Analysis
max time kernel: 151s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 17:13
Static task: static1
Behavioral task: behavioral1
Sample: fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
Resource: win7-20220812-en
General
Target: fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
Size: 588KB
MD5: 025387dd4f24847516237f55e913bad5
SHA1: 2010e8f192449436731f14fd756239f7bad03755
SHA256: fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce
SHA512: fef98c75716596bf6d0b77ce8ca63cca5558fe7aa679f7c7553408768b58fc8e1c2dcef8471451895416beed9413cee103f3118155afdeb531755e73f9d9665c
SSDEEP: 12288:qXR2D/HOcfxGk5e3fbbREgC8VrtuqN/IrjD6yVQihlg:qEzOcfxGk5ePbygCI7NUVC
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
All three are legitimate 32-bit service binaries that the sample had already opened for modification earlier in the run (the Framework\v2.0.50727 and Framework\v4.0.30319 copies of mscorsvw.exe and the Source Engine ose.exe, each with a .vir copy created beside it), so "dropped" here means rewritten in place and executed afterwards. The 64-bit processes launched from system32 in the process tree (dllhost.exe, msiexec.exe, SearchIndexer.exe) are not flagged.
pid | Process
1316 | mscorsvw.exe
1088 | mscorsvw.exe
1868 | OSE.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 IoCs
OSE.EXE (the rewritten Source Engine binary, PID 1868) sets EnableNotifications to 0 under the Security Center service key for the logged-on user's SID, which switches off Action Center security notifications for that account.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000 | OSE.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000\EnableNotifications = "0" | OSE.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\G: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\R: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\T: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\S: | OSE.EXE
File opened (read-only) | \??\U: | OSE.EXE
File opened (read-only) | \??\F: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\J: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\N: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\F: | OSE.EXE
File opened (read-only) | \??\H: | OSE.EXE
File opened (read-only) | \??\K: | OSE.EXE
File opened (read-only) | \??\X: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\Y: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\J: | OSE.EXE
File opened (read-only) | \??\L: | OSE.EXE
File opened (read-only) | \??\T: | OSE.EXE
File opened (read-only) | \??\X: | OSE.EXE
File opened (read-only) | \??\E: | OSE.EXE
File opened (read-only) | \??\W: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\G: | OSE.EXE
File opened (read-only) | \??\Z: | OSE.EXE
File opened (read-only) | \??\I: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\K: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\L: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\O: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\Q: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\M: | OSE.EXE
File opened (read-only) | \??\N: | OSE.EXE
File opened (read-only) | \??\P: | OSE.EXE
File opened (read-only) | \??\H: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\M: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\U: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\V: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\I: | OSE.EXE
File opened (read-only) | \??\Z: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\Q: | OSE.EXE
File opened (read-only) | \??\V: | OSE.EXE
File opened (read-only) | \??\Y: | OSE.EXE
File opened (read-only) | \??\P: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\O: | OSE.EXE
File opened (read-only) | \??\R: | OSE.EXE
File opened (read-only) | \??\S: | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened (read-only) | \??\W: | OSE.EXE
Drops file in System32 directory 36 IoCs
Every write lands under SysWOW64, the 32-bit system directory. Where the report lists both events for a target, a "File created <name>.vir" from the sample sits beside a "File opened for modification <name>.exe" for the same path (dllhost, searchindexer, svchost, msiexec), and the already-rewritten OSE.EXE then opens many of the same service executables for modification a second time: the footprint of a file infector that keeps a .vir copy of each executable it rewrites.
description | ioc | Process
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created | \??\c:\windows\SysWOW64\searchindexer.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created | \??\c:\windows\SysWOW64\dllhost.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | OSE.EXE
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created | \??\c:\windows\SysWOW64\svchost.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created | \??\c:\windows\SysWOW64\msiexec.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | OSE.EXE
Drops file in Program Files directory 27 IoCs
description | ioc | Process
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created | \??\c:\program files (x86)\microsoft office\office14\groove.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | OSE.EXE
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | OSE.EXE
File opened for modification | C:\Program Files\7-Zip\7zG.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | OSE.EXE
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created | C:\Program Files\7-Zip\Uninstall.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | OSE.EXE
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | OSE.EXE
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | OSE.EXE
Drops file in Windows directory 27 IoCs
The ngen_service.lock, ngen_service.log and ngenservicelock.dat writes by mscorsvw.exe, and the Registration\{02D4B3F1-...}.crmlog writes by dllhost.exe, are the ordinary start-up artefacts of the .NET runtime optimization service and of COM+ (dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}). The remaining rows are the sample and OSE.EXE opening service executables for modification; .vir copies are created for the two 32-bit Framework builds of mscorsvw.exe, both of which later run and are flagged under "Executes dropped EXE".
description | ioc | Process
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | OSE.EXE
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | \??\c:\windows\ehome\ehsched.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | OSE.EXE
File opened for modification | \??\c:\windows\ehome\ehsched.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5CEE6980-3C38-4A08-A057-F5E855F5CFC1}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5CEE6980-3C38-4A08-A057-F5E855F5CFC1}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | OSE.EXE
File created | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | OSE.EXE
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | OSE.EXE
File created | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
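Added example, not part of the sandbox report or of the sandbox's own rule set: a small Python triage script that takes IoC rows in a `description | ioc | process` form (the three fields the report's signature tables carry) and reproduces three of the report's findings as explicit, testable rules: the drive sweep behind "Enumerates connected drives", the `.exe`/`.vir` pairing behind the three "Drops file" sections, and the Security Center EnableNotifications change behind "Windows security modification". The embedded rows are a subset copied from this report; the rule logic, the `min_letters` threshold and the function names are the editor's own, and the reading of the `.vir` file as a copy of the original executable is an assumption the report does not state.

```python
"""Triage rules over sandbox IoC rows (added example, not sandbox code).

Each row is "description | ioc | process", the three fields the report's
signature tables carry. Rows below are a subset copied from the report;
the rules are the editor's reconstruction of what the signature names
imply, not the sandbox's own rule definitions.
"""
import json
import re
from collections import defaultdict

SAMPLE = "fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe"

# Subset of the report's rows; "{s}" is replaced with the sample's file name.
IOC_ROWS = r"""
File opened (read-only) | \??\E: | {s}
File opened (read-only) | \??\G: | {s}
File opened (read-only) | \??\R: | {s}
File opened (read-only) | \??\T: | {s}
File opened (read-only) | \??\S: | OSE.EXE
File opened (read-only) | \??\U: | OSE.EXE
File opened (read-only) | \??\F: | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | {s}
File created | \??\c:\windows\SysWOW64\svchost.vir | {s}
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | {s}
File created | \??\c:\windows\SysWOW64\msiexec.vir | {s}
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | {s}
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | OSE.EXE
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | {s}
File created | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir | {s}
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000 | OSE.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000\EnableNotifications = "0" | OSE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
""".replace("{s}", SAMPLE)

DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")   # matches \??\X:


def parse_rows(text):
    """Split the rows into (description, ioc, process) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            desc, ioc, proc = (f.strip() for f in line.split(" | "))
            rows.append((desc, ioc, proc))
    return rows


def drive_sweep(rows, min_letters=3):
    """'Enumerates connected drives': processes that open the root of at
    least min_letters distinct drives other than C:. One or two probes are
    ordinary installer behaviour; walking the alphabet is not."""
    seen = defaultdict(set)
    for desc, ioc, proc in rows:
        m = DRIVE_ROOT.match(ioc)
        if desc == "File opened (read-only)" and m and m.group(1) != "C":
            seen[proc].add(m.group(1))
    return {p: sorted(v) for p, v in seen.items() if len(v) >= min_letters}


def infected_executables(rows):
    """Pair 'File created <x>.vir' with 'File opened for modification <x>.exe'
    on the same path stem (case-insensitive). An .exe opened for modification
    with no .vir sibling (lsass.exe above) is left out on purpose, so the rule
    only fires on the full pattern. Assumption, not stated by the report: the
    .vir file is the copy of the original kept by the infector."""
    backups, exe_paths, writers = {}, {}, defaultdict(set)
    for desc, ioc, proc in rows:
        low = ioc.lower()
        if desc == "File created" and low.endswith(".vir"):
            backups[low[:-4]] = ioc
        elif desc == "File opened for modification" and low.endswith(".exe"):
            exe_paths.setdefault(low[:-4], ioc)
            writers[low[:-4]].add(proc)
    return {exe_paths[s]: {"backup": backups[s], "writers": sorted(writers[s])}
            for s in writers if s in backups}


def security_center_tampering(rows):
    """'Windows security modification': processes that set
    EnableNotifications = "0" under the Security Center service key, which
    turns off Action Center security notifications for that user SID."""
    return [proc for desc, ioc, proc in rows
            if desc.startswith("Set value")
            and "\\security center\\svc\\" in ioc.lower()
            and ioc.lower().endswith('enablenotifications = "0"')]


def triage(text=IOC_ROWS):
    """Run all three rules and return the findings as one dict."""
    rows = parse_rows(text)
    return {"drive_sweep": drive_sweep(rows),
            "infected_executables": infected_executables(rows),
            "security_center_tampering": security_center_tampering(rows)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

On the full report the drive rule fires for both the sample and OSE.EXE (22 distinct letters each), the pairing rule yields the dllhost, searchindexer, svchost, msiexec, groove, ose, Uninstall and both Framework mscorsvw executables, and the registry rule fires once, for OSE.EXE. Keeping the rules as functions over the rows rather than hard-coding the answers is what makes them reusable on the next report in the same format.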
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
1868 | OSE.EXE (14 identical events)
Suspicious use of AdjustPrivilegeToken 8 IoCs
The sample (PID 1928) and the rewritten OSE.EXE (PID 1868) each enable SeTakeOwnershipPrivilege, the privilege that lets an administrator take ownership of, and then re-ACL, executables under Windows and Program Files that are not otherwise writable; this is consistent with the mass "File opened for modification" rows above. The msiexec.exe and SearchIndexer.exe entries are the privileges those services normally enable when they start.
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1928 | fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
Token: SeRestorePrivilege | 996 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 996 | msiexec.exe
Token: SeSecurityPrivilege | 996 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1868 | OSE.EXE
Token: SeManageVolumePrivilege | 1636 | SearchIndexer.exe
Token: 33 (SeIncWorkingSetPrivilege) | 1636 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1636 | SearchIndexer.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1164 | SearchProtocolHost.exe (4 identical events)
Suspicious use of WriteProcessMemory 6 IoCs
SearchIndexer.exe (PID 1636) writing into its newly created SearchProtocolHost.exe (PID 1164) and SearchFilterHost.exe (PID 924) children is how the Windows Search service starts its helper processes; nothing in the report links these writes to the sample.
description | pid | Process | procid_target
PID 1636 wrote to memory of 1164 | 1636 | SearchIndexer.exe | 32 (3 identical events)
PID 1636 wrote to memory of 924 | 1636 | SearchIndexer.exe | 33 (3 identical events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1928
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1316
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  PID: 1088
-
C:\Windows\system32\dllhost.exe
  command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
  PID: 1776
-
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 996
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1868
-
C:\Windows\system32\SearchIndexer.exe
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1636
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 1636)
      command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-999675638-2867687379-27515722-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-999675638-2867687379-27515722-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      - Suspicious use of SetWindowsHookEx
      PID: 1164
    C:\Windows\system32\SearchFilterHost.exe (child of PID 1636)
      command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      PID: 924
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 284KB
MD5: e439430997faf032bb90db4cb3cfb85d
SHA1: f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8
SHA256: d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb
SHA512: 98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c
-
Filesize: 1.2MB
MD5: 8174bc516ba6943da8e0f2daec453f27
SHA1: 414db3d2b6875d529a290517033fbf8002a4b319
SHA256: f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a
SHA512: a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96
-
Filesize: 284KB
MD5: 30f405a97b08488c04efaa1d5213e20b
SHA1: 127df5dce302ba835d2d5bfdef7180bfe083c218
SHA256: dfc58630836beff19714126044f49a9dad25bceaafaf6e6949c15c8b9d0df0ac
SHA512: 7a779f589def43261691af3e8615c7837cc7a474e5a6de64acc179e3a98d3d172e0a5cfb40948b4e589307a1ded1651d210789237944962049e62c014e124b80
-
Filesize: 203KB
MD5: 044912029c19d62aeaf9696e5c7571e6
SHA1: 430fabb9a633844262f1cd98aa30e1e18bb94709
SHA256: 3192abec7dabc46ee9c560e9c98902077ed8b2dba0cd83a477aab146a0909b16
SHA512: 200fbee4e62fc40554fdac99009e863ac6ef46728b30a699190c87318f555c4cfd6722ee8b69e4a8fb5400b0e0a9eb0d4ce0ea25444008c9f933a19935926351
-
Filesize: 203KB
MD5: 044912029c19d62aeaf9696e5c7571e6
SHA1: 430fabb9a633844262f1cd98aa30e1e18bb94709
SHA256: 3192abec7dabc46ee9c560e9c98902077ed8b2dba0cd83a477aab146a0909b16
SHA512: 200fbee4e62fc40554fdac99009e863ac6ef46728b30a699190c87318f555c4cfd6722ee8b69e4a8fb5400b0e0a9eb0d4ce0ea25444008c9f933a19935926351
-
Filesize: 234KB
MD5: a2c38d829b9067afb005940eafe982a8
SHA1: cd2e5e49a74d876fe1b5acd38d32e15e6340a324
SHA256: 0f2ec75a593e529f080b4c6b533c6abf0ffda207b3b45cf8c57420b301a07687
SHA512: 2cb57abee85e74cbfc4d10134fa58c5269a8b2a12310108aac925793357641aaea227ea7753dd1233f4cec55e5240a3c9a22625b8f4275764359f50d7a29702a
-
Filesize: 29.7MB
MD5: 32d86ff57a319885eeafca506077062f
SHA1: 3532be36569ce1a7205c950da66de8b5e1be236c
SHA256: 3370b81483892ac837875a0a0a8e18e64bc4671fd33a2149f1083f8d9da15020
SHA512: 58a0bcbd70bb617f80844c0959f30fd7aabff421f6ad939737f71630f38d825aeff897128f738a1c5435dbd0173bcc235a3fd05559a295dbfe972197bf0784c2
-
Filesize: 562KB
MD5: 7cfb902dffcb01be69c5360a7d57e939
SHA1: 8c99f9e9eea3eb4c6a51e4c116fcccf02f0ac55e
SHA256: f953077c916632917a7fec91b89b21d9d4cee2edb7ff963d2523ae1b4bb15382
SHA512: 2d259c9ff90fcfd02fb5510b57e1fa15b4b965dc04c308c6882c29a41e6b6b83b7b44e2939c9828e15167ef045ddb5109ab8dff1203b252390854321f2b24d70
-
Filesize: 164KB
MD5: 6ccf18585993893d348983304ea2fdd0
SHA1: c9fd1b699fbddada9c4b07f28df717e1ecf66f4b
SHA256: 2d427900fc953820e9bee5b0902a27015bdf82b35d8cda8c7ef722551fa86df6
SHA512: fc36bc1496768e2a4e66f19f584b6a55e547d3e70382aa00e4f4c504162ad0c90ec2ba53dbffdff6d4dc3e2c1434ee262f2d00993ba86e92b00912171741edd9
-
Filesize: 234KB
MD5: a2c38d829b9067afb005940eafe982a8
SHA1: cd2e5e49a74d876fe1b5acd38d32e15e6340a324
SHA256: 0f2ec75a593e529f080b4c6b533c6abf0ffda207b3b45cf8c57420b301a07687
SHA512: 2cb57abee85e74cbfc4d10134fa58c5269a8b2a12310108aac925793357641aaea227ea7753dd1233f4cec55e5240a3c9a22625b8f4275764359f50d7a29702a