16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
Size

874KB
MD5

01c875521f3c15d155e80017c296e884
SHA1

cbff30d3c3a83613ede4be222138ac1222120262
SHA256

16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427
SHA512

b41f0aac37cff7cdb173aa69bf0a0a023fca549266216a6fb5d2a97a30e449018a26d6b2ecffc720b95edc1de1ce2ad3df46fe152387d6e691167ae00f12c70d
SSDEEP

24576:ksFmJ1R7GQLSCjtIu6P339SSgT7cu6P339SSgT7:pmJ1RGtCjyvNSFTwvNSFT

Score

7^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe

Executes dropped EXE 1 IoCs

pid	Process
732	eqs7232.tmp

Loads dropped DLL 2 IoCs

pid	Process
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\RCX295E.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCX1CE5.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX2028.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX259B.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\RCX25BB.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX2917.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX1B47.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX392A.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\RCX39BA.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX2918.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX2238.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\RCX1BED.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCX1CAD.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\RCX1D5A.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX3222.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX3AB7.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX1AA7.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCX3A53.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX3AFD.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCX1C7A.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX20BF.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpshare.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX1A29.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\RCX1BB8.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX3395.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\RCX2359.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCX265F.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\RCX1C57.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX2218.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX23BD.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\RCX35F7.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX3907.tmp	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqs7232.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 732	4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe	84
PID 4052 wrote to memory of 732	4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe	84
PID 4052 wrote to memory of 732	4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe	84
PID 4052 wrote to memory of 3216	4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe	110
PID 4052 wrote to memory of 3216	4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe	110
PID 4052 wrote to memory of 3216	4052	16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe	110

C:\Users\Admin\AppData\Local\Temp\16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe
"C:\Users\Admin\AppData\Local\Temp\16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\eqs7232.tmp
  "C:\Users\Admin\AppData\Local\Temp\16c7368a03629d421a298d675f64cc94a338be75f8a7dc676b2e7562128c1427.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\16C736~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\RCX3420.tmp

Filesize
24KB

MD5
c016ef1a86325eaa8e3c7c1d0cbe6a9c

SHA1
1c0e466ceaae36cc5d24d59e03430a0ca07b6db7

SHA256
703e854417e666a42cbf8137637070148dd9c9421b492e5afbcf25405a2a3dd3

SHA512
93bdd300a5faaa2e14024719851a08dc341e273b497ec5ac01ab710f422fdb21d6dce0cd9027b3c78d03a80f81db42cca676a6dafd580f264c3940873e026fa7

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

Filesize
182KB

MD5
e23271d80596956368a4b19d3028407f

SHA1
6ad7b3e176db8d05fc5a93c614ed36bd654259dc

SHA256
e7852c4caadfd1507f313420bd22d597fc1574498203f5a30dd9fa2d2b9396f3

SHA512
fd7ad7e35e70a1617670d5b87fbe40e96836a6157f587e6e30f29d3944b46fcf5d217463ad4fbdc6f2241b0933214049de2838be9c59defad249e45b5826a294

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCX3A52.tmp

Filesize
24KB

MD5
2ee82bf31f8f29f17aa432e16e8a9192

SHA1
2b9c59b13c5544f818b34536511aa0e89d7df435

SHA256
fd3f8155e1151ab0e0d91b9455166d05ee026c6914a66ec259202b4ebac86334

SHA512
c9dfbdbdcdc6a4b3433f8dcb3415d7d7ec22b2098879ba774e1fca720d609ce78203a7ffd54c047fcfadbfda0a115611f3db7461e00b8173f64e186440baca33

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe

Filesize
497KB

MD5
995dd26bc06600e83f884023f72fbeb8

SHA1
20c6ded8d608900c5f0ba3624cd81e13295e012d

SHA256
b9e286db5fce408f7a82851aa0ef2f2f5c338e7404175ff2064bfce432dada23

SHA512
57b6d5228a862846387b5b8df0d188451e2b1b06f3d622af7bdee64e12fce494afef68fb27d0439623f65103263baa8e7c49b0f13ad58758cdd01a760e2dd890

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
930KB

MD5
2c6fc4604ae4175908df632df0e5e2eb

SHA1
32cdf01fcb2fd3c4023bb13d81c7db0632c9b40b

SHA256
cf8880ca86ba1ae8204dd0e5492b0ca639a307c85e9c5fee2f9ab80da9e0300a

SHA512
46bef3506d1ba6eb3125a2e80456ffb360fcfa6749b25b169093628156edd4f4afb1b2e987faa8820ba26b5074abd106325ad48368921facced8f96abc75a6ca

