8ef3b04176dc84f5a3c9b3d5aab39fd9ba424f335ce17e7e401e724758a45f4a

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hyperinjector-main.zip
Size

6KB
MD5

6ca50361462ac1991dd2baf066c8f939
SHA1

067d84c52b6d9d303a273cc2876fed48b6e2fc7f
SHA256

8ef3b04176dc84f5a3c9b3d5aab39fd9ba424f335ce17e7e401e724758a45f4a
SHA512

e57bff517275c99c3f8c95d4ab97217c45eb1dba36bac4de65d2cea408d44731c864fc68bc9e4e870e455672d6085fa374627bba0df3d8fe997f5968b0719731
SSDEEP

192:YjldYPMj0/AU3xcJDvQLoJM/NcuZtpo3pF:YjluWLUhcJMiocpF

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002034a640e8f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.md\ = "md_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\edit	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.md	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file\shell\edit	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\md_auto_file\shell\open\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2528	SearchIndexer.exe
Token: 33	2528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2528	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe
1136	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1136	2528	SearchIndexer.exe	35
PID 2528 wrote to memory of 1136	2528	SearchIndexer.exe	35
PID 2528 wrote to memory of 1136	2528	SearchIndexer.exe	35
PID 2528 wrote to memory of 768	2528	SearchIndexer.exe	36
PID 2528 wrote to memory of 768	2528	SearchIndexer.exe	36
PID 2528 wrote to memory of 768	2528	SearchIndexer.exe	36
PID 2424 wrote to memory of 2272	2424	rundll32.exe	41
PID 2424 wrote to memory of 2272	2424	rundll32.exe	41
PID 2424 wrote to memory of 2272	2424	rundll32.exe	41
PID 2828 wrote to memory of 2644	2828	rundll32.exe	48
PID 2828 wrote to memory of 2644	2828	rundll32.exe	48
PID 2828 wrote to memory of 2644	2828	rundll32.exe	48

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\hyperinjector-main.zip
1⤵
PID:1792

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2688

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1136
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  - Modifies data under HKEY_USERS
  PID:768

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_hyperinjector-main.zip\hyperinjector-main\README.md
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_hyperinjector-main.zip\hyperinjector-main\README.md
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Documents\hyperinjector-main\hyperinjector-main\start.bat" "
1⤵
PID:2840

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\hyperinjector-main\hyperinjector-main\hyperinjector.py
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\hyperinjector-main\hyperinjector-main\hyperinjector.py
  2⤵
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
cf9c2f860937ef409d320b78111a6590

SHA1
0572e7a11c9e818e9626e3e5438abf1728c3e0fa

SHA256
c15a955992021f4640e40f8aa18b459521458b904c2e0153d944f40118b5c660

SHA512
6e50d2894588f79d33ffd93e069d848ef9fe64b5dfbcbc1ed5379768555d5dfed4bc8d9e5cf9a58e56b14e73d80c49363a23966b0fe0ccd8c9e2ff08720618b7

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
bd45f868c00dc340c8b970a2b0027e62

SHA1
f66b01c5f03959619fd8bcfda9934a5ced571671

SHA256
c012cc4e73ec2d93c0f861de59dd37995933f90c0a99c43a4b6cc6a5a963496f

SHA512
8b9fd9100e4bea23e934520d1e841028a0b0999920b05ba95f38f66b4bb9ced6c444008da4ffe5dd8e483c03491a371374006959164c7091b3da14f180986168

Download Submit
memory/2528-74-0x0000000005270000-0x0000000005278000-memory.dmp

Filesize
32KB

Download
memory/2528-75-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/2528-43-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/2528-49-0x0000000001440000-0x0000000001448000-memory.dmp

Filesize
32KB

Download
memory/2528-51-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/2528-60-0x0000000001490000-0x0000000001498000-memory.dmp

Filesize
32KB

Download
memory/2528-66-0x0000000003330000-0x0000000003338000-memory.dmp

Filesize
32KB

Download
memory/2528-71-0x0000000003810000-0x0000000003818000-memory.dmp

Filesize
32KB

Download
memory/2528-17-0x0000000001C90000-0x0000000001CA0000-memory.dmp

Filesize
64KB

Download
memory/2528-42-0x0000000001480000-0x0000000001488000-memory.dmp

Filesize
32KB

Download
memory/2528-77-0x00000000054C0000-0x00000000054C8000-memory.dmp

Filesize
32KB

Download
memory/2528-78-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/2528-86-0x00000000054B0000-0x00000000054B8000-memory.dmp

Filesize
32KB

Download
memory/2528-90-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/2528-98-0x0000000003960000-0x0000000003968000-memory.dmp

Filesize
32KB

Download
memory/2528-99-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2528-0-0x0000000001B80000-0x0000000001B90000-memory.dmp

Filesize
64KB

Download
memory/2528-102-0x0000000003950000-0x0000000003958000-memory.dmp

Filesize
32KB

Download