Analysis
max time kernel: 93s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 02:47
Static task: static1
Behavioral task: behavioral1
Sample: d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
Resource: win7-20240903-en
General
Target: d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
Size: 52KB
MD5: 2e39d7c24840832a9e0b49cc905fe05c
SHA1: f71e63050fa6aaa630dedc42b3fbb7ace97ed8e0
SHA256: d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99
SHA512: d43065ec68b50fd2b086406df6178b959ec708bf7bc080079fa4061c431be9ebe9e95f203b51c1abcc69e99cc86a5e7e8d5ba99baab35a503715aac1f5d8d137
SSDEEP: 768:DlQ4hrvaEGU4aikqykezg2XpfYEjYioRo40Ol5:5LhE1Dezg2ZfYJo985
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TAKEOWN_31BF3856AD364E35_10.0.19041.1_NONE_AFDC734DB4FBA076\TAKEOWN.EXE d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe -
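The file-activity rows above arrive as one run of "description ioc Process" triples, which is awkward to triage by eye when a sample opens dozens of system executables for writing. The following is an added example (not part of the sandbox report and not code from the sample or the sandbox vendor) that parses rows in that flattened layout into records, counts the modified executables by location (WinSxS, Microsoft.NET, the Installer patch cache, and so on) and lists the drive letters the sample probed. The input rows are copied from this report; the WATCH_LIST of binaries whose modification deserves immediate attention is this example's own assumption, not a field of the report.

```python
"""Parse flattened sandbox file-activity rows and summarise what a sample
touched. Added example for this page; not part of the report or the sample."""
import re
from collections import Counter

# Constructed input: rows copied from the report above, joined into one run
# exactly as the page lays them out ("File opened ... <path> <process>").
PROC = "d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe"
REPORT_TEXT = " ".join([
    "File opened (read-only) \\??\\I: " + PROC,
    "File opened (read-only) \\??\\Z: " + PROC,
    "File opened for modification C:\\WINDOWS\\WINSXS\\AMD64_MICROSOFT-WINDOWS-WINLOGON"
    "_31BF3856AD364E35_10.0.19041.1266_NONE_E488D49C8A22D21E\\F\\WINLOGON.EXE " + PROC,
    "File opened for modification C:\\WINDOWS\\WINSXS\\AMD64_MICROSOFT-WINDOWS-RUNDLL32"
    "_31BF3856AD364E35_10.0.19041.746_NONE_B5FE9C5C09B9D7A9\\F\\RUNDLL32.EXE " + PROC,
    "File opened for modification C:\\WINDOWS\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\REGSVCS.EXE " + PROC,
    "File opened for modification C:\\WINDOWS\\INSTALLER\\$PATCHCACHE$\\MANAGED\\"
    "68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ACROBROKER.EXE " + PROC,
    "File opened for modification C:\\WINDOWS\\WINSXS\\AMD64_MICROSOFT-WINDOWS-TAKEOWN"
    "_31BF3856AD364E35_10.0.19041.1_NONE_AFDC734DB4FBA076\\TAKEOWN.EXE " + PROC,
])

# One row = "File opened <mode> <path> <process>". Paths in this report
# contain no spaces, so a greedy \S+ is enough to split the columns.
ROW_RE = re.compile(
    r"File opened (?P<mode>for modification|\(read-only\)) "
    r"(?P<path>\S+) (?P<process>\S+\.exe)",
    re.IGNORECASE,
)

# Assumed watch-list (this example's choice): binaries whose overwrite by an
# untrusted process would be especially damaging on the victim host.
WATCH_LIST = {"WINLOGON.EXE", "RUNDLL32.EXE", "SGRMBROKER.EXE", "TAKEOWN.EXE"}


def classify(path: str) -> str:
    """Bucket a path by the Windows location it lives in."""
    p = path.upper()
    if p.startswith("\\??\\"):
        return "drive-root"
    if "\\WINSXS\\" in p:
        return "WinSxS"
    if "\\MICROSOFT.NET\\" in p:
        return "Microsoft.NET"
    if "\\INSTALLER\\$PATCHCACHE$\\" in p:
        return "Installer patch cache"
    if "\\SYSTEM32\\" in p:
        return "System32"
    if "\\PROGRAM FILES" in p:
        return "Program Files"
    return "other"


def parse_rows(text: str) -> list:
    """Return one dict (mode, path, process) per row found in the text."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def summarize(records: list) -> dict:
    """Counts by location and process, probed drives, and watch-list hits."""
    modified = [r for r in records if r["mode"].lower() == "for modification"]
    drives = sorted(
        r["path"][-2] for r in records
        if r["path"].startswith("\\??\\") and r["path"].endswith(":")
    )
    flagged = sorted(
        r["path"] for r in modified
        if r["path"].rsplit("\\", 1)[-1].upper() in WATCH_LIST
    )
    return {
        "modified_count": len(modified),
        "by_location": Counter(classify(r["path"]) for r in modified),
        "by_process": Counter(r["process"] for r in records),
        "drives_probed": drives,
        "flagged": flagged,
        "modified_paths": sorted(r["path"] for r in modified),
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(REPORT_TEXT))
    print("executables opened for modification:", summary["modified_count"])
    for location, n in summary["by_location"].most_common():
        print(f"  {location}: {n}")
    print("drives probed:", ", ".join(summary["drives_probed"]))
    for path in summary["flagged"]:
        print("WATCH-LIST HIT:", path)
```

The `modified_paths` list is the artefact worth carrying to a suspected host: each entry is a Microsoft-signed executable, so checking its Authenticode signature there (for example with `Get-AuthenticodeSignature` in PowerShell) tells you immediately whether the file was actually rewritten. The parser only handles rows with space-free paths, which holds for this report; a path under `C:\Program Files` would need a quoted or tab-separated layout.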
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2556 d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
2556 d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe
"C:\Users\Admin\AppData\Local\Temp\d39a4d66cefa47e601819fc8250dce505d9a6c1f06078c877104d8db7fc7db99.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2556