Analysis
max time kernel: 150s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 00:36
Static task: static1
Behavioral task: behavioral1
Sample: d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
Resource: win7-20220812-en
General
Target: d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
Size: 307KB
MD5: 7a94b174414736f01e16901655337098
SHA1: 15af50e4231263d8959a61b4ed4bf5e3be5d3d09
SHA256: d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808
SHA512: e8f39205d4cfd20b0aa475b3a6f051738c09658e0ef526d1eb0b2716a1ed09402554dd693e10df9191fa8bbc481a0911b172c4be612d808db1e10789928d3184
SSDEEP: 6144:QXQP2B++PxQZDFZHnSMagSqNGb2/g4OZInzepIao:4DB+kxehaJqqpazx
Malware Config
Signatures

Executes dropped EXE 3 IoCs
pid | Process
1528 | mscorsvw.exe
1400 | mscorsvw.exe
276 | OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000 | OSE.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000\EnableNotifications = "0" | OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json | d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe

Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe, File opened (read-only), 22 IoCs:
  \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Process OSE.EXE, File opened (read-only), 22 IoCs:
  \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

Drops file in System32 directory 36 IoCs
Process d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe, File opened for modification:
  \??\c:\windows\SysWOW64\lsass.exe
  \??\c:\windows\syswow64\perfhost.exe
  \??\c:\windows\SysWOW64\ui0detect.exe
  \??\c:\windows\SysWOW64\snmptrap.exe
  \??\c:\windows\SysWOW64\vds.exe
  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
  \??\c:\windows\SysWOW64\searchindexer.exe
  \??\c:\windows\SysWOW64\alg.exe
  \??\c:\windows\SysWOW64\dllhost.exe
  \??\c:\windows\SysWOW64\msiexec.exe
  \??\c:\windows\SysWOW64\fxssvc.exe
  \??\c:\windows\SysWOW64\svchost.exe
  \??\c:\windows\SysWOW64\locator.exe
  \??\c:\windows\SysWOW64\vssvc.exe
  \??\c:\windows\SysWOW64\ieetwcollector.exe
  \??\c:\windows\SysWOW64\msdtc.exe
  \??\c:\windows\SysWOW64\wbengine.exe
Process d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe, File created:
  \??\c:\windows\SysWOW64\msiexec.vir
  \??\c:\windows\SysWOW64\searchindexer.vir
  \??\c:\windows\SysWOW64\svchost.vir
  \??\c:\windows\SysWOW64\dllhost.vir
Process OSE.EXE, File opened for modification:
  \??\c:\windows\SysWOW64\fxssvc.exe
  \??\c:\windows\SysWOW64\searchindexer.exe
  \??\c:\windows\SysWOW64\alg.exe
  \??\c:\windows\SysWOW64\vds.exe
  \??\c:\windows\SysWOW64\wbengine.exe
  \??\c:\windows\SysWOW64\ieetwcollector.exe
  \??\c:\windows\SysWOW64\lsass.exe
  \??\c:\windows\SysWOW64\snmptrap.exe
  \??\c:\windows\SysWOW64\ui0detect.exe
  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
  \??\c:\windows\SysWOW64\msdtc.exe
  \??\c:\windows\syswow64\perfhost.exe
  \??\c:\windows\SysWOW64\svchost.exe
  \??\c:\windows\SysWOW64\locator.exe
  \??\c:\windows\SysWOW64\vssvc.exe

Drops file in Program Files directory 28 IoCs
Process d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe, File opened for modification:
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\7-Zip\Uninstall.exe
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe
  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
  \??\c:\program files (x86)\google\update\googleupdate.exe
  \??\c:\program files (x86)\microsoft office\office14\groove.exe
  \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
  \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe
  \??\c:\program files\windows media player\wmpnetwk.exe
Process d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe, File created:
  \??\c:\program files (x86)\microsoft office\office14\groove.vir
  C:\Program Files\7-Zip\Uninstall.vir
  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir
Process OSE.EXE, File opened for modification:
  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
  \??\c:\program files (x86)\microsoft office\office14\groove.exe
  \??\c:\program files (x86)\google\update\googleupdate.exe
  \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
  \??\c:\program files\windows media player\wmpnetwk.exe
  \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Drops file in Windows directory 27 IoCs
Process d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe, File opened for modification:
  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
  \??\c:\windows\ehome\ehrecvr.exe
  \??\c:\windows\ehome\ehsched.exe
  \??\c:\windows\servicing\trustedinstaller.exe
Process d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe, File created:
  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir
  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir
Process OSE.EXE, File opened for modification:
  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
  \??\c:\windows\ehome\ehrecvr.exe
  \??\c:\windows\ehome\ehsched.exe
  \??\c:\windows\servicing\trustedinstaller.exe
Process mscorsvw.exe:
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Process dllhost.exe:
  File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{873CC15C-B2E7-4EA5-B6F0-4E59C075EEE5}.crmlog
  File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{873CC15C-B2E7-4EA5-B6F0-4E59C075EEE5}.crmlog

Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
276 | OSE.EXE (14 identical events)

Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1460 | d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
Token: SeRestorePrivilege | 1340 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1340 | msiexec.exe
Token: SeSecurityPrivilege | 1340 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 276 | OSE.EXE
Token: SeManageVolumePrivilege | 680 | SearchIndexer.exe
Token: 33 | 680 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 680 | SearchIndexer.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
668 | SearchProtocolHost.exe (4 identical events)

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 680 wrote to memory of 668 | 680 | SearchIndexer.exe | 34
PID 680 wrote to memory of 668 | 680 | SearchIndexer.exe | 34
PID 680 wrote to memory of 668 | 680 | SearchIndexer.exe | 34
PID 680 wrote to memory of 932 | 680 | SearchIndexer.exe | 35
PID 680 wrote to memory of 932 | 680 | SearchIndexer.exe | 35
PID 680 wrote to memory of 932 | 680 | SearchIndexer.exe | 35
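Read together, the file tables above say more than the individual signatures: the sample opens a long list of service and application executables for modification and, for several of them, creates a sibling with the same name and a .vir extension (msiexec.exe/msiexec.vir, Uninstall.exe/Uninstall.vir, ose.exe/ose.vir, mscorsvw.exe/mscorsvw.vir). Two of the rewritten binaries, OSE.EXE and mscorsvw.exe, then run on their own and are flagged "Executes dropped EXE", and OSE.EXE repeats the drive-root enumeration, the executable rewrites and the Security Center EnableNotifications = "0" change. By contrast, SearchIndexer.exe spawning SearchProtocolHost.exe and SearchFilterHost.exe is the normal Windows Search hosting pattern, and dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} writing its .crmlog under C:\Windows\Registration is the COM+ System Application doing its usual work; neither is a child of the sample. The script below is an added example and not part of the Triage report: it parses rows in the report's "description ioc Process" layout, normalises the two path spellings the sandbox mixes (\??\c:\windows\SysWOW64\... and C:\Windows\...), and derives three hunt artifacts from them: the .exe/.vir pairs to verify and restore from, the processes that touch many bare drive roots, and the Set value rows that turn off Security Center notifications. The embedded rows are a constructed subset copied from the tables above; the function names and the drive-count threshold of 3 are this example's own choices.

```python
"""Derive hunt artifacts from IoC rows in the sandbox report above.

Added example; not part of the Triage report. SAMPLE_ROWS is a constructed
subset of the report's rows, re-typed one per line.
"""
import re
from collections import Counter

# Row layout in the report's signature tables: "<description> <ioc> <process>".
# Descriptions contain spaces, so they are matched as known prefixes; the
# process name is the last whitespace-separated token (true for this report,
# whose process names carry no spaces).
DESCRIPTIONS = (
    "File opened for modification",
    "File opened (read-only)",
    "File created",
    "Key created",
    "Set value (int)",
)

NT_PREFIX = "\\??\\"  # NT object-manager prefix the sandbox emits on some paths
SAMPLE = "d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe"

# Constructed input: 11 rows copied from the report, one per line.
SAMPLE_ROWS = rf"""
File opened (read-only) \??\J: OSE.EXE
File opened (read-only) \??\U: OSE.EXE
File opened (read-only) \??\Z: OSE.EXE
File opened (read-only) \??\E: {SAMPLE}
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe {SAMPLE}
File created \??\c:\windows\SysWOW64\msiexec.vir {SAMPLE}
File opened for modification C:\Program Files\7-Zip\Uninstall.exe {SAMPLE}
File created C:\Program Files\7-Zip\Uninstall.vir {SAMPLE}
File opened for modification \??\c:\windows\SysWOW64\alg.exe OSE.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000 OSE.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000\EnableNotifications = "0" OSE.EXE
"""


def parse_row(row: str) -> dict:
    """Split one report row into its description, ioc and process fields."""
    for desc in DESCRIPTIONS:
        if row.startswith(desc + " "):
            ioc, _, process = row[len(desc) + 1:].rpartition(" ")
            return {"description": desc, "ioc": ioc, "process": process}
    raise ValueError(f"unrecognised row: {row!r}")


def parse_rows(text: str) -> list:
    return [parse_row(line) for line in text.strip().splitlines() if line.strip()]


def normalize_path(path: str) -> str:
    """Drop the NT prefix and lower-case, because the report spells the same
    tree both NT-style (with mixed case) and as a plain drive path."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def infected_executables(records: list) -> list:
    """Pair every 'File created X.vir' with a 'File opened for modification X.exe'.
    Each pair is an executable to verify on a real host, with its .vir
    companion as the candidate copy of the original."""
    backups = {}
    for r in records:
        p = normalize_path(r["ioc"])
        if r["description"] == "File created" and p.endswith(".vir"):
            backups[p[:-4]] = p
    pairs = set()
    for r in records:
        p = normalize_path(r["ioc"])
        if r["description"] == "File opened for modification" and p.endswith(".exe"):
            if p[:-4] in backups:
                pairs.add((p, backups[p[:-4]]))
    return sorted(pairs)


DRIVE_ROOT = re.compile(r"^[a-z]:$")  # bare drive root after normalisation


def drive_enumeration(records: list, threshold: int = 3) -> dict:
    """Count read-only opens of bare drive roots per process; return the
    processes at or above the threshold (the report shows 22 per process)."""
    counts = Counter()
    for r in records:
        if r["description"] == "File opened (read-only)" and DRIVE_ROOT.match(normalize_path(r["ioc"])):
            counts[r["process"]] += 1
    return {proc: n for proc, n in counts.items() if n >= threshold}


SET_VALUE = re.compile(r'^(?P<key>.+) = "(?P<value>[^"]*)"$')


def security_center_tampering(records: list) -> list:
    """Flag Set value rows that write EnableNotifications = "0" under a
    Security Center\\Svc\\<SID> key. Returns (process, key, value) tuples."""
    hits = []
    for r in records:
        if r["description"] != "Set value (int)":
            continue
        m = SET_VALUE.match(r["ioc"])
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        low = key.lower()
        if "\\security center\\svc\\" in low and low.endswith("\\enablenotifications") and value == "0":
            hits.append((r["process"], key, value))
    return hits


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for exe, vir in infected_executables(recs):
        print(f"verify/restore: {exe}  <-  {vir}")
    print("drive enumeration:", drive_enumeration(recs))
    print("security center tampering:", security_center_tampering(recs))
```

On a live host the pair list is the starting point for Authenticode and hash checks against the .vir copies, and the same parser can be pointed at the full tables above rather than the 11-row subset. Note that alg.exe is opened for modification by OSE.EXE without a .vir companion in this subset, so the pairing deliberately leaves it out rather than guessing.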
Processes

C:\Users\Admin\AppData\Local\Temp\d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d781c6cc95f4b995adc4c996a32fc6072d21e947f69c9d7ef1ac09650ac46808.exe"
  - Drops Chrome extension
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  PID: 1400

C:\Windows\system32\dllhost.exe
  command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
  PID: 1156

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 1340

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 276

C:\Windows\system32\SearchIndexer.exe
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 680

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 680)
      command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      - Suspicious use of SetWindowsHookEx
      PID: 668

    C:\Windows\system32\SearchFilterHost.exe (child of PID 680)
      command line: "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
      PID: 932

Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 320KB
MD5: 50e454c5b7193908c64188b5c591eefb
SHA1: 52cad792a334af589537e7f3ace94ce54f17711d
SHA256: ef99b8f78cef9463d01b2e88aa79c93d611d3dded7b6e4f37d0882676ecd3ddf
SHA512: 3edfb4c32a272b93543302bf14cbda8d512795d7db893197dd8019cd95e6861508db1242d4888643faa75f955f8cf4377464570c245263cf9a184e75ef212c42

Filesize: 1.2MB
MD5: 4e66c15bac80f91924c6f08276a5a300
SHA1: 3c08ea2bd6f393c0e5908c6b405e6cc99af644a2
SHA256: 4584dab8de33cbfc1846c3167451ac514613a209bd790b2c2670438f2be32ea4
SHA512: 3135f6d944935d0a6ff20a4eb572bce9611c60270077eb19adfe13839b413df1f9ed866748ada47b5f1a2b7ba62afaff27c0d24acc3f55e9c6200085c371abc2

Filesize: 320KB
MD5: 48c36c1464c35687bd181740bf17e9a5
SHA1: 101f71bcc7f95cac291fa65f870ee4b80b2db148
SHA256: 07242c683bce90656a251bf059fcfa2a731351477c2e6184c62fa47e88e2e7d6
SHA512: 6a4820ca082488983a0f9c13da82fcef236dfaea2a5b21defc9bf13760a3bab54d8d412d874fe180da172dd008bb88291b29deb7e5384ca11543f240da6c5e52

Filesize: 239KB
MD5: 503c4b1dbdc9374076a28fdcd806f8f1
SHA1: b12066dafdd11699ea68530212351d46f2f47d90
SHA256: 5400948b87fa6b72948ced12a82da1a189756a1e090c9830877017bd899ec1d6
SHA512: a30fcc81dde750de39efa4a4d6e9ba141ae5eec3b77376450cecf6a33e7d23b050fa19f04a64b34bb098c10fd5e1aec24f48c6f5b62e281d350f56b6ab0053aa

Filesize: 239KB
MD5: 503c4b1dbdc9374076a28fdcd806f8f1
SHA1: b12066dafdd11699ea68530212351d46f2f47d90
SHA256: 5400948b87fa6b72948ced12a82da1a189756a1e090c9830877017bd899ec1d6
SHA512: a30fcc81dde750de39efa4a4d6e9ba141ae5eec3b77376450cecf6a33e7d23b050fa19f04a64b34bb098c10fd5e1aec24f48c6f5b62e281d350f56b6ab0053aa

Filesize: 270KB
MD5: 3186e0eaf5fc5352b4eeb23400e5234e
SHA1: 05457dd4069e3d2d9ab9a4068c2359313113cfd3
SHA256: 54a64b3f3e95d5830372b32fc5732489b286cfb51f56f0c79391db669dc36ee4
SHA512: 625f437bd017353cb288dce020a4e00224ca2eb12762d11eeb8313903057f62acb52e0bc1f235bc94e84947e4dc1deac671e140a3583e45b6ad6524113f7058b

Filesize: 29.7MB
MD5: 93180023ef0723f27e038ac9f300f0c9
SHA1: 2561ffbf5cfd7bd936e0db4531edffb8e89b6e5e
SHA256: 82208bc0a7479f7145381d820b14fb3a4ce0ecb1e9534ae18bcb887a3d0c707a
SHA512: a59509a8fd5e2002ec09635630052b45657a1c9de7283263b37816d8414f405dcc2ba247606abfbe72fe48c769c5069f61964ed57b54bba791f3edd8db3c7c7f

Filesize: 598KB
MD5: e7c701e8604ba841c83621258500cc93
SHA1: f37e112fa89c236a4dafda7fa096a171584e5de1
SHA256: af0c6b954e0288ff0051a0fad703fd3c1f27e2926f309e4f74852bfab2e72635
SHA512: 3c69535b5840534bf044d209af8aad4b4eb45b1ffb0f9b3a61a728d3f7ce908adada30c73704fe3459e7b74096fd6413825b45f322a51a4ba585bdb6ca3638df

Filesize: 200KB
MD5: 48afa4e12ef99267672d3e1c06e5e9c8
SHA1: 9296aa5de360443b317c2d2da1cf60b0dafb24a2
SHA256: d1431d7a77d2a6dddf8fd0614bf24818d72a84340f31234118faf96a0fc57530
SHA512: 57e4d38510cdd3ff59c1bca134c86e1db9e65f82571e27a2e15f19e7d3584f8fb92865714c1f49c03652f07d79e245ea1979f339eacd542ade1daa92697dae08

Filesize: 270KB
MD5: 3186e0eaf5fc5352b4eeb23400e5234e
SHA1: 05457dd4069e3d2d9ab9a4068c2359313113cfd3
SHA256: 54a64b3f3e95d5830372b32fc5732489b286cfb51f56f0c79391db669dc36ee4
SHA512: 625f437bd017353cb288dce020a4e00224ca2eb12762d11eeb8313903057f62acb52e0bc1f235bc94e84947e4dc1deac671e140a3583e45b6ad6524113f7058b