Analysis
max time kernel: 84s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 06/09/2024, 15:06

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 09bd19605de3262ae7f8f2355d430300N.exe
Resource: win7-20240903-en

General
Target: 09bd19605de3262ae7f8f2355d430300N.exe
Size: 92KB
MD5: 09bd19605de3262ae7f8f2355d430300
SHA1: 450b0affa561fa73db6b372294db839a34a328d1
SHA256: ce74d4663834f10b00d027addaf44e64e3c0df6b12d2152d57d945abbb2bc210
SHA512: 2424d541fbc8147abd4ec5593aed36d7977309af175eb7f8d8955b3aee5d9671cf57dcf33803042378d91771d41b16f3cd4b850c5b7658983fa2fc622411673d
SSDEEP: 1536:DHB0UxMkzOt7HcvJGt5AdHIOWnToIf12ZqTUga1of0o:DhAWJGSCTBf12Z1g4of0
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\WINDOWS\SYSWOW64\CMSTP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\XCOPY.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\RDRLEAKDIAG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SDIAGNHOST.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SYSTEMPROPERTIESREMOTE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\MIGWIZ\MIGSETUP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\MSIEXEC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SHRPUBW.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\WBEM\WMIPRVSE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\CONTROL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\MCBUILDER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SNDVOL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SUBST.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SYSTEMPROPERTIESPROTECTION.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\COMPACT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\ESENTUTL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\EVENTVWR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\IME\IMETC10\IMTCPROP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\TASKMGR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\DWWIN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\MUIUNATTEND.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\NOTEPAD.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\SRDELAYED.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\TASKENG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\WLANEXT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\CACLS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSTEM32\DRIVERSTORE\FILEREPOSITORY\BRMFCMF.INF_AMD64_NEUTRAL_67B5984F8E8FF717\BRMFRSMG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\REGEDT32.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\RESMON.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\RMACTIVATE_SSP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\SCHTASKS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\WIAACMGR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\CLEANMGR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\LABEL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\MSINFO32.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\SETIEINSTALLEDDATE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\UTILMAN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\NETPLWIZ.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\NTOSKRNL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\PERFMON.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\OSK.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\TAPIUNATTEND.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\EFSUI.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\FONTVIEW.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\MSINFO32.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\FSUTIL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\RDRLEAKDIAG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\REGINI.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\TCMSETUP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SECEDIT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\DFRGUI.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\ISOBURN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\CTFMON.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SETUPUGC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\DIANTZ.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\OCSETUP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\TAKEOWN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\PERFHOST.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\PREVHOST.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SysWOW64\SC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\PSR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\WBEM\WMIADAP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SYSWOW64\WERMGR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\RMID.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\MULTIPLAYER\BACKGAMMON\BCKGZM.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\SMART TAG\SMARTTAGINSTALL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WORDICON.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MAIL\WAB.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\JAVACPL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\SETLANG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVA-RMI.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JDB.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\UNINSTALL\HELPER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\SHAPECOLLECTOR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\SETUP FILES\{AC76BA86-7AD7-1033-7B44-A90000000001}\SETUP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.151\GOOGLEUPDATEBROKER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\KLIST.