Analysis
max time kernel: 151s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 16:42
Static task: static1
Behavioral task: behavioral1
Sample: 19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac.exe
Resource: win7-20220901-en
General
Target: 19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac.exe
Size: 1.4MB
MD5: 31cbddc2dc168ed87f5d7d597f6d054e
SHA1: d3c21ac8038e48c4c53b96c1d37921e28222ddcc
SHA256: 19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac
SHA512: 014e9562a764f01c29e71556df2c9ae9768e2547e83056d3f5eb3f82693aade10f437c75eee29b8eb841f11019e491408b2ef77fa990c5e239d960f4c605bdb0
SSDEEP: 24576:Gwa2WYC3X9ovTzB4uOG6A4Sgt8G0+j4OHISDWjb5IsEi0cTG0tV0EZ:pd8X9Szd76A4S68o31DOm6TG0tV0EZ
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid Process
- 2040 mscorsvw.exe
- 1688 mscorsvw.exe
- 1508 OSE.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description ioc Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000 (OSE.EXE)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000\EnableNotifications = "0" (OSE.EXE)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 36 IoCs
Drops file in Program Files directory 28 IoCs
Drops file in Windows directory 27 IoCs
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (SearchIndexer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (SearchIndexer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (SearchIndexer.exe)
Suspicious behavior: EnumeratesProcesses 15 IoCs
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process
- Token: SeTakeOwnershipPrivilege, 1408 19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac.exe
- Token: SeRestorePrivilege, 1368 msiexec.exe
- Token: SeTakeOwnershipPrivilege, 1368 msiexec.exe
- Token: SeSecurityPrivilege, 1368 msiexec.exe
- Token: SeTakeOwnershipPrivilege, 1508 OSE.EXE
- Token: SeManageVolumePrivilege, 360 SearchIndexer.exe
- Token: 33, 360 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege, 360 SearchIndexer.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
- 1344 SearchProtocolHost.exe
- 1344 SearchProtocolHost.exe
- 1344 SearchProtocolHost.exe
- 1344 SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
- PID 360 wrote to memory of 1344, 360 SearchIndexer.exe, target 33
- PID 360 wrote to memory of 1344, 360 SearchIndexer.exe, target 33
- PID 360 wrote to memory of 1344, 360 SearchIndexer.exe, target 33
- PID 360 wrote to memory of 1440, 360 SearchIndexer.exe, target 34
- PID 360 wrote to memory of 1440, 360 SearchIndexer.exe, target 34
- PID 360 wrote to memory of 1440, 360 SearchIndexer.exe, target 34
Processes

C:\Users\Admin\AppData\Local\Temp\19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (level 1)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 1)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
PID: 1688

C:\Windows\system32\dllhost.exe (level 1)
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Drops file in Windows directory
PID: 1140

C:\Windows\system32\msiexec.exe (level 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
PID: 1368

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1508

C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 360

  C:\Windows\system32\SearchProtocolHost.exe (level 2, child of PID 360)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  - Suspicious use of SetWindowsHookEx
  PID: 1344

  C:\Windows\system32\SearchFilterHost.exe (level 2, child of PID 360)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  PID: 1440
Network
MITRE ATT&CK Enterprise v6
Downloads