every hash, so they are two files with identical content written to different locations; the listing is of files captured during the run, not of the original binaries they replaced, so none of these hashes should be treated as a clean reference for the targeted system executables.