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPDMC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\ACROBROKER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\JAVAWS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\ACROTEXTEXTRACTOR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS SIDEBAR\SIDEBAR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME_PROXY.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\KINIT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\WINDOWS MAIL\WAB.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\KINIT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\ORBD.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\JABSWITCH.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MAIL\WINMAIL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\UNPACK200.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPDMC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPSHARE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\EQNEDT32.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICESOFTWAREPROTECTIONPLATFORM\OSPPREARM.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\SETUP_WM.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPLAYER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\INTERNET EXPLORER\IEINSTAL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVAP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JHAT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\WINDOWS MAIL\WABMIG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\MAINTENANCESERVICE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MAIL\WABMIG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\POLICYTOOL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\JAVA-RMI.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\ORBD.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\MINIDUMP-ANALYZER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPCONFIG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\ACRORD32INFO.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\INPUTPERSONALIZATION.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JRUNSCRIPT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\KTAB.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\TNAMESERV.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\JAVA.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\MINESWEEPER\MINESWEEPER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.151\GOOGLEUPDATEONDEMAND.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7ZG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\INTERNET EXPLORER\IELOWUTIL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVAWS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\WINDOWS DEFENDER\MPCMDRUN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MSOHTMED.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\JABSWITCH.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\MULTIPLAYER\SPADES\SHVLZM.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\WINDOWS\INSTALLER\{90140000-0011-0000-0000-0000000FF1CE}\JOTICON.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..ATIBILITY-ASSISTANT_31BF3856AD364E35_6.1.7600.16385_NONE_8FBB77BB3CD808D1\PCAWRK.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-REGISTRY-EDITOR_31BF3856AD364E35_6.1.7600.16385_NONE_5023A70BF589AD3E\REGEDT32.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CORRUPTEDFILERECOVERY_31BF3856AD364E35_6.1.7600.16385_NONE_E3AEA9874278550C\COFIRE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-RASAUTODIAL_31BF3856AD364E35_6.1.7600.16385_NONE_6BCEF05D7F04260A\RASAUTOU.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SIDEBAR_31BF3856AD364E35_6.1.7601.17514_NONE_2D02B12C3D47A517\SIDEBAR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\REGTLIBV12.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\INSTALLUTIL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CONSOLEHOST_31BF3856AD364E35_6.1.7601.17514_NONE_D281CCC018B94FF4\CONHOST.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-F..CLIENT-APPLICATIONS_31BF3856AD364E35_6.1.7601.17514_NONE_D71FB1D63F05EF22\WFS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\SPLWOW64.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SECURITY-TOOLS-SETSPN_31BF3856AD364E35_6.1.7600.16385_NONE_DBFA9310F7D4D925\SETSPN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-STICKYNOTES-APP_31BF3856AD364E35_6.1.7600.16385_NONE_493BA8A4D2FC9697\STIKYNOT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\BFSVC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\COMSVCCONFIG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-D..ANDLINEPROPERTYTOOL_31BF3856AD364E35_6.1.7601.17514_NONE_696354579779EADF\IMJPUEXC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-REMOTEASSISTANCE-EXE_31BF3856AD364E35_6.1.7600.16385_NONE_934D08D31B96D4EE\MSRA.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_WPF-TERMINALSERVERWPFWRAPPEREXE_31BF3856AD364E35_6.1.7600.16385_NONE_80543131E5508A75\TSWPFWRP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-REMOTEASSISTANCE-EXE_31BF3856AD364E35_6.1.7600.16385_NONE_934D08D31B96D4EE\SDCHANGE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX-CSHARP_COMPILER_CSC_B03F5F7F11D50A3A_6.1.7600.16385_NONE_8B52BB03D4EA5D36\CSC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-GC-REGISTERIEPKEYS_31BF3856AD364E35_8.0.7601.17514_NONE_A0C922C3B170DD5D\REGISTERIEPKEYS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-INTERNETEXPLORER_31BF3856AD364E35_11.2.9600.16428_NONE_11B913172F0CB26F\IEUNATT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TABLETPC-INKWATSON_31BF3856AD364E35_6.1.7600.16385_NONE_644C1A991AAC9FFB\INKWATSON.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-I..EOPTIONALCOMPONENTS_31BF3856AD364E35_11.2.9600.16428_NONE_E410F56F6C4EE930\CONFIGUREIEOPTIONALCOMPONENTS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-MAKECAB_31BF3856AD364E35_6.1.7600.16385_NONE_4CC4738D82EFDF85\MAKECAB.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..EXECUTIONPREVENTION_31BF3856AD364E35_6.1.7600.16385_NONE_25D85B4A3E4A7709\SYSTEMPROPERTIESDATAEXECUTIONPREVENTION.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TCPIP-UTILITY_31BF3856AD364E35_6.1.7601.17514_NONE_90ECF919657DACF4\NETSTAT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\APPLAUNCH.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODELREG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-I..DEVICESCONTROLPANEL_31BF3856AD364E35_6.1.7600.16385_NONE_8094BD7B62D2B435\IMAGINGDEVICES.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-NFS-ADMINCMDTOOLS_31BF3856AD364E35_6.1.7601.17514_NONE_12D42225A9A7AEF7\NFSADMIN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SMSS_31BF3856AD364E35_6.1.7600.16385_NONE_082F99A432E2A661\SMSS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-GC-REGISTERIEPKEYS_31BF3856AD364E35_11.2.9600.16428_NONE_0A3FE92B38DD8C45\REGISTERIEPKEYS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-NETSH_31BF3856AD364E35_6.1.7600.16385_NONE_BB95E7E51189D8F9\NETSH.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_SUBSYSTEM-FOR-UNIX-BASED-APPLICATIONS_31BF3856AD364E35_6.1.7601.17514_NONE_D20E5D35068F261A\PSXRUN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_WCF-ICARDAGT_EXE_31BF3856AD364E35_6.1.7600.16385_NONE_8DCC9C6F8B58A5EB\ICARDAGT.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-EHOME-MCWEBLAUNCHER_31BF3856AD364E35_6.1.7600.16385_NONE_5846A8771B202706\MEDIACENTERWEBLAUNCHER.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-M..CATIONNOTIFICATIONS_31BF3856AD364E35_6.1.7600.16385_NONE_737951AB23CF8EA0\LOCATIONNOTIFICATIONS.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SETUP-COMPONENT_31BF3856AD364E35_6.1.7601.17514_NONE_905283BDC3E1D2D8\WINDEPLOY.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\HELPPANE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ILASM.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_DIVACX64.INF_31BF3856AD364E35_6.1.7600.16385_NONE_CF37CC4C5BC25DC7\DITRACE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CHARMAP_31BF3856AD364E35_6.1.7600.16385_NONE_4E4EAF05BE0C2D8F\CHARMAP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-D..ING-MANAGEMENT-CORE_31BF3856AD364E35_6.1.7601.17514_NONE_895A2B74415EA575\DISMHOST.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SPEECH-USEREXPERIENCE_31BF3856AD364E35_6.1.7601.17514_NONE_7A2FF57A626C29FD\SPEECHUXTUTORIAL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IIS-MANAGEMENTCONSOLE_31BF3856AD364E35_6.1.7600.16385_NONE_E3C88F07D4C88269\INETMGR.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-ISCSI_INITIATOR_UI_31BF3856AD364E35_6.1.7600.16385_NONE_33E01C5875C2E5CB\ISCSICPL.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..MINALSERVICESCLIENT_31BF3856AD364E35_6.1.7601.17514_NONE_AC02530437B71A3F\MSTSC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_64\SMSVCHOST\04D794428D635F6A82AC57DD3D6F3628\SMSVCHOST.NI.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\EDMGEN.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\APPLAUNCH.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-EVENTCREATE_31BF3856AD364E35_6.1.7600.16385_NONE_3157C24B5944E2A3\EVENTCREATE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LPKSETUP_31BF3856AD364E35_6.1.7601.17514_NONE_7F7F66788318015D\LPREMOVE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-FILTERMANAGER-UTILS_31BF3856AD364E35_6.1.7600.16385_NONE_7582A4A93F08B488\FLTMC.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-I..ETEXPLORER-OPTIONAL_31BF3856AD364E35_11.2.9600.16428_NONE_7B0D6F67C2D3F97A\IEXPLORE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-RASCONNECTIONMANAGER_31BF3856AD364E35_6.1.7601.17514_NONE_BD4644E077251730\CMDL32.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SECURITY-TOOLS-KSETUP_31BF3856AD364E35_6.1.7600.16385_NONE_7861B83567D966E6\KSETUP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WPF\PRESENTATIONFONTCACHE.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-MEDIAFOUNDATION_31BF3856AD364E35_6.1.7601.17514_NONE_FA8534AB236134C4\MFPMP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-DEVICEPROPERTIES_31BF3856AD364E35_6.1.7600.16385_NONE_463F54AA539A0B62\DEVICEPROPERTIES.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-OPTIONALTSPS_31BF3856AD364E35_6.1.7600.16385_NONE_3DF12FEBE293CE5D\TCMSETUP.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-R..EAK-DIAGNOSTIC-CORE_31BF3856AD364E35_6.1.7600.16385_NONE_B70694AA97134F37\RDRLEAKDIAG.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CONSOLEHOST_31BF3856AD364E35_6.1.7601.17932_NONE_D26A33EC18CB49C4\CONHOST.EXE | 09bd19605de3262ae7f8f2355d430300N.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 09bd19605de3262ae7f8f2355d430300N.exe
Processes
C:\Users\Admin\AppData\Local\Temp\09bd19605de3262ae7f8f2355d430300N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\09bd19605de3262ae7f8f2355d430300N.exe"
PID: 1708
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery