c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
Size

593KB
MD5

dc27c80f682aaba013e8dc2f3e658910
SHA1

29ed6d84974564102b91e2320cf4a08948643c65
SHA256

c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6
SHA512

e3e9066a69697b2098462af9bf2ea33c8762ee60ae18647fc692cb43a3d77c051da4cd811189f61d20807f133546e112097d0c886e21977756e1ada7d2b0a316
SSDEEP

6144:8jMKITkBXkHhIitXSrQeRTTilNeRTTilYeRTTilqvRe/5du4cuTfM7fhHDohnK7S:/IIwQCf2CfnCfjRc5dQuTErhjoxGQR

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\edpnotify.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\RmClient.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\cmd.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\colorcpl.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\mspaint.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\CertEnrollCtrl.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\RdpSaProxy.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\cmmon32.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\find.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\setupugc.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\convert.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\logman.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\mmc.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\pcaui.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\sdbinst.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\shutdown.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\fontview.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\HOSTNAME.EXE-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\ktmutil.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\more.com	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\wbem\WMIC.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\lodctr.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\setupugc.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\sort.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\stordiag.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\wextract.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\scrnsave.scr	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\certutil.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\msinfo32.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\netsh.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\ARP.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\getmac.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\mavinject.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\sdchange.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\wevtutil.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\dtdump.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\eudcedit.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\iexpress.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\bthudtask.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\mmgaserver.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\NETSTAT.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\setx.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\sort.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\Windows.WARP.JITService.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\fltMC.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\odbcad32.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\recover.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\secinit.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\wecutil.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\rrinstaller.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\wbem\WinMgmt.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\ipconfig.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\runas.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\setx.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SysWOW64\wusa.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\7-Zip\7zFM.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\show_third_party_software_licenses.bat	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdate.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateCore.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Windows Media Player\wmplayer.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_10.0.19041.84_none_7c1f17a9e1beaf63\f\recdisc.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.19041.1_none_07600fc1c7993163\ClipRenew.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\r\winresume.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\SystemSettings.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.19041.1266_none_23ae8c0349f1b325\UsoClient.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_multipoint-logcollector_31bf3856ad364e35_10.0.19041.1_none_56138d203a7fc4cf\LogCollector.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1237_none_7578510aa0f564fa\vfpctrl.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_serviceinitiatedhealing-client_31bf3856ad364e35_10.0.19041.1_none_d2cf62416598c002\SIHClient.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wimgapi_31bf3856ad364e35_10.0.19041.84_none_809ebfa242fbf368\f\wimserv.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_10.0.19041.1_none_f53047daaa565a5e\dllhost.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_52411fe22e5a0ca1\TapiUnattend.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\XBox.TCUI.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.0.19041.1_none_f23fc9b9908be4fc\wextract.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-com-runtimebroker_31bf3856ad364e35_10.0.19041.1_none_4c44763647728882\RuntimeBroker.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\ScriptRunner.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.804_none_8b46258bdefa0beb\f\FXSUNATD.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_10.0.19041.1202_none_cc46843e404eb749\f\BitLockerWizard.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_ed5986fc58f1b817\r\SystemUWPLauncher.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_2dfbb21bd5166adc\r\Taskmgr.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_3b97be772075a03a\RdpSa.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_3bcd0306a19592e2\f\Robocopy.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\f\UserAccountBroker.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ifiedwritefilter-ux_31bf3856ad364e35_10.0.19041.746_none_c7c6fccae233c8b7\f\uwfux.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-compact_31bf3856ad364e35_10.0.19041.1_none_afe6484e54f00fd0\compact.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_10.0.19041.264_none_dc8146375466099a\f\DWWIN.EXE-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\Temp\PendingDeletes\a267614236e5d701639700001815341f.UwfServicingSvc.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\finger.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_10.0.19041.746_none_b0a3ebd117ec81d4\hh.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.19041.1110_none_af1474f55f209109\raserver.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-secinit_31bf3856ad364e35_10.0.19041.1_none_3da8fdfb6c5bbf8a\secinit.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.804_none_8b46258bdefa0beb\r\FXSUNATD.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\ResetEngine.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.19041.1_none_db6f0c88fb6e127a\taskkill.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-computerdefaults_31bf3856ad364e35_10.0.19041.1_none_c6bc59819707b32b\ComputerDefaults.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..hreshold-adminflows_31bf3856ad364e35_10.0.19041.1023_none_9583d52fd3076014\r\SystemSettingsAdminFlows.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_wp_exe_b03f5f7f11d50a3a_10.0.19041.1_none_85d1745a1d49397f\aspnet_wp.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\r\PinningConfirmationDialog.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\r\wkspbroker.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.746_none_ff52abd5cb47bbe1\f\lpremove.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1288_none_f92f7256107c0e35\nvspinfo.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_10.0.19041.1_none_260e545bf60f6b0f\cliconfg.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f\f\sppsvc.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1266_none_610e6b21ab533b13\autochk.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_3d62a57d3b12dcf1\chcp.com-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.662_none_d8ed4acdd3960fad\r\wecutil.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_d7b5820f5a89765b\agentactivationruntimestarter.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-certificateinstall_31bf3856ad364e35_10.0.19041.1151_none_ae854961a06058b2\r\dmcertinst.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\f\BackgroundTransferHost.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_1278095646355851\net.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\f\ScriptRunner.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.264_none_6ea6dfb6393e5f06\DataStoreCacheDumpTool.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.1288_none_23aa03725ec9354a\wuauclt.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_1befc89391e44c23\f\autoconv.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_7c2c890be7329496\verclsid.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVStreamingUX.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ieframe_31bf3856ad364e35_11.0.19041.264_none_863c21753674f968\IESettingSync.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.19041.1_none_760acfd88cf7390d\MuiUnattend.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\aspnetca.exe-	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe

C:\Users\Admin\AppData\Local\Temp\c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe
"C:\Users\Admin\AppData\Local\Temp\c5d564f330c1551f87dbfcad6617011159e166b85c18a68921788321bb302df6N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe-

Filesize
1.1MB

MD5
fbbb8f2fd92ff61aaa006c7f2ace6c2a

SHA1
7b94bfbe05621f8b58f7bf3f5ce6876e1a4f102f

SHA256
3904603706df0c4d230a6bc552842a9808cc31e172f90ba91a47787990211988

SHA512
6afcf1a4bd4c11bffcecaf823163d23fb247b614f947c53f15ac7ba4584378d5d979dbbde63e33b8d8965671aa2b1659b7d96a5859fb17d95f833d457e73dcda

Download Submit
memory/1464-2618-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1464-4252-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1464-4253-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1464-4257-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download