Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 30-04-2024 03:38
Static task
static1
Behavioral task
behavioral1
Sample
de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
Resource
win7-20240221-en
General
- Target: de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
- Size: 52KB
- MD5: 5e20aa27e0c6aa69dd478d98cb2e71b1
- SHA1: 039ab3293334038d9fd3850e230ba3fe6a40067e
- SHA256: de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09
- SHA512: 3796fd9390f9d678363405fad19608398c761f0f643df3986c765a9abb7e3a8da8e9ee607454a0acc2659e77118515a7c17b6e33375bec64a14f0e7df0c3460e
- SSDEEP: 768:FlQ4hrvaEGU4aikqykezg2XpfY5jYioRo78Wl5:fLhE1Dezg2ZfYAo4E5
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\Z: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\L: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\T: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\U: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\V: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\X: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\Y: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\H: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\J: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\K: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\P: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\Q: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\R: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\S: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\W: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\E: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\I: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\M: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\N: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\O: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened (read-only) | \??\G: | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
- Drops file in System32 directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\WINDOWS\SysWOW64\IME\IMEJP10\IMJPDADM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\IME\IMEJP10\IMJPUEXC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\PUSHPRINTERCONNECTIONS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\SYSTEMINFO.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\DWWIN.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\FINDSTR.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\HOSTNAME.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\RPCPING.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\DLLHOST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\SEARCHFILTERHOST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\TASKKILL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\FSUTIL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\DXDIAG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\PROQUOTA.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\CMMON32.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\ISCSICLI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\MIGWIZ\MIGHOST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\TASKENG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\DEVICEPAIRINGWIZARD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\NTKRNLPA.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\SECINIT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\DLLHST3G.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\CONVERT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\NSLOOKUP.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\TSTHEME.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\GRPCONV.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\LOGAGENT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\NDADMIN.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\RASPHONE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\regedit.exe | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\SYSTEMPROPERTIESCOMPUTERNAME.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\SEARCHINDEXER.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\RUNAS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\TASKENG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\MRINFO.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\POWERCFG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSTEM32\DRIVERSTORE\FILEREPOSITORY\DIVACX64.INF_AMD64_NEUTRAL_FA0F82F024789743\XLOG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\AUDITPOL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\IEUNATT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\NTPRINT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\MIGWIZ\MIGWIZ.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\RMACTIVATE_ISV.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\ATTRIB.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\DFRGUI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\DISM\DISMHOST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\HELP.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\PUSHPRINTERCONNECTIONS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\SCHTASKS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\WININIT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\HELP.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\CTTUNE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\DOSKEY.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\DPNSVR.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\EFSUI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\WINRSHOST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\CTFMON.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\WHERE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\DPISCALING.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\MUIUNATTEND.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\SC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\SORT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SYSWOW64\W32TM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\RMACTIVATE_SSP.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\SysWOW64\BOOTCFG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\SPIDERSOLITAIRE\SPIDERSOLITAIRE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\MSOHTMED.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JCONSOLE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\JAVAW.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\RMIREGISTRY.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEINSTAL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME_PROXY.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\INTERNET EXPLORER\IEINSTAL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\MULTIPLAYER\CHECKERS\CHKRZM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MSTORDB.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS SIDEBAR\SIDEBAR.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\FLICKLEARNINGWIZARD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\JAVA.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\ACROTEXTEXTRACTOR.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\APT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\RMID.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPDMC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\SETUP_WM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\SMART TAG\SMARTTAGINSTALL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MSACCESS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\PACK200.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\KTAB.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\WINDOWS JOURNAL\PDIALOG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JARSIGNER.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\READER_SL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\SSVAGENT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\106.0.5249.119\ELEVATION_SERVICE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JSADEBUGD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\SERVERTOOL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPNSCFG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MISC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS NT\ACCESSORIES\WORDPAD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\NATIVE2ASCII.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\CRASHREPORTER.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\WINDOWS MAIL\WABMIG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\VSTO\10.0\VSTOINSTALLER.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.151\GOOGLEUPDATECORE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\DISABLEDGOOGLEUPDATE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\GROOVEMN.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7ZG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\PACK200.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.151\GOOGLEUPDATECOMREGISTERSHELL64.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPRPH.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\INTERNET EXPLORER\IELOWUTIL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPSHARE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE14\OARPMANY.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\INK\TABTIP32.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MSPUB.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\CONVERTINKSTORE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\TNAMESERV.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\WINDOWS PHOTO VIEWER\IMAGINGDEVICES.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\EQNEDT32.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\INTERNET EXPLORER\IEDIAGCMD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVA.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\POLICYTOOL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\POWERPNT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\SCHEMAGEN.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\JAVA-RMI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\MINESWEEPER\MINESWEEPER.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\KLIST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\ORBD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MAIL\WINMAIL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
- Drops file in Windows directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\ADDINUTIL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-D..IME-EASHARED-IMEPAD_31BF3856AD364E35_6.1.7601.17514_NONE_98B24799B5D08C05\IMEPADSV.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-E..AGEENGINE-UTILITIES_31BF3856AD364E35_6.1.7600.16385_NONE_3580DEA4DEF227D4\ESENTUTL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-I..I_INITIATOR_SERVICE_31BF3856AD364E35_6.1.7601.17514_NONE_3899B0AD2BB77A86\ISCSICLI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-GRPCONV_31BF3856AD364E35_6.1.7600.16385_NONE_A25E7B019F016E70\GRPCONV.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-MEDIAPLAYER-SETUP_31BF3856AD364E35_6.1.7601.17514_NONE_AFFB336D34CCF2F8\SETUP_WM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LUA_31BF3856AD364E35_6.1.7601.17514_NONE_047062A1736AF5B9\CONSENT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_WCF-SMSVCHOST_B03F5F7F11D50A3A_6.1.7600.16385_NONE_C7F13AF70AC77B22\SMSVCHOST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-AT_31BF3856AD364E35_6.1.7600.16385_NONE_4CD7FA8CE5381B26\AT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-I..-SETIEINSTALLEDDATE_31BF3856AD364E35_8.0.7600.16385_NONE_23079F05995EE912\SETIEINSTALLEDDATE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-IE-IECLEANUP_31BF3856AD364E35_11.2.9600.16428_NONE_441ECCC2F13EAB51\IECLEANUP.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-FINDSTR_31BF3856AD364E35_6.1.7601.17514_NONE_855590D1705431C5\FINDSTR.