Analysis
max time kernel: 136s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 1731e6f159778b20be4f37da73b2d2e1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1731e6f159778b20be4f37da73b2d2e1.exe
  Resource: win10v2004-20231215-en
General
Target: 1731e6f159778b20be4f37da73b2d2e1.exe
Size: 1.7MB
MD5: 1731e6f159778b20be4f37da73b2d2e1
SHA1: 3269e5651542e418e0aab0e3198ce321ea6ee2b6
SHA256: 53ea49d23dff0a45344c9dd2047242dce99a977ef4e9dfc89b6e6f29d726eea3
SHA512: 496537d992d1a94dbcdc668c8d146eb4527d55500e4e828876f26988bb6964a8858e9253c6f0e76c706e43217fb77b097ab8ad271cab4130c9cb9f6ae0b92357
SSDEEP: 12288:ro7oPnj0bidyzNJbT7SCo7oPnj0bidyzNJbT7SCo7oPnj0bidyzNJbT7SCo7oPnW:PnQfrnQfrnQfrnQfR
Malware Config
Signatures
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"; process: 1731e6f159778b20be4f37da73b2d2e1.exe
-
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf; process: 1731e6f159778b20be4f37da73b2d2e1.exe
-
Drops file in System32 directory (64 IoCs)
-
Drops file in Program Files directory (64 IoCs)
-
Drops file in Windows directory (64 IoCs)
-
NTFS ADS (1 IoC)
description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf; process: 1731e6f159778b20be4f37da73b2d2e1.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid: 2296; process: 1731e6f159778b20be4f37da73b2d2e1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1731e6f159778b20be4f37da73b2d2e1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1731e6f159778b20be4f37da73b2d2e1.exe")
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2296