204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed

General

Target

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
Size

3.9MB
MD5

bca6b95784be22950d3c68f7c021418b
SHA1

a80dbf95d96ab9402e644eb1e271a9431bbc7b53
SHA256

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed
SHA512

00db30ff69cb35c301b4a4d52778414e4e176ef183da1da587df63069706cfa0c62d72fa4e010c05241bc25e182c6e5183a40d7e61a2e15924d875068e533f08

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 64 IoCs

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jre7\bin\javacpl.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\89.0.4389.114_chrome_installer.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

Drops file in Windows directory 64 IoCs

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Boot\PCAT\memtest.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\ehome\wow\ehexthost32.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\ehome\ehrec.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\ehome\mcGlidHost.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\5ada68cfa2258a2d4e3c3779106faf9b\Microsoft.Workflow.Compiler.ni.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\ehome\RegisterMCEApp.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\ehome\MediaCenterWebLauncher.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

NTFS ADS 1 IoCs

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

pid process

1348 204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

pid	process
1348	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

C:\Users\Admin\AppData\Local\Temp\204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
"C:\Users\Admin\AppData\Local\Temp\204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1348