Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 15/10/2024, 04:49
Static task: static1
Behavioral task: behavioral1
Sample: 53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe
Resource: win7-20241010-en
General
Target: 53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe
Size: 242KB
MD5: 248c05ffc5214d6d892a4eaf572ab520
SHA1: 497bc85f1d9645af350e1418be7e2c46891c3710
SHA256: 53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243df
SHA512: 974643827dcbdd9da678ee9035c3d359e183c66f8355b14194deeb093a0e4cb1a15f6548065a1539fb728fda2e5484f235020a575ac209e9f6752993be46b4b1
SSDEEP: 6144:u6FJph/ox1M7JtLLpSVurRuTb2syNcGJNG:uekqtLLpFRuH2syF
Malware Config
Signatures
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process for every row: 53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe
description | ioc
File opened (read-only) | \??\G:
File opened (read-only) | \??\I:
File opened (read-only) | \??\T:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\J:
File opened (read-only) | \??\K:
File opened (read-only) | \??\M:
File opened (read-only) | \??\P:
File opened (read-only) | \??\U:
File opened (read-only) | \??\V:
File opened (read-only) | \??\H:
File opened (read-only) | \??\L:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\S:
File opened (read-only) | \??\X:
File opened (read-only) | \??\E:
File opened (read-only) | \??\N:
File opened (read-only) | \??\O:
File opened (read-only) | \??\R:
File opened (read-only) | \??\W:
Drops file in System32 directory (64 IoCs)
Process for every row: 53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe
description | ioc
File opened for modification | C:\WINDOWS\SYSWOW64\DXDIAG.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\EXPAND.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\IME\IMEJP10\IMJPUEXC.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\MCBUILDER.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\REG.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\SYSTRAY.EXE
File opened for modification | C:\WINDOWS\SysWOW64\NOTEPAD.EXE
File opened for modification | C:\WINDOWS\SysWOW64\ROBOCOPY.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\TRACERT.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\WHERE.EXE
File opened for modification | C:\WINDOWS\SysWOW64\EXPAND.EXE
File opened for modification | C:\WINDOWS\SysWOW64\ATBROKER.EXE
File opened for modification | C:\WINDOWS\SysWOW64\CSCRIPT.EXE
File opened for modification | C:\WINDOWS\SysWOW64\REGINI.EXE
File opened for modification | C:\WINDOWS\SysWOW64\SHRPUBW.EXE
File opened for modification | C:\WINDOWS\SysWOW64\VERIFIER.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\CMDKEY.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\DISPLAYSWITCH.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\EHSTORAUTHN.EXE
File opened for modification | C:\WINDOWS\SysWOW64\AT.EXE
File opened for modification | C:\WINDOWS\SysWOW64\PROQUOTA.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\MMC.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\WSMANHTTPCONFIG.EXE
File opened for modification | C:\WINDOWS\SysWOW64\CMSTP.EXE
File opened for modification | C:\WINDOWS\SysWOW64\COMPUTERDEFAULTS.EXE
File opened for modification | C:\WINDOWS\SysWOW64\MUIUNATTEND.EXE
File opened for modification | C:\WINDOWS\SysWOW64\TASKKILL.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\MOBSYNC.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\UPNPCONT.EXE
File opened for modification | C:\WINDOWS\SysWOW64\AUTOFMT.EXE
File opened for modification | C:\WINDOWS\SysWOW64\CIPHER.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\VERIFIER.EXE
File opened for modification | C:\WINDOWS\SysWOW64\MAKECAB.EXE
File opened for modification | C:\WINDOWS\SysWOW64\POWERCFG.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\CMSTP.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\PKGMGR.EXE
File opened for modification | C:\WINDOWS\SysWOW64\DWWIN.EXE
File opened for modification | C:\WINDOWS\SysWOW64\ICACLS.EXE
File opened for modification | C:\WINDOWS\SysWOW64\TRACERPT.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\MSDT.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\NET1.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\RUNAS.EXE
File opened for modification | C:\WINDOWS\SysWOW64\CLICONFG.EXE
File opened for modification | C:\WINDOWS\SysWOW64\EXTRAC32.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\DRIVERQUERY.EXE
File opened for modification | C:\WINDOWS\SysWOW64\REGEDIT.EXE
File opened for modification | C:\WINDOWS\SysWOW64\RUNLEGACYCPLELEVATED.EXE
File opened for modification | C:\WINDOWS\SysWOW64\SEARCHFILTERHOST.EXE
File opened for modification | C:\WINDOWS\SysWOW64\SFC.EXE
File opened for modification | C:\WINDOWS\SysWOW64\WIMSERV.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\MTSTOCOM.EXE
File opened for modification | C:\WINDOWS\SysWOW64\IME\IMESC5\IMSCPROP.EXE
File opened for modification | C:\WINDOWS\SysWOW64\MIGWIZ\MIGSETUP.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\POWERCFG.EXE
File opened for modification | C:\WINDOWS\SysWOW64\UNREGMP2.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\TAPIUNATTEND.EXE
File opened for modification | C:\WINDOWS\SysWOW64\REGISTERIEPKEYS.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\IME\IMEJP10\IMJPMGR.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\IME\SHARED\IMCCPHR.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\WIAACMGR.EXE
File opened for modification | C:\WINDOWS\SysWOW64\BITSADMIN.EXE
File opened for modification | C:\WINDOWS\SysWOW64\OCSETUP.EXE
File opened for modification | C:\WINDOWS\SysWOW64\SECINIT.EXE
File opened for modification | C:\WINDOWS\SYSWOW64\DIANTZ.EXE
Drops file in Program Files directory (64 IoCs)
Process for every row: 53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe
description | ioc
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JARSIGNER.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\PACK200.EXE
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMLAUNCH.EXE
File opened for modification | C:\PROGRAM FILES\WINDOWS PHOTO VIEWER\IMAGINGDEVICES.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\ONENOTEM.EXE
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS NT\ACCESSORIES\WORDPAD.EXE
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\KEYTOOL.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\BCSSYNC.EXE
File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPNETWK.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\IECONTENTSERVICE.EXE
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\INKWATSON.EXE
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\INPUTPERSONALIZATION.EXE
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\SHAPECOLLECTOR.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\IDLJ.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JSTACK.EXE
File opened for modification | C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\106.0.5249.119\CHROME_PWA_LAUNCHER.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAR.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\EXCELCNV.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\VPREVIEW.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVAH.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\JAVA.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\JP2LAUNCHER.EXE
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\MULTIPLAYER\CHECKERS\CHKRZM.EXE
File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\UNINSTALL\HELPER.EXE
File opened for modification | C:\PROGRAM FILES\7-ZIP\7Z.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\LIB\LAUNCHER.EXE
File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPRPH.EXE
File opened for modification | C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\APT.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\ORBD.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\UNPACK200.EXE
File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
File opened for modification | C:\PROGRAM FILES\DVD MAKER\DVDMAKER.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JSADEBUGD.EXE
File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPNSCFG.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MSPUB.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\SCANPST.EXE
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\CONVERTINKSTORE.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JHAT.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\KTAB.EXE
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\ACROTEXTEXTRACTOR.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MSACCESS.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JPS.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\JAVA.EXE
File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE14\OFFICE SETUP CONTROLLER\SETUP.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\1033\ONELEV.EXE
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPDMC.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\JAVACPL.EXE
File opened for modification | C:\PROGRAM FILES\WINDOWS NT\ACCESSORIES\WORDPAD.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MISC.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\ORBD.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\TNAMESERV.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JRE7\BIN\TNAMESERV.EXE
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\HEARTS\HEARTS.EXE
File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\ADOBE AIR\VERSIONS\1.0\ADOBE AIR UPDATER.EXE
File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\DISABLEDGOOGLEUPDATE.EXE
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\CLVIEW.EXE
File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\DEFAULT-BROWSER-AGENT.EXE
File opened for modification | C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\MIP.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVAW.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JMAP.EXE
File opened for modification | C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\KEYTOOL.EXE
Drops file in Windows directory (64 IoCs)
Process for every row: 53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe
description | ioc
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-N..PROTECTION-STATUSUI_31BF3856AD364E35_6.1.7600.16385_NONE_998FF5C741AE3FB1\NAPSTAT.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-EFS-UI_31BF3856AD364E35_6.1.7600.16385_NONE_F64B1E25E8EA1172\EFSUI.EXE
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODELREG.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..IME-UPGRADE-RESULTS_31BF3856AD364E35_6.1.7601.17514_NONE_21DE7E134213566A\WINDOWSANYTIMEUPGRADERESULTS.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-DXP-DEVICEEXPERIENCE_31BF3856AD364E35_6.1.7601.17514_NONE_A54B31331066C8E2\DXPSERVER.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IIS-SHAREDLIBRARIES_31BF3856AD364E35_6.1.7601.17514_NONE_6F0F7833CB71E18D\ASPNETCA.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-BASIC-MISC-TOOLS_31BF3856AD364E35_6.1.7600.16385_NONE_17330D9420BF24E8\EXPAND.EXE
File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_64\NARRATOR\4CC02FAD33053737088D4C18267CA0A0\NARRATOR.NI.EXE
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\DFSVC.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WINVER_31BF3856AD364E35_6.1.7600.16385_NONE_12466FE3B629E036\WINVER.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_WCF-WSATCONFIG_B03F5F7F11D50A3A_6.1.7601.17514_NONE_D7CE65F32404434B\WSATCONFIG.EXE
File opened for modification | C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-WOW64_31BF3856AD364E35_6.1.7601.17932_NONE_D088DEF7226177D5\USER.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-CLEANMGR_31BF3856AD364E35_6.1.7600.16385_NONE_6D1A8C84BEDF66A4\CLEANMGR.EXE
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_WP.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-DRIVERQUERY_31BF3856AD364E35_6.1.7600.16385_NONE_F217BD1CAEBAA683\DRIVERQUERY.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..ESTARTUP-FVERECOVER_31BF3856AD364E35_6.1.7600.16385_NONE_AB0552BCEECA5A61\BDEUNLOCKWIZARD.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.7601.17514_NONE_D18028273214FA77\SEARCHFILTERHOST.EXE
File opened for modification | C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-IIS-SHAREDLIBRARIES_31BF3856AD364E35_6.1.7601.17514_NONE_79642285FFD2A388\IISRESET.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-SXS_31BF3856AD364E35_6.1.7601.17514_NONE_B0540607B5E5D445\SXSTRACE.EXE
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\CSC.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-DEFRAG-CMDLINE_31BF3856AD364E35_6.1.7600.16385_NONE_2370C162E00680C3\DEFRAG.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX35LINQ-EDMGEN_31BF3856AD364E35_6.1.7601.17514_NONE_0CA1FD81527E1E9A\EDMGEN.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_WCF-ICARDAGT_EXE_31BF3856AD364E35_6.1.7600.16385_NONE_8DCC9C6F8B58A5EB\ICARDAGT.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WRITEWIN_31BF3856AD364E35_6.1.7600.16385_NONE_378836C309EE380E\WRITE.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX35LINQ-LINQWEBCONFIG_31BF3856AD364E35_6.1.7601.17514_NONE_B532BB17FEA7EE9A\LINQWEBCONFIG.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-DIANTZ_31BF3856AD364E35_6.1.7600.16385_NONE_A69C6A8F23F521F3\DIANTZ.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-TASKSCHEDULER-ENGINE_31BF3856AD364E35_6.1.7601.17514_NONE_E7B3B71A1D1C8662\TASKENG.EXE
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\APPLAUNCH.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_ADDINPROCESS32_B77A5C561934E089_6.1.7601.17514_NONE_DF35B5AC03866E22\ADDINPROCESS32.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-COM-SURROGATE_31BF3856AD364E35_6.1.7600.16385_NONE_A018E05D0D33081D\DLLHOST.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SECURESTARTUP-PROMPT_31BF3856AD364E35_6.1.7600.16385_NONE_4C045EC8FDA52D34\FVEPROMPT.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-TIME-TOOL_31BF3856AD364E35_6.1.7601.17514_NONE_EF1085419A309311\W32TM.EXE
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\APPLAUNCH.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-AUTOFMT_31BF3856AD364E35_6.1.7601.17514_NONE_441A424CD5CDA219\AUTOFMT.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-NETCFG_31BF3856AD364E35_6.1.7600.16385_NONE_6C23CD5F6B2A8DBC\NETCFG.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..LISHING-WMIPROVIDER_31BF3856AD364E35_6.1.7601.17514_NONE_935E5E07AA28AA00\RDPSIGN.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-WUSA_31BF3856AD364E35_6.1.7601.17514_NONE_AF07FB6876DEF437\WUSA.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-MAPI_31BF3856AD364E35_6.1.7601.17514_NONE_AD54AB3A7801C830\FIXMAPI.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-OS-KERNEL_31BF3856AD364E35_6.1.7601.17727_NONE_6E30004A126A8DB7\NTKRNLPA.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-RASCLIENTTOOLS_31BF3856AD364E35_6.1.7600.16385_NONE_6F1D25EC0A04D811\RASPHONE.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-SETHC_31BF3856AD364E35_6.1.7601.17514_NONE_64C7A8E4D35D675C\SETHC.EXE
File opened for modification | C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-W..FOR-MANAGEMENT-CORE_31BF3856AD364E35_6.1.7601.17514_NONE_32E02520F8081891\WSMANHTTPCONFIG.EXE
File opened for modification | C:\WINDOWS\EHOME\LOADMXF.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-DEVICEPAIRINGAPP_31BF3856AD364E35_6.1.7600.16385_NONE_CB9353551BBD8ED8\DEVICEPAIRINGWIZARD.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..INBOXGAMES-CHECKERS_31BF3856AD364E35_6.1.7601.17514_NONE_D467C138CBCE0B24\CHKRZM.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..ES-COMMANDLINETOOLS_31BF3856AD364E35_6.1.7601.17514_NONE_42D65ED50FA3C682\CHGUSR.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX35LINQ-VB_COMPILER_ORCAS_31BF3856AD364E35_6.1.7601.17514_NONE_F4285A06060032A9\VBC.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-EUDCEDIT_31BF3856AD364E35_6.1.7601.17514_NONE_5B9FEE911DC04044\EUDCEDIT.EXE
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_REGBROWSERS.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-BOOTCONFIG_31BF3856AD364E35_6.1.7600.16385_NONE_680B6EB133F91B1B\BOOTCFG.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..NBOXGAMES-SOLITAIRE_31BF3856AD364E35_6.1.7600.16385_NONE_D1124C00155DFD14\SOLITAIRE.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MSBUILD_B03F5F7F11D50A3A_6.1.7601.17514_NONE_0DE23DAF595F5711\MSBUILD.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-WININIT_31BF3856AD364E35_6.1.7600.16385_NONE_30C90EF265A43C13\WININIT.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-ADAPTERTROUBLESHOOTER_31BF3856AD364E35_6.1.7600.16385_NONE_2DF6395B9CF7E9A5\ADAPTERTROUBLESHOOTER.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-INFDEFAULTINSTALL_31BF3856AD364E35_6.1.7600.16385_NONE_C8897566B5C070A0\INFDEFAULTINSTALL.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..LLERCOMMANDLINETOOL_31BF3856AD364E35_6.1.7600.16385_NONE_D0632CBFEE5DB937\SC.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-COM-COMPLUS-SETUP_31BF3856AD364E35_6.1.7600.16385_NONE_E97E2F6C50A1C3C0\MTSTOCOM.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SCRIPTING_31BF3856AD364E35_6.1.7600.16385_NONE_A45D44BD1A0AF822\WSCRIPT.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-RECOVER_31BF3856AD364E35_6.1.7600.16385_NONE_85E9A3F215EE94E3\RECOVER.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_6.1.7600.16385_NONE_0935B76C289E0FD5\PKGMGR.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-ERRORREPORTINGFAULTS_31BF3856AD364E35_6.1.7601.17514_NONE_CE2D22115368DB7A\WERFAULT.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-REGSVR32_31BF3856AD364E35_6.1.7600.16385_NONE_D44C0EF849349ED9\REGSVR32.EXE
File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SNMP-EVNTWIN_31BF3856AD364E35_6.1.7600.16385_NONE_12C5B5B81F2D2F1D\EVNTWIN.EXE
File opened for modification | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-RUNONCE_31BF3856AD364E35_6.1.7601.17514_NONE_17C23E881D4A0B0B\RUNONCE.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\53ce52ffa0c37fe6f090366783eab6163ac039d1c1b13730fb1640031c8243dfN.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2776
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)