← Back to Explore
sigmamediumHunting
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
Detection Query
selection:
Image|endswith: \hxtsr.exe
filter_main_hxtsr:
Image|contains: :\program files\windowsapps\microsoft.windowscommunicationsapps_
Image|endswith: \hxtsr.exe
condition: selection and not 1 of filter_main_*
Author
Sreeman
Created
2020-04-17
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1036
Raw Content
title: Potential Fake Instance Of Hxtsr.EXE Executed
id: 4e762605-34a8-406d-b72e-c1a089313320
status: test
description: |
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
references:
- Internal Research
author: Sreeman
date: 2020-04-17
modified: 2024-02-08
tags:
- attack.defense-evasion
- attack.t1036
logsource:
product: windows
category: process_creation
detection:
# TODO: Link this to the more generic system process rule
selection:
Image|endswith: '\hxtsr.exe'
filter_main_hxtsr:
Image|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
Image|endswith: '\hxtsr.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium