48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
Size

236KB
MD5

deb20d60b52959364914c86deb3bd21b
SHA1

2b1139b0d7d2c7b8c5057a137cb473c21db3352b
SHA256

48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59
SHA512

034106a52a8ccede36886206ce116d52b892205a1b079b0cc814a40743169913e448176e6e7f510c461d4a863fd7a499e09a20709c8d7d7a298672032e853f0a
SSDEEP

6144:l5+SIkWrbACX2p6fGNgKAO0CFrf3x+aFSm:3+SCrbA62A+xy4rvx+aFSm

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	eqs6FD3.tmp

Loads dropped DLL 1 IoCs

pid	Process
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXFAF2.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXF301.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXFE42.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Windows Journal\RCXD112.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{81B62077-4199-45EB-921D-6EB76AC289EE}\chrome_installer.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXF222.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXC46D.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXC363.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\RCXD71F.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCXCAC1.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\RCXD874.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXF283.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXCE1C.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCXD46E.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXC409.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXC43B.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCXBFF0.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Windows Mail\RCXD152.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXC408.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCXCA3D.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXC703.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXC779.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RCXC22E.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXCD79.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\RCXD903.tmp	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqs6FD3.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2820	2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe	30
PID 2140 wrote to memory of 2820	2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe	30
PID 2140 wrote to memory of 2820	2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe	30
PID 2140 wrote to memory of 2820	2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe	30
PID 2140 wrote to memory of 2820	2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe	30
PID 2140 wrote to memory of 2820	2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe	30
PID 2140 wrote to memory of 2820	2140	48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe	30

C:\Users\Admin\AppData\Local\Temp\48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe
"C:\Users\Admin\AppData\Local\Temp\48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\eqs6FD3.tmp
  "C:\Users\Admin\AppData\Local\Temp\48475c5ce950d702ce347b51ae85cb3304fd3f527e0c4c100ee65089f025ec59.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
2.1MB

MD5
446a5b8ad3140f11ea4744519a153622

SHA1
8a150675e155e34018c53c25662278f15d4f9fe2

SHA256
45ed8ff820ebd062854d131d61cd51f8e0db85134901c0ce77b1450e9139e879

SHA512
b8f5ad0a1c1bf6ed4cb8b98d98e17bd0c725d6d0217aa867dc5664a01dbd08010f13d7a378aec0ae0dc5fb6aabd48a0cb5337bc6ca6cf2ed41f7318fd0cd2fcf

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE

Filesize
843KB

MD5
f8924c9f594cdf6c907d34c666961623

SHA1
d4e8581586a443811ae6ed7d52f789539f33a1eb

SHA256
e529a429f61857415436be79562ba20d471ab85ffb56a76191c6da2205aa5b45

SHA512
da09d001261fe1362ce92e6edcebff41bbdad203d28b36bec03b37b6da2a3000726c0a81f3dc3f16a2231f4dd36aa5428bf6b644fb337a1dc683c44431b8ad73

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE

Filesize
521KB

MD5
58a5b1cf75b0c2b565b62fd8e7486ca8

SHA1
8fcb355506591a2e84fb16c5d255be145f7da263

SHA256
d38e92539507dc10e30e4522a2bc75be55b53486255b7fe815fb1e59fb402435

SHA512
497126b936989650b76088affe7106f2b1f96504ee82aade4e459ddc2b191f4aab2eb45c57e46d4fdff11c6a30ccdb040b5ded4df6a6870e655e65789b4b9f74

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\RCXD874.tmp

Filesize
13KB

MD5
8ec77e62f4193408bcaef96ea8e8b8e0

SHA1
6fa102f7dbbb6f08d0a7a2810c57eacfa55cd8f6

SHA256
05a7204c0acbf7d8b1d0ab1a55907966b21e7bc99729c88845c3b42637a0860d

SHA512
eb17bcdcc3952111cf756e90ad7d731da71cd56fe28710c24e26a65ed03697183838e94ab6135f856593bfcfad6e8fc5ed6e622a19ddf9686dbd66c730542492

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe

Filesize
139KB

MD5
7ec6814f81def3b03a9180cd3ea79058

SHA1
ad7bfbaeff620a1606cefaa1356488534e421b46

SHA256
514683af11a386513f66375ec997bdb325a0311fbab33e9bfb7d2a6e2bb685f5

SHA512
9b226f0b82d550a33dcccb50a62f9936326714cb176317c78c827038460a64aafc593a5e291c2fa4635ddaf2ee0ce6fb0efe99496eeb10870393d9b62d8558ed

Download Submit
C:\Program Files (x86)\Google\Update\RCXDE78.tmp

Filesize
24KB

MD5
bffd874083fba172bf20b5edaef60230

SHA1
78325fe215931a3625075e5f9ec9e49f93194b49

SHA256
f20e730e38a64ba9cebea162854c7bee7939fb45dbe9bb051ecaa72e9ba85d9a

SHA512
58649c7d5c629f00b4021e59182ee682eebcbd3c5786b348faf07598a38e76e28629526ed522150d8d5deaab0d2eda0969ad6b50ebe8375df9271c230568733f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\RCXF926.tmp

Filesize
39KB

MD5
388dc612c9439deb9e7c69b49043c036

SHA1
61f23498ffe9764de6a3dbaf315d96b405456465

SHA256
6d6d5cef7f4ff441f4b401824d2489eed5e4a8c445dcc2ea892f33c3cf4a8838

SHA512
e9856195673550dcc258f3de5d085f4b72ec0c0939625c59b10bdeec28dba2790acc7e000c13742cd1a2f4903de6bdd4dedf988fc145266e13e42eded6511a96

Download Submit
C:\Program Files\7-Zip\RCXBF6F.tmp

Filesize
12KB

MD5
31ca51862b31bcf129556d16f467af09

SHA1
5a211b99259a8b98aba5b281f57d2dbd6cf3325f

SHA256
c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c

SHA512
ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
461KB

MD5
146e2ea79c72a7a3ed817683dd4caec2

SHA1
65e6c8acda0e37d6f5ebb23ed8ebdd7f4036df88

SHA256
85c934133aa31419574443fea5d6fb9040eb7c626e68f4c28e2d3b912c9327ac

SHA512
204ecb8fe5f756a334be1a8bb1fc744e6f0099a9387787dfe8b2bce136573d0c735d1d16eda820cd66935e09a1b40182fe4e7f801dbe06047ebf23c447386cbc

Download Submit
\Users\Admin\AppData\Local\Temp\eqs6FD3.tmp

Filesize
212KB

MD5
dbc0eba52fa6a0127c7e998c3f2d2741

SHA1
bd73c6d3796b6b9f8898a7d17c84a207b3d5cdda

SHA256
80837fee9cdc25b4316448db66800db67968b8f264faca6b93923436fe58f362

SHA512
31706e88efcc076a0d173132ba2e3a945e4b90bd6816650a0e072a93a8425ce4b2407b99773fda5f8857a76d1ddd90f36f2881c7cf51f6e1e00ff7719781c878

Download Submit