90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3

Analysis

max time kernel
106s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
Size

1.3MB
MD5

e27ea9b034865c6d87eb26e6a95e58b0
SHA1

9151b8f1d74ea83a2e01900d9ffe8e84d0e0e3b3
SHA256

90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3
SHA512

397380f3be9527f9b06d9d4dc1d260c8ad385453a6ab1bb364482e7a2100538ce2f72bca6b0284854dd29474eb526224dd67f9ba017859d221b4a89c0a8eee07
SSDEEP

24576:HxksSWkfRyE2ZcFGUEGNBffACErtoFAocYj+uY64YF5AjXEx2Je7CVSszVrmWW:H8WJE2ZctEafitmGYj+uYP4D2VPrX

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	eqs297F.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_ko.dll	eqs297F.tmp
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_hi.dll	eqs297F.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_nl.dll	eqs297F.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCXCFB3.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXF2FD.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_hu.dll	eqs297F.tmp
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\RCXD322.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXDB6C.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_en.dll	eqs297F.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\RCXCFC4.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCXDA3F.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXDF2F.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXF32F.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_et.dll	eqs297F.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_fa.dll	eqs297F.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\RCXD8B5.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\RCXD9CD.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCXEBD3.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXF330.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_sk.dll	eqs297F.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCXD1E2.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCXD1F2.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCXF21E.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\psuser.dll	eqs297F.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_pt-PT.dll	eqs297F.tmp
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXDAA3.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCXD417.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXDAC5.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\RCXEC16.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File created	C:\Program Files (x86)\Google\Temp\GUM29FC.tmp\goopdateres_zh-CN.dll	eqs297F.tmp
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCXD39A.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXDBEC.tmp	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqs297F.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1984	1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe	85
PID 1992 wrote to memory of 1984	1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe	85
PID 1992 wrote to memory of 1984	1992	90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe	85

C:\Users\Admin\AppData\Local\Temp\90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe
"C:\Users\Admin\AppData\Local\Temp\90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\eqs297F.tmp
  "C:\Users\Admin\AppData\Local\Temp\90a94a57415a31454efeb7c8705adcb0c99a6915c79ff60475cc8f6365b5f6b3N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\RCXEC28.tmp

Filesize
24KB

MD5
c016ef1a86325eaa8e3c7c1d0cbe6a9c

SHA1
1c0e466ceaae36cc5d24d59e03430a0ca07b6db7

SHA256
703e854417e666a42cbf8137637070148dd9c9421b492e5afbcf25405a2a3dd3

SHA512
93bdd300a5faaa2e14024719851a08dc341e273b497ec5ac01ab710f422fdb21d6dce0cd9027b3c78d03a80f81db42cca676a6dafd580f264c3940873e026fa7

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXF2DA.tmp

Filesize
24KB

MD5
2ee82bf31f8f29f17aa432e16e8a9192

SHA1
2b9c59b13c5544f818b34536511aa0e89d7df435

SHA256
fd3f8155e1151ab0e0d91b9455166d05ee026c6914a66ec259202b4ebac86334

SHA512
c9dfbdbdcdc6a4b3433f8dcb3415d7d7ec22b2098879ba774e1fca720d609ce78203a7ffd54c047fcfadbfda0a115611f3db7461e00b8173f64e186440baca33

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\RCXF2FD.tmp

Filesize
39KB

MD5
77dbc4532d0527b80563fef9ab9f7d32

SHA1
a27cee72780384bc67865e57c2db9b4b4e655d08

SHA256
43e174176205b249709b329d274c6493ea3cb4e252bca7b2dcb3a067d8896f43

SHA512
bfa715736ba0bfad1723b8fa98e98164f7645ffa741a1b5b957e96a09fc36c8ac96ba3c20b6a4f07e7ebec8a4e7ec3f87a70dda3acf5b0254f925fcda7fc35bf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.8MB

MD5
2628a5053cbb7a486f22d7ac9df84489

SHA1
2af0370889f53e0b4e281eb21a635c8c46ab9d1f

SHA256
b4f63337d2ab3f0befd220f611e961955e67159d4883225a23bedeb7c15cfabb

SHA512
0f5f2807fef499d8b46387252d7b8cde0ceb51ca4845e3e0a8a6c9c287f86164bb9346396b78872b401a45b713ae4cf9aea9525ebdfb221bed9092f2c8cff70d

Download Submit
C:\Program Files\7-Zip\RCXCE8B.tmp

Filesize
12KB

MD5
31ca51862b31bcf129556d16f467af09

SHA1
5a211b99259a8b98aba5b281f57d2dbd6cf3325f

SHA256
c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c

SHA512
ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXDB09.tmp

Filesize
54KB

MD5
5854db9641e407adc851e8a223abb0d1

SHA1
adb057b3c2ba9304516f5ba621a900b000e2e63f

SHA256
0a6e3edb25ced4306f7422e6e25f2d93e381f76312273493b35df02a74979f4f

SHA512
c161d904bf6e562b348f7d78645c60fcaa09f51f482a38a432827ae7af66cae4964e99984b11597651f7e7473d52066f0875e329b9cb4e49853c9cc9a5becfc4

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXDBAC.tmp

Filesize
3.3MB

MD5
1f75518e4bdc08ad0e5872e6d6fa0a3b

SHA1
045c2f37078d5bbbcedc98fb554330eace8bbbe9

SHA256
ccfa1e9e25c36c6d6a9fa8c80a5e794fee8a2d8934bcf6c4f03e663509aa9a2f

SHA512
74010c987b997df3908577cb0191400b16035d72cf6c51acb5f17f340ffcb1d5f505c315aaff816a1049444133d869720003a1731e8a5f16de04d8cbb283ffdf

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe

Filesize
151KB

MD5
fe8556f4cd549ca5a9b2811a955a25b9

SHA1
ff58dd1cfb676668c99e47c06ca1f3967d2057fa

SHA256
7eab17620ba806eadb500e21c344f7f4af9725b3fe8c1ffe775364f201c5ec56

SHA512
4669ef5198396e77a56ffa92a06291cc0b229eb3b49a696a8776a138354addcd9fbefb24de01c0b25f9e4a4157d563fbe17102633283d7eb73f4c5cace2fa940

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe

Filesize
8.2MB

MD5
90ef8b52adf2917ed0bf8abcfd634d42

SHA1
a3e11a32e6531f5f681e5869878290d90dad93c3

SHA256
5accb1ac4f3b653192f3e792bbe48cd309e2bd3bab69575219710fc78bd535db

SHA512
04263c4e70a96e1327d8984708510e71609a82d2f746d9edddcb39a0740c054e1eebee081a4650224860cd414aa389c20f56a963f831abac47094fa29cf21e00

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe

Filesize
2.0MB

MD5
2e80e450ec8a4cb5e9804154b944d67e

SHA1
49c8ed6b16910a00928f1b5e51977a6baae540e4

SHA256
df62b2c57c04aaddb4eb8284ca2f6dec6fa7880e0bcd3a5aebb52cb2829d5f41

SHA512
c21523a39bf8a2a265c0ebca0d3355cb9343e35e7b6cd28017b5aa5aefa6bb4db4cf8de445425069080afb44f75bd64b2bd1cdfb3dea843741c762744d8659ba

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
626KB

MD5
97943f8e7cd54d2d2fa5ff7a88078afe

SHA1
7653d2921a0de1c5ede1cb7a147b0f3fd78da475

SHA256
d18740207a99b70f898042859479a39278db1b318b7eb59d67100834c86e2ab4

SHA512
a9b2a0d6b1601de8a3aae74feed70422b2b8c1cc1c8aeb37751cd85f253766b16d5dcd638907e9947ae16ef85d3e9ed6cd41e434c6214810a4e5670684d8870d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCXF418.tmp

Filesize
16KB

MD5
e51281f5acbc298a898ebf7cd270fad4

SHA1
aa54f61b89db033d5d6b39cca971f76730aba054

SHA256
dca3096afaab558ecf91ef35f9d3427f7ed2cbc17341067203b9e3e103045867

SHA512
bae3e66e0273abc67c174244a6b14468043ac73b013f9d5a3510d615f8de91f5ce76afc3339d4ac7546274cadeb28261ead730791e252bc42623c2d5f218683c

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
626KB

MD5
3c4979276c3c98bc17338887f7a08a32

SHA1
271fa38de1165e811241faa1f028f5c9d1325412

SHA256
ac14d37637f99e908210b206980ae0c01f6fbc37cfd3d1239786124ad9e1def2

SHA512
7a6261153f2b15b1e929db2e6563831529588fb2c896b57568ec0b8eb47e91878a1fa1e43461b63c94712e52d221c72e155ddaee8698587aef00728ed3e69811

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
471KB

MD5
59dbe39c9ae8f8f6b2a667d65dcbcb56

SHA1
61393a4c69407671fc5a8fc30ddcc4d5c27b7868

SHA256
c1cb0ee24ce7657126b2cbc8820ea012eb9d0f72cba5184721dd23ce4aea07ee

SHA512
610a251c3ba3f851bbdf85084f0f960bae98ac4c6a02e09723ce0b53c23dd2e84179f52286d798e104dc5c3e18719ecfe986a5bd14207ac710197e9728d28eec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\RCXF4F9.tmp

Filesize
367KB

MD5
7cf4cb0b4265b22096287e98414b449c

SHA1
23707d9f3dc80b9b75d6a36768ba3b32d1672466

SHA256
20948aaa8787075fbadfc7cb7e59f125f2c78199b490fc46a115278731ef5a31

SHA512
d307d92c79d77e6839c92d563e020c43da5fdafe7b755ec50c7941dee2f2c97252210b983b3495fef415fa70e4252bad9e74bbf373b6b6ba7ff27634ee6f77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqs297F.tmp

Filesize
1.2MB

MD5
16a42e45149d841dd3445bc2c30a57f5

SHA1
c7964fcf7d85f3ab992af24e5d0a5df79c609212

SHA256
bd033c07759ed01d78c7d7e5a1b405654046f47793eb422b3bc37634e3ade991

SHA512
600763cf12a637c70945ea90c263414ca06ae071676bac430413fc04ab494cf1bb7a952240df7a89c771e4449d7119409bab0ba58d8716b31e54799ab828848c

Download Submit