d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
Size

307KB
MD5

7a94b174414736f01e16901655337098
SHA1

15af50e4231263d8959a61b4ed4bf5e3be5d3d09
SHA256

d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808
SHA512

e8f39205d4cfd20b0aa475b3a6f051738c09658e0ef526d1eb0b2716a1ed09402554dd693e10df9191fa8bbc481a0911b172c4be612d808db1e10789928d3184
SSDEEP

6144:QXQP2B++PxQZDFZHnSMagSqNGb2/g4OZInzepIao:4DB+kxehaJqqpazx

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1528	mscorsvw.exe
1400	mscorsvw.exe
276	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\Q:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\R:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\G:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\O:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\P:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\V:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\E:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\L:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\N:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\K:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\M:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\F:	OSE.EXE
File opened (read-only)	\??\Y:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\S:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\T:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\U:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\F:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\H:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\I:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\W:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\X:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\Z:	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\svchost.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File created	C:\Program Files\7-Zip\Uninstall.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	OSE.EXE
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7z.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{873CC15C-B2E7-4EA5-B6F0-4E59C075EEE5}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{873CC15C-B2E7-4EA5-B6F0-4E59C075EEE5}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE
276	OSE.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1460	d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
Token: SeRestorePrivilege	1340	msiexec.exe
Token: SeTakeOwnershipPrivilege	1340	msiexec.exe
Token: SeSecurityPrivilege	1340	msiexec.exe
Token: SeTakeOwnershipPrivilege	276	OSE.EXE
Token: SeManageVolumePrivilege	680	SearchIndexer.exe
Token: 33	680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	680	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
668	SearchProtocolHost.exe
668	SearchProtocolHost.exe
668	SearchProtocolHost.exe
668	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 668	680	SearchIndexer.exe	34
PID 680 wrote to memory of 668	680	SearchIndexer.exe	34
PID 680 wrote to memory of 668	680	SearchIndexer.exe	34
PID 680 wrote to memory of 932	680	SearchIndexer.exe	35
PID 680 wrote to memory of 932	680	SearchIndexer.exe	35
PID 680 wrote to memory of 932	680	SearchIndexer.exe	35

C:\Users\Admin\AppData\Local\Temp\d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
"C:\Users\Admin\AppData\Local\Temp\d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:1156

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
  2⤵
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
320KB

MD5
50e454c5b7193908c64188b5c591eefb

SHA1
52cad792a334af589537e7f3ace94ce54f17711d

SHA256
ef99b8f78cef9463d01b2e88aa79c93d611d3dded7b6e4f37d0882676ecd3ddf

SHA512
3edfb4c32a272b93543302bf14cbda8d512795d7db893197dd8019cd95e6861508db1242d4888643faa75f955f8cf4377464570c245263cf9a184e75ef212c42

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
4e66c15bac80f91924c6f08276a5a300

SHA1
3c08ea2bd6f393c0e5908c6b405e6cc99af644a2

SHA256
4584dab8de33cbfc1846c3167451ac514613a209bd790b2c2670438f2be32ea4

SHA512
3135f6d944935d0a6ff20a4eb572bce9611c60270077eb19adfe13839b413df1f9ed866748ada47b5f1a2b7ba62afaff27c0d24acc3f55e9c6200085c371abc2

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
320KB

MD5
48c36c1464c35687bd181740bf17e9a5

SHA1
101f71bcc7f95cac291fa65f870ee4b80b2db148

SHA256
07242c683bce90656a251bf059fcfa2a731351477c2e6184c62fa47e88e2e7d6

SHA512
6a4820ca082488983a0f9c13da82fcef236dfaea2a5b21defc9bf13760a3bab54d8d412d874fe180da172dd008bb88291b29deb7e5384ca11543f240da6c5e52

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
239KB

MD5
503c4b1dbdc9374076a28fdcd806f8f1

SHA1
b12066dafdd11699ea68530212351d46f2f47d90

SHA256
5400948b87fa6b72948ced12a82da1a189756a1e090c9830877017bd899ec1d6

SHA512
a30fcc81dde750de39efa4a4d6e9ba141ae5eec3b77376450cecf6a33e7d23b050fa19f04a64b34bb098c10fd5e1aec24f48c6f5b62e281d350f56b6ab0053aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
239KB

MD5
503c4b1dbdc9374076a28fdcd806f8f1

SHA1
b12066dafdd11699ea68530212351d46f2f47d90

SHA256
5400948b87fa6b72948ced12a82da1a189756a1e090c9830877017bd899ec1d6

SHA512
a30fcc81dde750de39efa4a4d6e9ba141ae5eec3b77376450cecf6a33e7d23b050fa19f04a64b34bb098c10fd5e1aec24f48c6f5b62e281d350f56b6ab0053aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
270KB

MD5
3186e0eaf5fc5352b4eeb23400e5234e

SHA1
05457dd4069e3d2d9ab9a4068c2359313113cfd3

SHA256
54a64b3f3e95d5830372b32fc5732489b286cfb51f56f0c79391db669dc36ee4

SHA512
625f437bd017353cb288dce020a4e00224ca2eb12762d11eeb8313903057f62acb52e0bc1f235bc94e84947e4dc1deac671e140a3583e45b6ad6524113f7058b

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
93180023ef0723f27e038ac9f300f0c9

SHA1
2561ffbf5cfd7bd936e0db4531edffb8e89b6e5e

SHA256
82208bc0a7479f7145381d820b14fb3a4ce0ecb1e9534ae18bcb887a3d0c707a

SHA512
a59509a8fd5e2002ec09635630052b45657a1c9de7283263b37816d8414f405dcc2ba247606abfbe72fe48c769c5069f61964ed57b54bba791f3edd8db3c7c7f

Download Submit
\??\c:\windows\SysWOW64\searchindexer.exe

Filesize
598KB

MD5
e7c701e8604ba841c83621258500cc93

SHA1
f37e112fa89c236a4dafda7fa096a171584e5de1

SHA256
af0c6b954e0288ff0051a0fad703fd3c1f27e2926f309e4f74852bfab2e72635

SHA512
3c69535b5840534bf044d209af8aad4b4eb45b1ffb0f9b3a61a728d3f7ce908adada30c73704fe3459e7b74096fd6413825b45f322a51a4ba585bdb6ca3638df

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
200KB

MD5
48afa4e12ef99267672d3e1c06e5e9c8

SHA1
9296aa5de360443b317c2d2da1cf60b0dafb24a2

SHA256
d1431d7a77d2a6dddf8fd0614bf24818d72a84340f31234118faf96a0fc57530

SHA512
57e4d38510cdd3ff59c1bca134c86e1db9e65f82571e27a2e15f19e7d3584f8fb92865714c1f49c03652f07d79e245ea1979f339eacd542ade1daa92697dae08

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
270KB

MD5
3186e0eaf5fc5352b4eeb23400e5234e

SHA1
05457dd4069e3d2d9ab9a4068c2359313113cfd3

SHA256
54a64b3f3e95d5830372b32fc5732489b286cfb51f56f0c79391db669dc36ee4

SHA512
625f437bd017353cb288dce020a4e00224ca2eb12762d11eeb8313903057f62acb52e0bc1f235bc94e84947e4dc1deac671e140a3583e45b6ad6524113f7058b

Download Submit
memory/276-66-0x000000002E000000-0x000000002E09D000-memory.dmp

Filesize
628KB

Download
memory/276-65-0x000000002E000000-0x000000002E09D000-memory.dmp

Filesize
628KB

Download
memory/276-109-0x000000002E000000-0x000000002E09D000-memory.dmp

Filesize
628KB

Download
memory/680-85-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/680-69-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/680-101-0x0000000003E70000-0x0000000003E78000-memory.dmp

Filesize
32KB

Download
memory/680-104-0x0000000003E70000-0x0000000003E78000-memory.dmp

Filesize
32KB

Download
memory/680-105-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

Filesize
32KB

Download
memory/1340-63-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1400-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1460-62-0x0000000001000000-0x0000000001098000-memory.dmp

Filesize
608KB

Download
memory/1460-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1460-55-0x0000000001000000-0x0000000001098000-memory.dmp

Filesize
608KB

Download
memory/1528-59-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/1528-57-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download