Malware Analysis Report

2024-11-15 05:40

Sample ID 240604-chv8tshf6s
Target b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c
SHA256 b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c
Tags

discovery persistence

Score

7/10

Analysis Overview

Score

7/10

SHA256

b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c

Threat Level: Shows suspicious behavior

The file b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 02:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 02:05

Reported

2024-06-04 02:08

Platform

win7-20240508-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe"

Signatures

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Operatingmsinfo = "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\en-us\\msinfowindows6.1.7600.163857.0907131255.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BuildingBuiltIn = "c:\\program files (x86)\\microsoft office\\office14\\document parts\\1033\\14\\builtinbuilding.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsSystem = "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\sqlxmlxmicrosoft.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\msolap100Microsoft = "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\serverinterfaces.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Microsoftmslid = "c:\\program files (x86)\\common files\\microsoft shared\\proof\\languagemicrosoft3.1.14709.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualVisual = "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\microsoftvisual.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ntdll.dll.dll C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\SysWOW64\ntdll.dll.dll \??\c:\program files (x86)\microsoft analysis services\as oledb\10\serverinterfaces.exe N/A
File created C:\Windows\SysWOW64\ntdll.dll.dll \??\c:\program files (x86)\common files\microsoft shared\msinfo\en-us\msinfowindows6.1.7600.163857.0907131255.exe N/A
File created C:\Windows\SysWOW64\ntdll.dll.dll \??\c:\program files (x86)\common files\system\ole db\en-us\sqlxmlxmicrosoft.exe N/A
File created C:\Windows\SysWOW64\ntdll.dll.dll \??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\microsoftvisual.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\PROOF\RCX57F3.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlxMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\RCX420F.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\MicrosoftVisual.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\BuiltInBuilding.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\ServerInterfaces.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\RCX426E.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\msinfoWindows6.1.7600.163857.0907131255.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\PROOF\LanguageMicrosoft3.1.14709.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLocEngine.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\BuiltInBuilding.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\RCX428E.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\RCX5803.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\en-US\RCX5823.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier \??\c:\program files (x86)\common files\system\ole db\en-us\sqlxmlxmicrosoft.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier \??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\microsoftvisual.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier \??\c:\program files (x86)\microsoft analysis services\as oledb\10\serverinterfaces.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\program files (x86)\common files\microsoft shared\msinfo\en-us\msinfowindows6.1.7600.163857.0907131255.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\program files (x86)\common files\system\ole db\en-us\sqlxmlxmicrosoft.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\program files (x86)\common files\system\ole db\en-us\sqlxmlxmicrosoft.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\program files (x86)\microsoft analysis services\as oledb\10\serverinterfaces.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\program files (x86)\microsoft analysis services\as oledb\10\serverinterfaces.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\program files (x86)\common files\microsoft shared\msinfo\en-us\msinfowindows6.1.7600.163857.0907131255.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier \??\c:\program files (x86)\common files\microsoft shared\msinfo\en-us\msinfowindows6.1.7600.163857.0907131255.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\microsoftvisual.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\microsoftvisual.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A \??\c:\program files (x86)\microsoft analysis services\as oledb\10\serverinterfaces.exe N/A
N/A N/A \??\c:\program files (x86)\common files\microsoft shared\msinfo\en-us\msinfowindows6.1.7600.163857.0907131255.exe N/A
N/A N/A \??\c:\program files (x86)\common files\system\ole db\en-us\sqlxmlxmicrosoft.exe N/A
N/A N/A \??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\microsoftvisual.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe \??\c:\program files (x86)\microsoft analysis services\as oledb\10\serverinterfaces.exe
PID 620 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe \??\c:\program files (x86)\common files\microsoft shared\msinfo\en-us\msinfowindows6.1.7600.163857.0907131255.exe
PID 620 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe \??\c:\program files (x86)\common files\system\ole db\en-us\sqlxmlxmicrosoft.exe
PID 620 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe \??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\microsoftvisual.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe

"C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe"

\??\c:\program files (x86)\microsoft analysis services\as oledb\10\serverinterfaces.exe

"c:\program files (x86)\microsoft analysis services\as oledb\10\serverinterfaces.exe"

\??\c:\program files (x86)\common files\microsoft shared\msinfo\en-us\msinfowindows6.1.7600.163857.0907131255.exe

"c:\program files (x86)\common files\microsoft shared\msinfo\en-us\msinfowindows6.1.7600.163857.0907131255.exe"

\??\c:\program files (x86)\common files\system\ole db\en-us\sqlxmlxmicrosoft.exe

"c:\program files (x86)\common files\system\ole db\en-us\sqlxmlxmicrosoft.exe"

\??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\microsoftvisual.exe

"c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\microsoftvisual.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 waldes.in udp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 20.109.209.108:80 windowsupdate.microsoft.com tcp
US 8.8.8.8:53 fe2.update.microsoft.com udp
US 52.152.180.151:80 fe2.update.microsoft.com tcp
US 8.8.8.8:53 counterslocal.com udp
US 204.11.56.48:80 counterslocal.com tcp
US 204.11.56.48:80 counterslocal.com tcp
US 204.11.56.48:80 counterslocal.com tcp

Files

C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\BuiltInBuilding.exe

MD5 b1a1b801d4d4cd9a69432cbac0a53393
SHA1 0ca06e648515de6973846fbd1d3c2ddd67af0157
SHA256 b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c
SHA512 3b8c5bb38009e03b45c99e207170847bc91c7691624663602d14b417e2f20266a3098e67e13c2e6a5a77bdbabe98058c3adbd89adad0674e5860bedb746db034

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\ServerInterfaces.exe

MD5 d8a6a5fb6b811fd15418f70f4c778236
SHA1 c5ae7353ddaef65ff939428becff6b72cf5c0775
SHA256 0c938f62b4e6d5b7b44ad9833a29c5ad6bbccfe6e41c18ba0c39187e6180ee05
SHA512 59b4750b671341a69e35585f6a7ba0d278c40e463eb7ce53979f527327c2ef7717f3280b379fbd9b3b30462cd573b7e50d3a8ef4026fb437be94fd145c2f13d5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 02:05

Reported

2024-06-04 02:08

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe"

Signatures

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe" C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ntdll.dll.dll C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilttifffilt.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX5078.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCX60D8.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX69E3.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AcrobatAdobe.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipResdexploitation.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\RCX3D87.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\RCX3DE6.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\ToolsContract.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCX4683.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrPlugin.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AcrobatAdobe.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ProjectionDynamic.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\RCX4653.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\RCX474F.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCX51F0.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdllDirectX.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX5DD9.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipResdexploitation.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\AdobeAcrobat.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdllDirectX.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX6A51.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTFAdobe.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX5AFA.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\RCX521F.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX6965.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ProjectionDynamic.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\RCX3D76.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\PowerShellMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AcrobatAdobe.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeAcrobat.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Boot\PCAT\en-GB\bootmgrWindows.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\RCX3655.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-l..ker-winrt.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_65d349adc7a2c384\lockappbrokerMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-n..anagement-proxystub_31bf3856ad364e35_10.0.19041.1_none_9e6f38387d47c886\WindowsOperating.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\et-EE\bootmgrOperatsioonissteem.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\fi-FI\kyttjrjestelmmemdiag.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\ja-JP\bootmgrmemdiag.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..agnostics.resources_31bf3856ad364e35_10.0.19041.1_en-us_a23b49aa54c858bd\WindowsMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..oningcore.resources_31bf3856ad364e35_10.0.19041.1_de-de_91d83e61e91defbb\provcoreprovcore.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\fr-FR\Microsoftmemdiag.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\lv-LV\Microsoftbootmgr10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\Resources\it-IT\Microsoftoperativo.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Branding\Basebrd\BASEBRDWindows.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\DynamicMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\fr-FR\RCX9FEA.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_wpf-presentationcffrasterizer_31bf3856ad364e35_10.0.19041.1_none_c368d2fec931c74c\PresentationCFFRasterizerMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\OperatingWindows.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\resourcesMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\hu-HU\rendszeropercis.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ahclientBSAFE.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\es-ES\MicrosoftSistema.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..-recovery.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_6555f45e11bdae94\MicrosoftWindows10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..rd-module.resources_31bf3856ad364e35_10.0.19041.1_en-us_d9534f94e0f0515f\Windowstpmvsc.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\es-ES\bootmgrWindows.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\it-IT\Microsoftoperativo.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\en-US\memdiagOperating10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-scheduleui.resources_31bf3856ad364e35_10.0.19041.1_en-us_593f7a7ea2a28e1b\WindowsMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_xamlbuildtask.resources_31bf3856ad364e35_4.0.15805.0_de-de_c00b369dc56fa632\Microsoftresources.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..aphostres.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_c8dbe15330ec9d29\kyttjrjestelmWindows.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\zh-TW\Windowsbootmgr10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\hu-HU\bootmgropercis.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Utility.Activities.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\RCX565B.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de-DE\MicrosoftServiceModelEvents4.8.4084.0.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\pt-BR\Windowsbootmgr10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\nb-NO\memdiagOperativsystemet.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\WindowsOperating.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\fr-FR\RCXEB5D.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E39B69A3F3677E14587CF1C3CC73FE72\48.108.8828\RCXEBAD.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\tr-TR\bootmgrMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..r-wmerror.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a1098e6d824abd2f\Windowsdexploitation12.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\wow64_startupapp-task-data.resources_31bf3856ad364e35_10.0.19041.1_de-de_27922e70e9a44f76\Microsoftstartupscan.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ahclientBSAFE.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\qps-ploc\u8YSicstfertng.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-onex.resources_31bf3856ad364e35_10.0.19041.1_de-de_7416c97e26554480\onexMicrosoft10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\diagnostics\system\Power\it-IT\MicrosoftPowerDiagPackage.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\hr-HR\sustavbootmgr.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\fr-FR\Windowsdexploitation10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\SystemSpeech340.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\sk-SK\Windowsbootmgr.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\Resources\de-DE\bootresWindows10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\ko-KR\bootmgrWindows.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\es-MX\MicrosoftWindows10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\en-GB\Windowsbootmgr.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\es-ES\operativomemdiag.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\RCXDC6.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_umb_31bf3856ad364e35_10.0.19041.746_none_64b09337769b299e\WindowsMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\de-DE\RCX56BB.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\cs-CZ\memdiagsystm.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\sk-SK\bootmgrOperating10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..emotepage.resources_31bf3856ad364e35_10.0.19041.1_en-us_6d08a39cd122d3e0\remotepgremotepg10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MUI\040C\RCXE34.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\zh-TW\SystemMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\EFI\pl-PL\memdiagMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\WinSxS\amd64_security-octagon-enclave_31bf3856ad364e35_10.0.19041.1266_none_c5ebbfd4188c4c8d\SgrmEnclaveMicrosoft10.0.19041.1266.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe

"C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 waldes.in udp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 20.109.209.108:80 windowsupdate.microsoft.com tcp
US 8.8.8.8:53 fe2.update.microsoft.com udp
US 52.252.198.176:80 fe2.update.microsoft.com tcp
US 8.8.8.8:53 counterslocal.com udp
US 204.11.56.48:80 counterslocal.com tcp
US 8.8.8.8:53 108.209.109.20.in-addr.arpa udp
US 8.8.8.8:53 176.198.252.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 waldes.in udp
US 204.11.56.48:80 counterslocal.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 waldes.in udp
US 204.11.56.48:80 counterslocal.com tcp
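Two things in the Network table above are easy to misread. First, windowsupdate.microsoft.com and fe2.update.microsoft.com are ordinary Windows background traffic for a win7 sandbox, and the in-addr.arpa rows are reverse (PTR) lookups of IP addresses, several of which (20.109.209.108, 52.252.198.176) are the very Microsoft hosts that were connected to. Second, the table does not attribute rows to a process, so it cannot by itself prove which host the sample contacted. What it does show is that waldes.in was resolved three times with no connection following, and that counterslocal.com resolved to 204.11.56.48 and was reached three times over TCP/80. The following script is an added example written for this report, not tooling from the sandbox vendor; it parses the rows exactly as printed (copied inline), decodes the PTR names back to the IPs that were looked up, and flags every host that is not on a small allowlist of expected sandbox noise. That allowlist is an assumption for illustration and should be tuned to the detonation environment.

```python
"""Triage the Network table of a sandbox report (added example, not from the report)."""
import re
from collections import Counter

# Rows copied from the report's Network table: country, destination, domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 waldes.in udp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 20.109.209.108:80 windowsupdate.microsoft.com tcp
US 8.8.8.8:53 fe2.update.microsoft.com udp
US 52.252.198.176:80 fe2.update.microsoft.com tcp
US 8.8.8.8:53 counterslocal.com udp
US 204.11.56.48:80 counterslocal.com tcp
US 8.8.8.8:53 108.209.109.20.in-addr.arpa udp
US 8.8.8.8:53 176.198.252.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 waldes.in udp
US 204.11.56.48:80 counterslocal.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 waldes.in udp
US 204.11.56.48:80 counterslocal.com tcp
"""

# ASSUMPTION: hosts a Windows 7 sandbox talks to on its own. Not stated by the report;
# tune this to the actual detonation environment before trusting the "suspicious" list.
SANDBOX_NOISE = {"windowsupdate.microsoft.com", "fe2.update.microsoft.com"}

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Yield (country, dest_ip, dest_port, domain, proto) for each well-formed row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def ptr_to_ip(name):
    """'108.209.109.20.in-addr.arpa' -> '20.109.209.108' (PTR names reverse the octets)."""
    m = PTR_RE.match(name)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def triage(text, noise=SANDBOX_NOISE):
    """Separate PTR lookups, forward DNS queries and direct connections.

    Returns a dict with the IPs whose PTR record was looked up, a Counter of forward
    lookups per hostname, a Counter of (host, ip, port, proto) connections, the hosts
    outside the noise allowlist, and hosts that were resolved but never connected to.
    """
    ptr_targets, dns_queries, connections = [], Counter(), Counter()
    for _country, ip, port, domain, proto in parse_rows(text):
        reversed_ip = ptr_to_ip(domain)
        if reversed_ip:
            ptr_targets.append(reversed_ip)
        elif port == 53 and proto == "udp":
            dns_queries[domain] += 1
        else:
            connections[(domain, ip, port, proto)] += 1
    contacted = {host for host, *_ in connections}
    suspicious = sorted((set(dns_queries) | contacted) - noise)
    # Resolved but never contacted: failed resolution, sinkhole, or a later stage.
    resolved_only = sorted(set(dns_queries) - contacted - noise)
    return {
        "ptr_targets": ptr_targets,
        "dns_queries": dns_queries,
        "connections": connections,
        "suspicious": suspicious,
        "resolved_only": resolved_only,
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for host in result["suspicious"]:
        print("host outside sandbox baseline:", host)
    for host in result["resolved_only"]:
        print("resolved but never contacted:", host)
    for (host, ip, port, proto), n in result["connections"].items():
        print(f"{host} -> {ip}:{port}/{proto} x{n}")
```

On this table the script reports counterslocal.com and waldes.in as the hosts outside the baseline, with waldes.in resolved but never contacted. Treat both as candidate indicators to pivot on, not as confirmed C2: confirming attribution needs a per-process capture or the PCAP from the detonation.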

Files

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipResdexploitation.exe

MD5 b1a1b801d4d4cd9a69432cbac0a53393
SHA1 0ca06e648515de6973846fbd1d3c2ddd67af0157
SHA256 b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c
SHA512 3b8c5bb38009e03b45c99e207170847bc91c7691624663602d14b417e2f20266a3098e67e13c2e6a5a77bdbabe98058c3adbd89adad0674e5860bedb746db034

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\RCX3DE6.tmp

MD5 b7b51c33a1abae87f0b95f46d7d99cc7
SHA1 c8fc561911c9185c9b2b8f635ae4426a5b783cbf
SHA256 351d44e4a1b35ff87a962d8529d1b6d60dc5f18e6fc9d8c8bf5fa0b89698e040
SHA512 205f5377aff836294380097893798001b2170265afb55b3c04f94be2f8f2f0444541ab72973620534d9f1d94935ca84c25ec40285ca4d2ce477fdc2bba1af38b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrPlugin.exe

MD5 74ff4246031397f0415ff4365582545c
SHA1 36d670443d1cd48ee8431054f1b567f90f24a6f8
SHA256 9f26bccdb96445a3b717f538ae64e2ab0dd001b3da95451eb6917979d5f17256
SHA512 17dbd25667faf922670f3b0ed94c255150eb9fd424625c751a398a09cb062ceb271492e28b01829144a5f542e0c8be37203c13f44f213a179d2c0389552902a2
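The "Drops file in Program Files directory" and "Drops file in Windows directory" tables and the Files section above fit together. In directory after directory a RCX####.tmp file is opened for modification and a new .exe appears alongside it, which is the usual write-to-temp-then-rename staging (the report logs creates and modifications, not renames, so the pairing is an inference from co-location). The dropped names read like concatenations of strings already present in the target directory (bootmgrWindows.exe under Boot\PCAT\en-GB, BASEBRDWindows.exe under Branding\Basebrd), so a fixed-filename indicator is of little use. The Files section adds the second caveat: of the three dropped files hashed, only TipResdexploitation.exe has the sample's own SHA256; RCX3DE6.tmp and prcrPlugin.exe carry different hashes, so a hunt keyed on the sample hash alone misses part of what was written. The script below is an added example written for this report, not part of the report or of the sandbox's tooling. It parses rows in the exact shape of the drop tables (a subset copied inline), pairs temp files with executables per directory, builds a path list for an EDR or file-system search, and classifies the hashed drops against the sample's SHA256.

```python
"""Turn a sandbox report's file-drop tables into a hunt list (added example, not from the report)."""
import ntpath
import re
from collections import defaultdict

SAMPLE_SHA256 = "b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c"

# Subset of rows copied verbatim from the report's two "Drops file in ... directory" tables.
FILE_ROWS = r"""
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX69E3.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AcrobatAdobe.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipResdexploitation.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipResdexploitation.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\RCX3D76.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\RCX3DE6.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\PowerShellMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrPlugin.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Boot\PCAT\en-GB\bootmgrWindows.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\RCX3655.tmp C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
File created C:\Windows\Branding\Basebrd\BASEBRDWindows.exe C:\Users\Admin\AppData\Local\Temp\b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c.exe N/A
"""

# SHA256 values copied from the report's Files section.
DROPPED_HASHES = {
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipResdexploitation.exe":
        "b91e77cdaa582335f5e2714d4f84910dfda1a272d2d568053c68b7738191be1c",
    r"C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\RCX3DE6.tmp":
        "351d44e4a1b35ff87a962d8529d1b6d60dc5f18e6fc9d8c8bf5fa0b89698e040",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrPlugin.exe":
        "9f26bccdb96445a3b717f538ae64e2ab0dd001b3da95451eb6917979d5f17256",
}

# Row shape: "<action> <dropped path, may contain spaces> <writing process, no spaces> N/A".
ROW_RE = re.compile(r"^(File created|File opened for modification) (.+) (C:\\\S+\.exe) N/A$")
# Temporary files in these tables are named RCX followed by up to four hex digits.
TMP_RE = re.compile(r"^RCX[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def parse_file_rows(text):
    """Return [(action, dropped_path, writing_process)] for every well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def group_by_directory(rows):
    """Map each target directory to the RCX temp files and executables written into it."""
    dirs = defaultdict(lambda: {"tmp": set(), "exe": set()})
    for _action, path, _proc in rows:
        name = ntpath.basename(path)  # ntpath handles Windows paths on any host OS
        if TMP_RE.match(name):
            dirs[ntpath.dirname(path)]["tmp"].add(name)
        elif name.lower().endswith(".exe"):
            dirs[ntpath.dirname(path)]["exe"].add(name)
    return dict(dirs)


def staged_drops(dirs):
    """Directories holding both a RCX temp file and a dropped .exe (temp-then-rename staging)."""
    return sorted(d for d, files in dirs.items() if files["tmp"] and files["exe"])


def hunt_list(dirs):
    """Full paths of every dropped executable, for EDR or file-system searches."""
    return sorted(ntpath.join(d, n) for d, files in dirs.items() for n in files["exe"])


def classify_hashes(hashes, sample_sha256=SAMPLE_SHA256):
    """Split hashed drops into exact self-copies of the sample and files with another hash."""
    same = sorted(p for p, h in hashes.items() if h.lower() == sample_sha256.lower())
    different = sorted(p for p, h in hashes.items() if h.lower() != sample_sha256.lower())
    return {"self_copies": same, "distinct": different}


if __name__ == "__main__":
    dirs = group_by_directory(parse_file_rows(FILE_ROWS))
    print("directories with temp-then-exe staging:")
    for d in staged_drops(dirs):
        print("  ", d, sorted(dirs[d]["tmp"]), sorted(dirs[d]["exe"]))
    print("dropped executables to hunt for:")
    for p in hunt_list(dirs):
        print("  ", p)
    verdict = classify_hashes(DROPPED_HASHES)
    print("exact self-copies of the sample:", verdict["self_copies"])
    print("drops with a different hash:", verdict["distinct"])
```

Run against the full tables rather than this subset, the hunt list is the set of paths to sweep on any host that executed the sample; the staging directories are where a RCX*.tmp left behind by an interrupted write is worth collecting. Because only one of the three hashed drops matches the sample, pair the hash indicator with the location pattern (unexpected .exe files under Boot\, WinSxS\, Branding\ and the Acrobat Reader tree) when hunting.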