Download Submit
C:\Program Files\7-Zip\RCX173E.tmp

Filesize
12KB

MD5
31ca51862b31bcf129556d16f467af09

SHA1
5a211b99259a8b98aba5b281f57d2dbd6cf3325f

SHA256
c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c

SHA512
ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX24C9.tmp

Filesize
3.9MB

MD5
8235f9a7dee83ae3d73106b9251955e2

SHA1
b52abb012d8bf8ce8ad295627d04a6426a78eb8d

SHA256
9bbe361214bfe67297317b49a7b995cc8849a5ac298bbe7a8782c214d82ed1d6

SHA512
544a02f19d6f53930979232ac63ed53b749b70ec606e1ed06bd9a0b02cdd1cd0f24968149c265d8198560c8dcc11480b837a20aa489fddc524f28c8b6c119b5c

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX2519.tmp

Filesize
72KB

MD5
c3411750dfd25bb95944073f862cc794

SHA1
a7a2b803a82169e86273009d91127bd992cf734f

SHA256
ecbd4f76a280fa2241aadb39cd0140b65daaf623fc9c42932fae4eff9519d6ea

SHA512
add09d0c379d40d2e34d2c0c475c95a4c65e75065716fe23dfbad0b27c2212039d27ba0b3f2fc5bba8038f808ece999cba2d0cf0dd8d82c6c93110e2a7f2702e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe

Filesize
8.2MB

MD5
90ef8b52adf2917ed0bf8abcfd634d42

SHA1
a3e11a32e6531f5f681e5869878290d90dad93c3

SHA256
5accb1ac4f3b653192f3e792bbe48cd309e2bd3bab69575219710fc78bd535db

SHA512
04263c4e70a96e1327d8984708510e71609a82d2f746d9edddcb39a0740c054e1eebee081a4650224860cd414aa389c20f56a963f831abac47094fa29cf21e00

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX259B.tmp

Filesize
1007KB

MD5
53889c85c32108f93022352ea52f0ddd

SHA1
a0f6da80f0a2a2b700a2670e89c3e58a27ea956f

SHA256
b19c6539228d8c64bbec068c8101792ee86e8c38d9488a787aa4cb922e2fc647

SHA512
5dfaa70902305b71e2425168850bba293a24bc2bc76f08991e1e2c8fe6f780b2287cb0e312c636bbef578734846f881c94479c151684e55415c4c8529dd8085e

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\RCX3BA1.tmp

Filesize
16KB

MD5
817d9fff70654665bd7691e149035535

SHA1
87ca326dc66256aaf51f44b216d2f8022beeda14

SHA256
1ad74640562a7b3c25ea0479640dbebbf3a2c4f31dcbf7696b1107e4dc095190

SHA512
1db389d7c4d9d4b23b7052b897b6f796bf027b0ec5e125c11ffdb954d7e01d2eece1c37cd78519bc84f63ec4d446cdc1b14ebabcbd0dce221b8f59fc952e2f3c

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
626KB

MD5
97943f8e7cd54d2d2fa5ff7a88078afe

SHA1
7653d2921a0de1c5ede1cb7a147b0f3fd78da475

SHA256
d18740207a99b70f898042859479a39278db1b318b7eb59d67100834c86e2ab4

SHA512
a9b2a0d6b1601de8a3aae74feed70422b2b8c1cc1c8aeb37751cd85f253766b16d5dcd638907e9947ae16ef85d3e9ed6cd41e434c6214810a4e5670684d8870d

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\RCX3BE5.tmp

Filesize
16KB

MD5
e6f438d111bf7a34a1a4d6fadbbf3b18

SHA1
e229f19e2a11b6dac111f118794f236e319b69dc

SHA256
07dd9e527307701c313d267fbe83d43a30899c91401951140f58b4d736d63f48

SHA512
54e161a041d00f0eabfbdcfa1e5254a16081186e9e87684e094dc303f7a5cc1bd11a97636a9fe0573c3a27d714bc1dd10110667711254cca60d52b1e615f3701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\RCX3C75.tmp

Filesize
367KB

MD5
7cf4cb0b4265b22096287e98414b449c

SHA1
23707d9f3dc80b9b75d6a36768ba3b32d1672466

SHA256
20948aaa8787075fbadfc7cb7e59f125f2c78199b490fc46a115278731ef5a31

SHA512
d307d92c79d77e6839c92d563e020c43da5fdafe7b755ec50c7941dee2f2c97252210b983b3495fef415fa70e4252bad9e74bbf373b6b6ba7ff27634ee6f77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqs7232.tmp

Filesize
377KB

MD5
cf6153a55aee80753afea53021a6e266

SHA1
4df435f5781db6c125e2ec084f629a71a67efe05

SHA256
992424b87abe32006b0d40ced3c4d9917affc29d62db28c69cc002e1df89e536

SHA512
0d733961e15d21da74c050924d30b7209d415044fab35c5e68ffd6a8052d1016497f0c3180a4f12e641c136cb272d2f952124cdfd62cdff71f7b6dc6ce3cf8b6

Download Submit