Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 19/03/2024, 22:07
Static task: static1
Behavioral task: behavioral1
Sample: 84ca0a6017d60d80186f83b3b984e495897d5ec58962dbed5a5d4a21a73832ca.exe
Resource: win7-20240215-en
General
Target: 84ca0a6017d60d80186f83b3b984e495897d5ec58962dbed5a5d4a21a73832ca.exe
Size: 4.2MB
MD5: 36e37f10405484f08a31af912ecdffc6
SHA1: d360437622641185fa29f1a59c3a5c49e6afdfdf
SHA256: 84ca0a6017d60d80186f83b3b984e495897d5ec58962dbed5a5d4a21a73832ca
SHA512: b80a8704ceeecdef76cc6d96e28f8049ba5e121ce73cc51b59d867c1fcd5f31e3a9103031092b73a6d0acece9def3b60f62b2dd908fa6ec0d7ca8db4b8f34396
SSDEEP: 49152:SHJFPTI9DkYOMwwnMb4PmyV9HbYcMRT/HMph7GBfWxph7GBfWGLninAHC3M:CdYOXwnS4rVR5v77GBfWx77GBfWGLe8
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2316, process 84ca0a6017d60d80186f83b3b984e495897d5ec58962dbed5a5d4a21a73832ca.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\84ca0a6017d60d80186f83b3b984e495897d5ec58962dbed5a5d4a21a73832ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\84ca0a6017d60d80186f83b3b984e495897d5ec58962dbed5a5d4a21a73832ca.exe"
  PID: 2316
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.8MB
  MD5: 2843e6f346ef2bbca306bcb86eb59080
  SHA1: 504a8a72e67ee01885f0592c15b2a4775797021c
  SHA256: b1179b238f207390b4020e6c917fbb77167e3024977d1153a4062c56095d0ebc
  SHA512: a4665ffd5bcef7e43dd741189233440451040a8056b7af853e5c7af94d9a8c52e32d345d2f7184f9b0c9c8942ed0d3e759cc5289709fb2daed475de92a8ac674