fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce

Analysis

max time kernel
151s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
Size

588KB
MD5

025387dd4f24847516237f55e913bad5
SHA1

2010e8f192449436731f14fd756239f7bad03755
SHA256

fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce
SHA512

fef98c75716596bf6d0b77ce8ca63cca5558fe7aa679f7c7553408768b58fc8e1c2dcef8471451895416beed9413cee103f3118155afdeb531755e73f9d9665c
SSDEEP

12288:qXR2D/HOcfxGk5e3fbbREgC8VrtuqN/IrjD6yVQihlg:qEzOcfxGk5ePbygCI7NUVC

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1316	mscorsvw.exe
1088	mscorsvw.exe
1868	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\G:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\R:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\T:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\F:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\J:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\N:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\F:	OSE.EXE
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\X:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\Y:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\W:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\I:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\K:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\L:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\O:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\Q:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\H:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\M:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\U:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\V:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\Z:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\P:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\S:	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only)	\??\W:	OSE.EXE

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created	C:\Program Files\7-Zip\Uninstall.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	OSE.EXE
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	OSE.EXE

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5CEE6980-3C38-4A08-A057-F5E855F5CFC1}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5CEE6980-3C38-4A08-A057-F5E855F5CFC1}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE
1868	OSE.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1928	fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
Token: SeRestorePrivilege	996	msiexec.exe
Token: SeTakeOwnershipPrivilege	996	msiexec.exe
Token: SeSecurityPrivilege	996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1868	OSE.EXE
Token: SeManageVolumePrivilege	1636	SearchIndexer.exe
Token: 33	1636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1636	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1164	SearchProtocolHost.exe
1164	SearchProtocolHost.exe
1164	SearchProtocolHost.exe
1164	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1164	1636	SearchIndexer.exe	32
PID 1636 wrote to memory of 1164	1636	SearchIndexer.exe	32
PID 1636 wrote to memory of 1164	1636	SearchIndexer.exe	32
PID 1636 wrote to memory of 924	1636	SearchIndexer.exe	33
PID 1636 wrote to memory of 924	1636	SearchIndexer.exe	33
PID 1636 wrote to memory of 924	1636	SearchIndexer.exe	33

C:\Users\Admin\AppData\Local\Temp\fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
"C:\Users\Admin\AppData\Local\Temp\fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:1776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-999675638-2867687379-27515722-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-999675638-2867687379-27515722-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1164
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
284KB

MD5
e439430997faf032bb90db4cb3cfb85d

SHA1
f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8

SHA256
d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb

SHA512
98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
8174bc516ba6943da8e0f2daec453f27

SHA1
414db3d2b6875d529a290517033fbf8002a4b319

SHA256
f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a

SHA512
a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
284KB

MD5
30f405a97b08488c04efaa1d5213e20b

SHA1
127df5dce302ba835d2d5bfdef7180bfe083c218

SHA256
dfc58630836beff19714126044f49a9dad25bceaafaf6e6949c15c8b9d0df0ac

SHA512
7a779f589def43261691af3e8615c7837cc7a474e5a6de64acc179e3a98d3d172e0a5cfb40948b4e589307a1ded1651d210789237944962049e62c014e124b80

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
044912029c19d62aeaf9696e5c7571e6

SHA1
430fabb9a633844262f1cd98aa30e1e18bb94709

SHA256
3192abec7dabc46ee9c560e9c98902077ed8b2dba0cd83a477aab146a0909b16

SHA512
200fbee4e62fc40554fdac99009e863ac6ef46728b30a699190c87318f555c4cfd6722ee8b69e4a8fb5400b0e0a9eb0d4ce0ea25444008c9f933a19935926351

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
044912029c19d62aeaf9696e5c7571e6

SHA1
430fabb9a633844262f1cd98aa30e1e18bb94709

SHA256
3192abec7dabc46ee9c560e9c98902077ed8b2dba0cd83a477aab146a0909b16

SHA512
200fbee4e62fc40554fdac99009e863ac6ef46728b30a699190c87318f555c4cfd6722ee8b69e4a8fb5400b0e0a9eb0d4ce0ea25444008c9f933a19935926351

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
a2c38d829b9067afb005940eafe982a8

SHA1
cd2e5e49a74d876fe1b5acd38d32e15e6340a324

SHA256
0f2ec75a593e529f080b4c6b533c6abf0ffda207b3b45cf8c57420b301a07687

SHA512
2cb57abee85e74cbfc4d10134fa58c5269a8b2a12310108aac925793357641aaea227ea7753dd1233f4cec55e5240a3c9a22625b8f4275764359f50d7a29702a

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
32d86ff57a319885eeafca506077062f

SHA1
3532be36569ce1a7205c950da66de8b5e1be236c

SHA256
3370b81483892ac837875a0a0a8e18e64bc4671fd33a2149f1083f8d9da15020

SHA512
58a0bcbd70bb617f80844c0959f30fd7aabff421f6ad939737f71630f38d825aeff897128f738a1c5435dbd0173bcc235a3fd05559a295dbfe972197bf0784c2

Download Submit
\??\c:\windows\SysWOW64\searchindexer.exe

Filesize
562KB

MD5
7cfb902dffcb01be69c5360a7d57e939

SHA1
8c99f9e9eea3eb4c6a51e4c116fcccf02f0ac55e

SHA256
f953077c916632917a7fec91b89b21d9d4cee2edb7ff963d2523ae1b4bb15382

SHA512
2d259c9ff90fcfd02fb5510b57e1fa15b4b965dc04c308c6882c29a41e6b6b83b7b44e2939c9828e15167ef045ddb5109ab8dff1203b252390854321f2b24d70

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
164KB

MD5
6ccf18585993893d348983304ea2fdd0

SHA1
c9fd1b699fbddada9c4b07f28df717e1ecf66f4b

SHA256
2d427900fc953820e9bee5b0902a27015bdf82b35d8cda8c7ef722551fa86df6

SHA512
fc36bc1496768e2a4e66f19f584b6a55e547d3e70382aa00e4f4c504162ad0c90ec2ba53dbffdff6d4dc3e2c1434ee262f2d00993ba86e92b00912171741edd9

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
a2c38d829b9067afb005940eafe982a8

SHA1
cd2e5e49a74d876fe1b5acd38d32e15e6340a324

SHA256
0f2ec75a593e529f080b4c6b533c6abf0ffda207b3b45cf8c57420b301a07687

SHA512
2cb57abee85e74cbfc4d10134fa58c5269a8b2a12310108aac925793357641aaea227ea7753dd1233f4cec55e5240a3c9a22625b8f4275764359f50d7a29702a

Download Submit
memory/996-62-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/1088-60-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1316-58-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/1636-83-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

Filesize
64KB

Download
memory/1636-99-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/1636-102-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/1636-103-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

Filesize
32KB

Download
memory/1636-67-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/1868-64-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/1868-107-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/1928-61-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-55-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download