Analysis
max time kernel: 143s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 02:00
Static task: static1
Behavioral task: behavioral1
Sample: 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
Resource: win7-20220812-en

General
Target: 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
Size: 262KB
MD5: a33cc8c97669042961e6a13e0a424060
SHA1: 8d1c3f2acf901de323126407869c6f8ead97596b
SHA256: 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41
SHA512: 6893123c3fedc4c756626bb1f314071859bf5f6d4db9f6de64c23671611c91e0e3f3222f6ff74777b937d16d773eb3e56e3bca07c88673dfb73219b1811ac905
SSDEEP: 3072:6P7SuAWFyAgHlI6EbLuweIExg7d8dTwNAGDiNFm/6sFccng4/x/qz1ou:gbnTGIfAI7p8dTwNd//q
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description                ioc       Process
File opened (read-only)    \??\A:    65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
File opened (read-only)    \??\B:    65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Modifies registry class 9 IoCs
description / ioc / Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\ = "Fax Cover Page" 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell\open 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell\print 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\DefaultIcon 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe,1" 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell\open\command 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FaxCover.Document\shell\print\command 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid / Process
- 1112 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
- 1112 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description / pid / Process / procid_target
- PID 1112 wrote to memory of 2036 / 1112 / 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe / 27
- PID 1112 wrote to memory of 2036 / 1112 / 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe / 27
- PID 1112 wrote to memory of 2036 / 1112 / 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe / 27
- PID 1112 wrote to memory of 2036 / 1112 / 65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe / 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\65ba6b043e119de3ac226b87b194e8311d3ad67018b4fcc21bf94db5c57eeb41.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\splwow64.exe (child of PID 1112)
Command line: C:\Windows\splwow64.exe 12288
PID:2036
-