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WMI-CONSUMERS_31BF3856AD364E35_6.1.7600.16385_NONE_A6C7190F7292676C\SCRCONS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX-DFSVC_B03F5F7F11D50A3A_6.1.7600.16385_NONE_96DBB959BA7C7A79\DFSVC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SCRIPTING_31BF3856AD364E35_6.1.7600.16385_NONE_A45D44BD1A0AF822\WSCRIPT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-TCPIP_31BF3856AD364E35_6.1.7601.17514_NONE_CA00459DDA59F6F4\NETIOUGC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\INSTALLER\{90140000-0011-0000-0000-0000000FF1CE}\OISICON.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DW20.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ILASM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\EDMGEN.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..OXGAMES-PURBLEPLACE_31BF3856AD364E35_6.1.7600.16385_NONE_622070221822EB39\PURBLEPLACE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-A..ENCE-INFRASTRUCTURE_31BF3856AD364E35_6.1.7601.17514_NONE_3D8BB37F97BA22FF\SDBINST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-EFS-UI_31BF3856AD364E35_6.1.7600.16385_NONE_F64B1E25E8EA1172\EFSUI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_NETFX-ASPNET_REGIIS_EXE_B03F5F7F11D50A3A_6.1.7600.16385_NONE_E6AF0ACBDE467B7B\ASPNET_REGIIS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODELREG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TELNET-CLIENT_31BF3856AD364E35_6.1.7600.16385_NONE_1426830C3EBB712D\TELNET.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-M..-MANAGEMENT-CONSOLE_31BF3856AD364E35_6.1.7600.16385_NONE_0F49A133D6F5D42B\MMC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-SERVICES-SVCHOST_31BF3856AD364E35_6.1.7600.16385_NONE_B591AFC466A15356\SVCHOST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-TASKKILL_31BF3856AD364E35_6.1.7600.16385_NONE_25545528BD642170\TASKKILL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\ASSEMBLY\GAC_MSIL\COMSVCCONFIG\3.0.0.0__B03F5F7F11D50A3A\COMSVCCONFIG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\EXPLORER.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-AUTOCHKCONFIGURATOR_31BF3856AD364E35_6.1.7600.16385_NONE_74B76D3FA1757C6F\CHKNTFS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MSBUILD_B03F5F7F11D50A3A_3.5.7601.17514_NONE_EA8CA0C25E350957\MSBUILD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WRITE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\INSTALLER\{90140000-0011-0000-0000-0000000FF1CE}\INFICON.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-FEEDSBS_31BF3856AD364E35_11.2.9600.16428_NONE_DEA50217EFD0356B\MSFEEDSSYNC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_6.1.7600.16385_NONE_655452EFE0FB810B\POQEXEC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_NETFX-CVTRES_FOR_VC_AND_VB_B03F5F7F11D50A3A_6.1.7601.17514_NONE_BA1C770AF0B2031B\CVTRES.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ILASM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\NGEN.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-RASCLIENTTOOLS_31BF3856AD364E35_6.1.7600.16385_NONE_CB3BC16FC2624947\RASPHONE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-IE-PDM_31BF3856AD364E35_8.0.7601.17514_NONE_0A379BCFBDCFFB74\PDMSETUP.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\PRESENTATIONFONTCAC#\B3ADE8D5C0D4BB5D4940BCAFD3453642\PRESENTATIONFONTCACHE.NI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_64\COMSVCCONFIG\D632B7434F821829827657E23AC98589\COMSVCCONFIG.NI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-MEDIAPLAYER-AUTOPLAY_31BF3856AD364E35_6.1.7601.17514_NONE_7920B60D569A4A1E\WMLAUNCH.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-NFS-CLIENTCMDTOOLS_31BF3856AD364E35_6.1.7600.16385_NONE_AD5854CA0A23343D\UMOUNT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-PEERTOPEERCOLLAB_31BF3856AD364E35_6.1.7600.16385_NONE_F32A402A46D391F3\P2PHOST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-SNMP-AGENT-SERVICE_31BF3856AD364E35_6.1.7601.17514_NONE_5FAF9128A3432508\SNMP.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-USERINIT_31BF3856AD364E35_6.1.7601.17514_NONE_DE3024012FF21116\USERINIT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODELREG.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IEINSTAL_31BF3856AD364E35_8.0.7601.17514_NONE_617C25C51F43E03F\IEINSTAL.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-P..TING-TOOLS-PRINTBRM_31BF3856AD364E35_6.1.7601.17514_NONE_DFE02DE35BF41E0B\PRINTBRM.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX-JSC_B03F5F7F11D50A3A_6.1.7600.16385_NONE_14E6E9DAB736481D\JSC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-P..INSTALLERANDPRINTUI_31BF3856AD364E35_6.1.7601.17514_NONE_3ECEEF6140EC9728\PRINTUI.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MSBUILD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LSA_31BF3856AD364E35_6.1.7601.17514_NONE_04709031736AC277\LSASS.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-M..OMMANDLINEUTILITIES_31BF3856AD364E35_6.1.7600.16385_NONE_7CF343CAC8A829EC\SUBST.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-MAKECAB_31BF3856AD364E35_6.1.7600.16385_NONE_F0A5D809CA926E4F\MAKECAB.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WRITEWIN_31BF3856AD364E35_6.1.7600.16385_NONE_378836C309EE380E\WRITE.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-IIS-SHAREDLIBRARIES_31BF3856AD364E35_6.1.7601.17514_NONE_79642285FFD2A388\APPCMD.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-IE-IMPEXP-EXTEXPORT_31BF3856AD364E35_11.2.9600.16428_NONE_B436382B203656BE\EXTEXPORT.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-INTERNATIONAL-CORE_31BF3856AD364E35_6.1.7601.17514_NONE_EBB1CE7438031941\MUIUNATTEND.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-WINRE-RECOVERYTOOLS_31BF3856AD364E35_6.1.7601.17514_NONE_D7553E5FCF6B6373\REAGENTC.EXE | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3000 | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3000 | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  3000 | de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de6ef5aecac976d5a265244582ced1ffd406596b3d1ef2231543927622e72c09.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3000