Analysis
- max time kernel: 104s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/07/2024, 10:21
Static task: static1
Behavioral task: behavioral1
- Sample: c0e7f4e5e1afc3023f581e955a236db0N.exe
- Resource: win7-20240705-en
Note that the task list names the win7-20240705-en resource, while the analysis header above reports the win10v2004-20240709-en image; the IoCs below (SysWOW64 paths and WinSxS components versioned 10.0.19041.*) come from the Windows 10 run.
General
- Target: c0e7f4e5e1afc3023f581e955a236db0N.exe
- Size: 52KB
- MD5: c0e7f4e5e1afc3023f581e955a236db0
- SHA1: 6e7cf8a5d76a7337308d0ae778270e63b3f96483
- SHA256: 60eb1cedf8013f056d9ee90a2661399d7af4f292054c24b474f782ff48bfe0ad
- SHA512: 65355ebfc458745e800fa67c4cb23b844f4b8a2c24478ac1b4c92f23a80486394c23d2bb20b2ccef11e6ef21e76ccbfe522085a9f5b36ecb3d5a7c68d8f96cc6
- SSDEEP: 768:DlQ4hrvaEGU4aikqykezg2XpfYgQjYioRoFdWl5:5LhE1Dezg2ZfYg1oPE5
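The hashes above are the indicators a responder actually sweeps a host for. The following is an added example written for this page, not part of the Triage report or of any Triage tooling: it walks a directory tree, hashes each file once with all four algorithms, and reports matches against the indicator set. It assumes Python 3 with the standard library only; the self-check in demo() uses the well-known SHA-256 of empty input on constructed files. SSDEEP matching is not covered because it needs a third-party library.

```python
"""Hunt for this sample's file hashes on disk.

Added example, not part of the Triage report: walks a directory tree, hashes
every file with MD5/SHA-1/SHA-256/SHA-512 in one read pass, and reports files
whose digest matches an indicator. Standard library only; SSDEEP is not
covered because it needs a third-party library.
"""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Indicators copied from the report's General section above.
REPORT_HASHES: Dict[str, str] = {
    "md5": "c0e7f4e5e1afc3023f581e955a236db0",
    "sha1": "6e7cf8a5d76a7337308d0ae778270e63b3f96483",
    "sha256": "60eb1cedf8013f056d9ee90a2661399d7af4f292054c24b474f782ff48bfe0ad",
    "sha512": "65355ebfc458745e800fa67c4cb23b844f4b8a2c24478ac1b4c92f23a80486394c23d2bb20b2ccef11e6ef21e76ccbfe522085a9f5b36ecb3d5a7c68d8f96cc6",
}


def digests(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Hash one file with every algorithm in ALGOS using a single read pass."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(buf)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_indicators(d: Dict[str, str], indicators: Dict[str, str]) -> List[str]:
    """Names of the algorithms whose digest equals the indicator (case-insensitive)."""
    return [a for a in ALGOS if a in indicators and d[a] == indicators[a].lower()]


def hunt(root: str, indicators: Dict[str, str] = REPORT_HASHES) -> List[Tuple[str, List[str]]]:
    """Return (path, matched algorithms) for every file under root that matches."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                m = match_indicators(digests(p), indicators)
            except OSError:
                continue  # locked or unreadable file; skip rather than abort the sweep
            if m:
                hits.append((p, m))
    return hits


def demo() -> List[Tuple[str, List[str]]]:
    """Self-check on constructed input: an empty file matches the well-known
    SHA-256 of empty input; a second, non-empty file does not."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "empty.bin"), "wb").close()
        with open(os.path.join(tmp, "other.bin"), "wb") as f:
            f.write(b"not the sample")
        ind = {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
        return [(os.path.basename(p), algs) for p, algs in hunt(tmp, ind)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algs in hunt(target):
        print(f"MATCH {path} ({', '.join(algs)})")
```

Run it as `python hunt.py C:\` (or any mount point) on a host under investigation; a hit on any one algorithm is enough, since all four digests identify the same 52KB file.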
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets. No IoC rows are listed for this signature on this page, so the specific browser files touched cannot be recovered from the report.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive. The 21 IoCs cover every drive letter from E: through Z: except F:, i.e. a sweep across all possible volume letters rather than access to one known drive.
description: File opened (read-only) | Process: c0e7f4e5e1afc3023f581e955a236db0N.exe (all 21 rows); ioc, in reported order:
- \??\K:
- \??\M:
- \??\Q:
- \??\S:
- \??\E:
- \??\J:
- \??\O:
- \??\U:
- \??\Y:
- \??\H:
- \??\I:
- \??\L:
- \??\N:
- \??\P:
- \??\R:
- \??\W:
- \??\G:
- \??\T:
- \??\V:
- \??\X:
- \??\Z:
Drops file in System32 directory 64 IoCs
Despite the signature name, every IoC here is an existing Windows executable under C:\WINDOWS\SysWOW64 opened for write access ("File opened for modification" records the open, not what was written). Combined with the drive-letter sweep above, this is consistent with a file infector walking the filesystem for .EXE targets; on any host where this sample ran, treat these binaries as untrusted until their Authenticode signatures and hashes have been checked against a clean reference.
description: File opened for modification | Process: c0e7f4e5e1afc3023f581e955a236db0N.exe (all 64 rows); ioc, in reported order:
- C:\WINDOWS\SysWOW64\SDCHANGE.EXE
- C:\WINDOWS\SysWOW64\ATTRIB.EXE
- C:\WINDOWS\SysWOW64\CLEANMGR.EXE
- C:\WINDOWS\SysWOW64\IME\IMEJP\IMJPUEX.EXE
- C:\WINDOWS\SysWOW64\IME\SHARED\IMESEARCH.EXE
- C:\WINDOWS\SysWOW64\RDRLEAKDIAG.EXE
- C:\WINDOWS\SysWOW64\CMD.EXE
- C:\WINDOWS\SysWOW64\EVENTCREATE.EXE
- C:\WINDOWS\SysWOW64\HELP.EXE
- C:\WINDOWS\SysWOW64\INFDEFAULTINSTALL.EXE
- C:\WINDOWS\SysWOW64\TAR.EXE
- C:\WINDOWS\SysWOW64\W32TM.EXE
- C:\WINDOWS\SysWOW64\HOSTNAME.EXE
- C:\WINDOWS\SysWOW64\NEWDEV.EXE
- C:\WINDOWS\SysWOW64\PING.EXE
- C:\WINDOWS\SysWOW64\REG.EXE
- C:\WINDOWS\SysWOW64\REPLACE.EXE
- C:\WINDOWS\SysWOW64\ICACLS.EXE
- C:\WINDOWS\SysWOW64\LAUNCHTM.EXE
- C:\WINDOWS\SysWOW64\TSTHEME.EXE
- C:\WINDOWS\SysWOW64\USERACCOUNTCONTROLSETTINGS.EXE
- C:\WINDOWS\SysWOW64\CERTUTIL.EXE
- C:\WINDOWS\SysWOW64\CHKDSK.EXE
- C:\WINDOWS\SysWOW64\EDPNOTIFY.EXE
- C:\WINDOWS\SysWOW64\OPENFILES.EXE
- C:\WINDOWS\SysWOW64\DIALER.EXE
- C:\WINDOWS\SysWOW64\ICSUNATTEND.EXE
- C:\WINDOWS\SysWOW64\MSRA.EXE
- C:\WINDOWS\SysWOW64\REGSVR32.EXE
- C:\WINDOWS\SysWOW64\TTDINJECT.EXE
- C:\WINDOWS\SysWOW64\DEVICEPAIRINGWIZARD.EXE
- C:\WINDOWS\SysWOW64\F12\IECHOOSER.EXE
- C:\WINDOWS\SysWOW64\IME\IMETC\IMTCLNWZ.EXE
- C:\WINDOWS\SysWOW64\RESMON.EXE
- C:\WINDOWS\SysWOW64\TRACERPT.EXE
- C:\WINDOWS\SysWOW64\IEXPRESS.EXE
- C:\WINDOWS\SysWOW64\PRINT.EXE
- C:\WINDOWS\SysWOW64\REKEYWIZ.EXE
- C:\WINDOWS\SysWOW64\UTILMAN.EXE
- C:\WINDOWS\SysWOW64\SYSTEMUWPLAUNCHER.EXE
- C:\WINDOWS\SysWOW64\UNREGMP2.EXE
- C:\WINDOWS\SysWOW64\CLIP.EXE
- C:\WINDOWS\SysWOW64\DWWIN.EXE
- C:\WINDOWS\SysWOW64\LOGMAN.EXE
- C:\WINDOWS\SysWOW64\ODBCAD32.EXE
- C:\WINDOWS\SysWOW64\RASDIAL.EXE
- C:\WINDOWS\SysWOW64\SC.EXE
- C:\WINDOWS\SysWOW64\WBEM\MOFCOMP.EXE
- C:\WINDOWS\SysWOW64\CMMON32.EXE
- C:\WINDOWS\SysWOW64\DLLHST3G.EXE
- C:\WINDOWS\SysWOW64\FSUTIL.EXE
- C:\WINDOWS\SysWOW64\MOUNTVOL.EXE
- C:\WINDOWS\SysWOW64\POWERCFG.EXE
- C:\WINDOWS\SysWOW64\SEARCHFILTERHOST.EXE
- C:\WINDOWS\SysWOW64\BOOTCFG.EXE
- C:\WINDOWS\SysWOW64\HH.EXE
- C:\WINDOWS\SysWOW64\INPUTSWITCHTOASTHANDLER.EXE
- C:\WINDOWS\SysWOW64\ISOBURN.EXE
- C:\WINDOWS\SysWOW64\NSLOOKUP.EXE
- C:\WINDOWS\SysWOW64\EHSTORAUTHN.EXE
- C:\WINDOWS\SysWOW64\OPOSHOST.EXE
- C:\WINDOWS\SysWOW64\SNDVOL.EXE
- C:\WINDOWS\SysWOW64\WINDOWS.WARP.JITSERVICE.EXE
- C:\WINDOWS\SysWOW64\SETTINGSYNCHOST.EXE
Drops file in Program Files directory 64 IoCs
As in the System32 list, every row is an existing third-party or Microsoft executable opened for write access, spanning browser and updater binaries (Chrome, Edge, Google Update), Office, Java, Adobe Reader, VLC, .NET and Store app packages. Several of these run with elevated or service privileges on a normal host (for example ELEVATION_SERVICE.EXE and the updater executables), so a successful modification here would give the sample a persistence and privilege path through legitimate, signed-looking program paths.
description: File opened for modification | Process: c0e7f4e5e1afc3023f581e955a236db0N.exe (all 64 rows); ioc, in reported order:
- C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\JJS.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\CLVIEW.EXE
- C:\PROGRAM FILES\WINDOWS MAIL\WABMIG.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFTSTICKYNOTES_3.6.73.0_X64__8WEKYB3D8BBWE\MICROSOFT.NOTES.EXE
- C:\PROGRAM FILES (X86)\COMMON FILES\ADOBE\ARM\1.0\ADOBEARM.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\RMIREGISTRY.EXE
- C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\123.0.6312.106\ELEVATION_SERVICE.EXE
- C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\123.0.6312.106\INSTALLER\SETUP.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\WSGEN.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\JAVAW.EXE
- C:\PROGRAM FILES\WINDOWS NT\ACCESSORIES\WORDPAD.EXE
- C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\WOW_HELPER.EXE
- C:\PROGRAM FILES\DOTNET\SHARED\MICROSOFT.NETCORE.APP\6.0.27\CREATEDUMP.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\IDLJ.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\JAVACPL.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\OUTICON.EXE
- C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\PLUG_INS\PI_BROKERS\32BITMAPIBROKER.EXE
- C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\READER_SL.EXE
- C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\DISABLEDGOOGLEUPDATE.EXE
- C:\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE_BK\MICROSOFTEDGEUPDATE.EXE
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\PUBS.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16005.11629.20316.0_X64__8WEKYB3D8BBWE\HXACCOUNTS.EXE
- C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLECRASHHANDLER64.EXE
- C:\PROGRAM FILES (X86)\INTERNET EXPLORER\EXTEXPORT.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\XLICONS.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\XLICONS.EXE
- C:\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE_BK\1.3.147.37\MICROSOFTEDGEUPDATEONDEMAND.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\PACK200.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\IECONTENTSERVICE.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFTSOLITAIRECOLLECTION_4.4.8204.0_X64__8WEKYB3D8BBWE\SOLITAIRE.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.YOURPHONE_0.19051.7.0_X64__8WEKYB3D8BBWE\YOURPHONE.EXE
- C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32INFO.EXE
- C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLECRASHHANDLER.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\KLIST.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\RMID.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.DESKTOPAPPINSTALLER_1.0.30251.0_X64__8WEKYB3D8BBWE\APPINSTALLER.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.OFFICE.ONENOTE_16001.12026.20112.0_X64__8WEKYB3D8BBWE\ONENOTEIM.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAW.EXE
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\TABTIP.EXE
- C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\JABSWITCH.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\EXCELCNV.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOTD.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PERFBOOST.EXE
- C:\PROGRAM FILES\VIDEOLAN\VLC\VLC-CACHE-GEN.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.VP9VIDEOEXTENSIONS_1.0.22681.0_X64__8WEKYB3D8BBWE\CODECPACKS.VP9.EXE
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OFFICEC2RCLIENT.EXE
- C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\MSEDGE_PROXY.EXE
- C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\IDENTITY_HELPER.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\DATABASECOMPARE.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.SKYPEAPP_14.53.77.0_X64__KZF8QXF38ZG5C\SKYPEBRIDGE\SKYPEBRIDGE.EXE
- C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\KLIST.EXE
- C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\123.0.6312.106\INSTALLER\CHRMSTP.EXE
- C:\PROGRAM FILES\INTERNET EXPLORER\IEDIAGCMD.EXE
- C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JRUNSCRIPT.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOASB.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ORGCHART.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFTOFFICEHUB_18.1903.1152.0_X64__8WEKYB3D8BBWE\LOCALBRIDGE.EXE
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
- C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\MSEDGE_PWA_LAUNCHER.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.ZUNEVIDEO_10.19071.19011.0_X64__8WEKYB3D8BBWE\VIDEO.UI.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\DBCICONS.EXE
- C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSALARMS_10.1906.2182.0_X64__8WEKYB3D8BBWE\TIME.EXE
Drops file in Windows directory 64 IoCs
The targets here are mostly component-store copies under C:\WINDOWS\WINSXS (including the boot-critical WINLOAD.EXE and WINRESUME.EXE copies) plus .NET Framework tools, again opened for write access. This matters for remediation: SFC and DISM repair the live system from WinSxS, so a component-store repair on an affected host cannot be assumed to yield clean binaries; restore from known-good media instead.
description: File opened for modification | Process: c0e7f4e5e1afc3023f581e955a236db0N.exe (all 64 rows); ioc, in reported order:
- C:\WINDOWS\WINSXS\X86_INSTALLUTIL_B03F5F7F11D50A3A_10.0.19041.1_NONE_3C6036D4B220F210\INSTALLUTIL.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-D..MNOTIFICATIONBROKER_31BF3856AD364E35_10.0.19041.746_NONE_A5ADE2E84580E250\DMNOTIFICATIONBROKER.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-MSINFO32-EXE_31BF3856AD364E35_10.0.19041.1110_NONE_20A89186AEDB6AF7\F\MSINFO32.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-P..INSTALLERANDPRINTUI_31BF3856AD364E35_10.0.19041.1237_NONE_4B16FB7FAB206EB1\F\PRINTUI.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-TCPIP-UTILITY_31BF3856AD364E35_10.0.19041.1_NONE_F30CAB80229C6B29\FINGER.EXE
- C:\WINDOWS\WINSXS\WOW64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.19041.1151_NONE_F68DB62A3702882B\F\SEARCHINDEXER.EXE
- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\IEEXEC.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-HYPER-V-VSTACK-VMMS_31BF3856AD364E35_10.0.19041.264_NONE_1477A882BDCE0DF2\F\VMMS.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IIS-MANAGEMENTCONSOLE_31BF3856AD364E35_10.0.19041.906_NONE_65F82BA919C64B11\INETMGR.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.19041.1220_NONE_7E21BC567C7ED16B\TIFILEFETCHER.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..LINE-USER-INTERFACE_31BF3856AD364E35_10.0.19041.1_NONE_92D880487C3589C8\CMDKEY.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SECURITY-EASINVOKER_31BF3856AD364E35_10.0.19041.1_NONE_42154EFF4D5817BF\EASINVOKER.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WINLOGON-TOOLS_31BF3856AD364E35_10.0.19041.746_NONE_726CC4A1EBCB1C1E\WLRMDR.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-MSAUDITTOOLS_31BF3856AD364E35_10.0.19041.546_NONE_FFD303094FF1FE66\F\AUDITPOL.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LXSS-WSLHOST_31BF3856AD364E35_10.0.19041.1151_NONE_329784A84ED43ACD\F\WSLHOST.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..PLICATIONFRAME-HOST_31BF3856AD364E35_10.0.19041.746_NONE_B7A67DDD8BCC7470\APPLICATIONFRAMEHOST.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-CHARMAP_31BF3856AD364E35_10.0.19041.1_NONE_B29F753478196F5E\CHARMAP.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-E..ORTINGCOMPATIBILITY_31BF3856AD364E35_10.0.19041.264_NONE_E6D5F08988C6CB95\DWWIN.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-WOW64-LEGACY_31BF3856AD364E35_10.0.19041.1023_NONE_6AEAB5D4BD0371A8\SETUP16.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-P..TING-LPRPORTMONITOR_31BF3856AD364E35_10.0.19041.1_NONE_69F4AF04DD2C1F80\LPQ.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..NSEMANAGER-SHELLEXT_31BF3856AD364E35_10.0.19041.1_NONE_683B3C51D469E51B\LICENSEMANAGERSHELLEXT.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.WINHTTP_31BF3856AD364E35_5.1.19041.1151_NONE_D57E154A0A8460D3\F\PACJSWORKER.EXE
- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ILASM.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..-EXPERIENCE-APPHELP_31BF3856AD364E35_10.0.19041.928_NONE_6012C8CABF808FF7\PCAUI.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..NAGEMENT-APPVCLIENT_31BF3856AD364E35_10.0.19041.264_NONE_AA5417FD2708544D\F\SCRIPTRUNNER.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-D..B-STANDARDCOLLECTOR_31BF3856AD364E35_10.0.19041.928_NONE_0F531EA0D233243B\R\DIAGNOSTICSHUB.STANDARDCOLLECTOR.SERVICE.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-FINDSTR_31BF3856AD364E35_10.0.19041.1_NONE_DD2098E5F9122DFF\FINDSTR.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-DISKPART_31BF3856AD364E35_10.0.19041.964_NONE_510EBDD9292EED06\F\DISKPART.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-ONECORE-PNP-DRVINST_31BF3856AD364E35_10.0.19041.1_NONE_0B4EEB140948562C\DRVINST.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-B..MENT-WINDOWS-MINWIN_31BF3856AD364E35_10.0.19041.173_NONE_2DC175215AE8EC39\R\WINLOAD.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-P..RANDPRINTUI-NTPRINT_31BF3856AD364E35_10.0.19041.1288_NONE_6F1FCB1866FCB4B8\F\NTPRINT.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-AXINSTALLSERVICE_31BF3856AD364E35_10.0.19041.867_NONE_B4E9FC09CFCBDD7C\AXINSTUI.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-W..SITION-UICOMPONENTS_31BF3856AD364E35_10.0.19041.1151_NONE_43C494653A7536D0\R\WIAACMGR.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WINLOGON-TOOLS_31BF3856AD364E35_10.0.19041.746_NONE_726CC4A1EBCB1C1E\MPNOTIFY.EXE
- C:\WINDOWS\WINSXS\AMD64_WINDOWS-SENSECLIENT-SERVICE_31BF3856AD364E35_10.0.19041.1288_NONE_1CEC63974464878F\SENSENDR.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-DISKPART_31BF3856AD364E35_10.0.19041.964_NONE_510EBDD9292EED06\R\DISKPART.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-HVSI-MANAGER_31BF3856AD364E35_10.0.19041.1202_NONE_7CDAD2E52790705D\HVSIRPCD.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-NOTEPAD_31BF3856AD364E35_10.0.19041.117_NONE_4D353CF1CEB5D6D2\F\NOTEPAD.EXE
- C:\WINDOWS\WINSXS\AMD64_NETFX4-VBC_EXE_B03F5F7F11D50A3A_4.0.15805.0_NONE_96EDD00E05696409\VBC.EXE
- C:\WINDOWS\WINSXS\AMD64_WINDOWS-SENSECLIENT-SERVICE_31BF3856AD364E35_10.0.19041.1288_NONE_1CEC63974464878F\SENSESAMPLEUPLOADER.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-D..D-SEARCHINTEGRATION_31BF3856AD364E35_10.0.19041.1_NONE_45FD6972631FF67C\IMESEARCH.EXE
- C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-D..OMMANDLINE-REPADMIN_31BF3856AD364E35_10.0.19041.1_NONE_5A9698F03A1B8696\REPADMIN.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CALC_31BF3856AD364E35_10.0.19041.1_NONE_5FAF0EBEBA197E78\CALC.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-D..-CERTIFICATEINSTALL_31BF3856AD364E35_10.0.19041.1151_NONE_AE854961A06058B2\DMCERTINST.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IPCONFIG_31BF3856AD364E35_10.0.19041.1_NONE_022AFE83B74C28CC\IPCONFIG.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..TTINGS-REMOVEDEVICE_31BF3856AD364E35_10.0.19041.1_NONE_69523BA694C053CA\SYSTEMSETTINGSREMOVEDEVICE.EXE
- C:\WINDOWS\WINSXS\AMD64_NETFX4-MSCORSVW_EXE_B03F5F7F11D50A3A_4.0.15805.0_NONE_7D38F956251354FE\MSCORSVW.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-B..ENVIRONMENT-WINDOWS_31BF3856AD364E35_10.0.19041.1_NONE_1F29A4AE2C282494\WINRESUME.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..CSENGINE-NATIVEHOST_31BF3856AD364E35_10.0.19041.1_NONE_D016F232FBEEFBAD\SDIAGNHOST.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-MAGNIFY_31BF3856AD364E35_10.0.19041.1266_NONE_ED4855448241F7E7\R\MAGNIFY.EXE
- C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-T..ES-COMMANDLINETOOLS_31BF3856AD364E35_10.0.19041.1_NONE_A4F6113BCCC284B7\CHANGE.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..NAGEMENT-APPVCLIENT_31BF3856AD364E35_10.0.19041.1202_NONE_4132A4047D5D53B2\F\APPVSHNOTIFY.EXE
- C:\WINDOWS\WINSXS\MSIL_C2WTSHOST_31BF3856AD364E35_10.0.19041.1_NONE_746453FD22521BA2\C2WTSHOST.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-IEXPRESS_31BF3856AD364E35_11.0.19041.1_NONE_4E5E653D48E95632\IEXPRESS.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.19041.1_NONE_BF506ECC66A800DF\TIFILEFETCHER.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SYSPREP_31BF3856AD364E35_10.0.19041.746_NONE_CD77EB91574A2623\SYSPREP.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TERMINALSERVICES-THEME_31BF3856AD364E35_10.0.19041.746_NONE_B3DF5AA8D99E9B89\TSTHEME.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SENSORDATASERVICE_31BF3856AD364E35_10.0.19041.1_NONE_B3F4F49AC9993D28\SENSORDATASERVICE.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-THUMBEXTHOST_31BF3856AD364E35_10.0.19041.746_NONE_CE6643A69C39F80A\THUMBNAILEXTRACTIONHOST.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WINVER_31BF3856AD364E35_10.0.19041.1_NONE_6C428BC03BD6600A\WINVER.EXE
- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\NGEN.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CLOUDNOTIFICATIONS_31BF3856AD364E35_10.0.19041.1_NONE_47F8A965309A7EE6\CLOUDNOTIFICATIONS.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-I..NTROLPANEL.APPXMAIN_31BF3856AD364E35_10.0.19041.1202_NONE_8F7E37524C3E1A13\F\SYSTEMSETTINGS.EXE
- C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-M..NT-BROWSER.APPXMAIN_31BF3856AD364E35_10.0.19041.844_NONE_D9EB415C5B9DBE4E\SECUREASSESSMENTBROWSER.EXE
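The four IoC tables above (the drive-letter sweep and the three "Drops file" lists) arrive as run-together text when the report is exported, and the interesting question for triage is not any one row but the aggregate: which drive roots were probed, how many write-opens there were, and whether every target was an existing executable. The following is an added example written for this page, not part of the Triage report or of Triage's own tooling. It parses rows in the flattened form shown on this page (using the process name as the row terminator, which assumes the process name never occurs inside a target path), summarises them, and applies a heuristic of my own for the drive-sweep-plus-mass-EXE-write pattern. The SAMPLE input is a constructed subset of the rows on this page, with the same kinds of line break the extracted page has.

```python
"""Parse and triage the flattened IoC tables from this Triage report.

Added example, not part of the report or of the sandbox's own tooling: turns
the run-together "File opened ... <path> <process>" rows into records,
summarises what was touched, and applies a simple heuristic of my own for the
drive-sweep-plus-mass-EXE-write pattern shown above.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Process name from the report; every IoC row ends with it.
PROC = "c0e7f4e5e1afc3023f581e955a236db0N.exe"

# Constructed input: a subset of the rows shown on this page, with the same
# kinds of line break the extracted page has (one inside "for modification",
# one inside a path).
SAMPLE = f"""description ioc Process File opened (read-only) \\??\\K: {PROC} File opened (read-only) \\??\\E: {PROC} File opened (read-only) \\??\\Z: {PROC} -
description ioc Process File opened for modification C:\\WINDOWS\\SysWOW64\\CMD.EXE {PROC} File opened for modification C:\\WINDOWS\\SysWOW64\\UTILMAN.EXE {PROC} File opened for
modification C:\\PROGRAM FILES (X86)\\ADOBE\\ACROBAT READER DC\\READER\\READER_SL.EXE {PROC} File opened for modification C:\\PROGRAM FILES\\MICROSOFT
OFFICE\\ROOT\\OFFICE16\\WINWORD.EXE {PROC} -"""


class Ioc(NamedTuple):
    action: str    # "read-only" or "modification"
    path: str
    process: str


def parse_iocs(text: str, process: str) -> List[Ioc]:
    """Split a flattened IoC table into rows.

    The process column is the only reliable row terminator, so the regex
    anchors on it. Whitespace is normalised first because extraction breaks
    lines inside both the description and the path.
    """
    flat = re.sub(r"\s+", " ", text)
    pat = re.compile(
        r"File opened (?P<action>for modification|\(read-only\)) "
        r"(?P<path>.+?) " + re.escape(process)
    )
    rows = []
    for m in pat.finditer(flat):
        action = "modification" if m.group("action").startswith("for") else "read-only"
        rows.append(Ioc(action, m.group("path"), process))
    return rows


def top_dir(path: str) -> str:
    """'C:\\WINDOWS\\SysWOW64\\CMD.EXE' -> 'C:\\WINDOWS'."""
    return "\\".join(path.split("\\")[:2])


def summarize(iocs: List[Ioc]) -> Dict[str, object]:
    """Drive letters probed, count of write-opens, and their extensions/roots."""
    drive_re = re.compile(r"\\\?\?\\([A-Z]):")   # matches NT paths like \??\K:
    drives = []
    for i in iocs:
        m = drive_re.fullmatch(i.path) if i.action == "read-only" else None
        if m:
            drives.append(m.group(1))
    modified = [i.path for i in iocs if i.action == "modification"]
    return {
        "drives": sorted(drives),
        "modified": len(modified),
        "extensions": dict(Counter(p.rsplit(".", 1)[-1].upper() for p in modified)),
        "by_top_dir": dict(Counter(top_dir(p) for p in modified)),
    }


def file_infector_pattern(iocs: List[Ioc]) -> bool:
    """Heuristic of my own, not a Triage rule: two or more drive roots probed
    and every write-open target is an existing .EXE."""
    s = summarize(iocs)
    return len(s["drives"]) >= 2 and s["modified"] > 0 and set(s["extensions"]) == {"EXE"}


if __name__ == "__main__":
    rows = parse_iocs(SAMPLE, PROC)
    print(summarize(rows))
    print("file-infector pattern:", file_infector_pattern(rows))
```

Feeding the full tables from this page through parse_iocs gives 21 read-only drive-root opens and 192 write-opens, all of them .EXE files, which is what the per-signature notes above describe in prose; the heuristic is deliberately coarse and is meant as a triage prompt, not a classification.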
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is low-signal: many benign programs read the same key through the standard locale APIs, so it is only meaningful in combination with the behaviour above.
description: Key opened | Process: c0e7f4e5e1afc3023f581e955a236db0N.exe; ioc:
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious use of SetWindowsHookEx 2 IoCs
Both IoCs come from the single sample process (PID 848); the report does not show which hook type was installed.
pid | Process
- 848 | c0e7f4e5e1afc3023f581e955a236db0N.exe
- 848 | c0e7f4e5e1afc3023f581e955a236db0N.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c0e7f4e5e1afc3023f581e955a236db0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c0e7f4e5e1afc3023f581e955a236db0N.exe"
   PID: 848
   - Enumerates connected drives
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx