Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2024, 02:47
Static task: static1
Behavioral task: behavioral1
Sample: d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
Resource: win7-20240903-en

General
Target: d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
Size: 52KB
MD5: 2e39d7c24840832a9e0b49cc905fe05c
SHA1: f71e63050fa6aaa630dedc42b3fbb7ace97ed8e0
SHA256: d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99
SHA512: d43065ec68b50fd2b086406df6178b959ec708bf7bc080079fa4061c431be9ebe9e95f203b51c1abcc69e99cc86a5e7e8d5ba99baab35a503715aac1f5d8d137
SSDEEP: 768:DlQ4hrvaEGU4aikqykezg2XpfYEjYioRo40Ol5:5LhE1Dezg2ZfYJo985
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2432 d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2432 d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe 2432 d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe "C:\Users\Admin\AppData\Local\Temp\d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2432