Analysis
max time kernel: 149s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 21:14
Static task: static1
Behavioral task: behavioral1
Sample: 452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe
Resource: win7-20241023-en
General
Target: 452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe
Size: 92KB
MD5: 4cd82bdf6641b6bd80b73399ed6f97bb
SHA1: 666c9a05429d054df4f2672be12ba9caa457ac21
SHA256: 452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191
SHA512: 793026271da0fcb0e03fbb3d930ed04714b5a512243216450f23e9394f7e7e8338b6064c0aeb6aa8c66a9dfd859d2c4beaa71ff4b3f9ae4064ee6e5940e07dc4
SSDEEP: 1536:DHB0UxMkzOt7HcvJGt5AdHIOWnToIf12ZqTUgafoMSo:DhAWJGSCTBf12Z1g+oMS
Malware Config
Signatures
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoC rows are listed for this signature in the report, so the specific browser files or registry paths that triggered it are not shown.
Drops file in System32 directory (64 IoCs)
Process (all rows): 452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe
description (all rows): File opened for modification
Note: every row in this table is an open-for-write of an existing 32-bit system executable under SysWOW64; "Drops file" is tria.ge's generic signature name, and "opened for modification" records that write access was obtained, not that the file content changed. This table and the two below each stop at exactly 64 rows, which reads as a display cap rather than the total number of files touched.
ioc:
  C:\WINDOWS\SysWOW64\RASAUTOU.EXE
  C:\WINDOWS\SysWOW64\UPNPCONT.EXE
  C:\WINDOWS\SysWOW64\DIALER.EXE
  C:\WINDOWS\SysWOW64\PASSWORDONWAKESETTINGFLYOUT.EXE
  C:\WINDOWS\SysWOW64\THUMBNAILEXTRACTIONHOST.EXE
  C:\WINDOWS\SysWOW64\WSCADMINUI.EXE
  C:\WINDOWS\SysWOW64\CMDKEY.EXE
  C:\WINDOWS\SysWOW64\COMPUTERDEFAULTS.EXE
  C:\WINDOWS\SysWOW64\PREVHOST.EXE
  C:\WINDOWS\SysWOW64\SETHC.EXE
  C:\WINDOWS\SysWOW64\SYSTEMPROPERTIESREMOTE.EXE
  C:\WINDOWS\SysWOW64\CMMON32.EXE
  C:\WINDOWS\SysWOW64\MMGASERVER.EXE
  C:\WINDOWS\SysWOW64\NETSTAT.EXE
  C:\WINDOWS\SysWOW64\ODBCCONF.EXE
  C:\WINDOWS\SysWOW64\RASDIAL.EXE
  C:\WINDOWS\SysWOW64\CLOUDNOTIFICATIONS.EXE
  C:\WINDOWS\SysWOW64\RMCLIENT.EXE
  C:\WINDOWS\SysWOW64\CHARMAP.EXE
  C:\WINDOWS\SysWOW64\DFRGUI.EXE
  C:\WINDOWS\SysWOW64\DXDIAG.EXE
  C:\WINDOWS\SysWOW64\MTSTOCOM.EXE
  C:\WINDOWS\SysWOW64\PICKERHOST.EXE
  C:\WINDOWS\SysWOW64\CMSTP.EXE
  C:\WINDOWS\SysWOW64\REGISTER-CIMPROVIDER.EXE
  C:\WINDOWS\SysWOW64\USERINIT.EXE
  C:\WINDOWS\SysWOW64\ICACLS.EXE
  C:\WINDOWS\SysWOW64\INSTALLSHIELD\_ISDEL.EXE
  C:\WINDOWS\SysWOW64\TPMINIT.EXE
  C:\WINDOWS\SysWOW64\WBEM\WMIPRVSE.EXE
  C:\WINDOWS\SysWOW64\WINDOWS.MEDIA.BACKGROUNDPLAYBACK.EXE
  C:\WINDOWS\SysWOW64\MOUNTVOL.EXE
  C:\WINDOWS\SysWOW64\SYSTRAY.EXE
  C:\WINDOWS\SysWOW64\CLICONFG.EXE
  C:\WINDOWS\SysWOW64\FC.EXE
  C:\WINDOWS\SysWOW64\IME\IMETC\IMTCLNWZ.EXE
  C:\WINDOWS\SysWOW64\NEWDEV.EXE
  C:\WINDOWS\SysWOW64\WINRTNETMUAHOSTSERVER.EXE
  C:\WINDOWS\SysWOW64\DOSKEY.EXE
  C:\WINDOWS\SysWOW64\DPNSVR.EXE
  C:\WINDOWS\SysWOW64\FTP.EXE
  C:\WINDOWS\SysWOW64\IME\IMEJP\IMJPUEXC.EXE
  C:\WINDOWS\SysWOW64\SHUTDOWN.EXE
  C:\WINDOWS\SysWOW64\AGENTACTIVATIONRUNTIMESTARTER.EXE
  C:\WINDOWS\SysWOW64\MCBUILDER.EXE
  C:\WINDOWS\SysWOW64\REGEDT32.EXE
  C:\WINDOWS\SysWOW64\XCOPY.EXE
  C:\WINDOWS\SysWOW64\AUTOCHK.EXE
  C:\WINDOWS\SysWOW64\RMACTIVATE_SSP_ISV.EXE
  C:\WINDOWS\SysWOW64\AUTOFMT.EXE
  C:\WINDOWS\SysWOW64\CREDENTIALUIBROKER.EXE
  C:\WINDOWS\SysWOW64\NETIOUGC.EXE
  C:\WINDOWS\SysWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
  C:\WINDOWS\SysWOW64\EXPLORER.EXE
  C:\WINDOWS\SysWOW64\ICSUNATTEND.EXE
  C:\WINDOWS\SysWOW64\IEUNATT.EXE
  C:\WINDOWS\SysWOW64\BITSADMIN.EXE
  C:\WINDOWS\SysWOW64\CERTUTIL.EXE
  C:\WINDOWS\SysWOW64\CHOICE.EXE
  C:\WINDOWS\SysWOW64\COMP.EXE
  C:\WINDOWS\SysWOW64\DISKPART.EXE
  C:\WINDOWS\SysWOW64\SVCHOST.EXE
  C:\WINDOWS\SysWOW64\TIMEOUT.EXE
  C:\WINDOWS\SysWOW64\SYSTEMINFO.EXE
Drops file in Program Files directory (64 IoCs)
Process (all rows): 452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe
description (all rows): File opened for modification
ioc:
  C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\TNAMESERV.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOXIDENTITYPROVIDER_12.50.6001.0_X64__8WEKYB3D8BBWE\XBOXIDP.EXE
  C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\INK\TABTIP32.EXE
  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH\JAVAWS.EXE
  C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\123.0.6312.123\NOTIFICATION_HELPER.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\RMIC.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.SKYPEAPP_14.53.77.0_X64__KZF8QXF38ZG5C\SKYPEAPP.EXE
  C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLEUPDATEBROKER.EXE
  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPSHARE.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOXSPEECHTOTEXTOVERLAY_1.17.29001.0_X64__8WEKYB3D8BBWE\SPEECHTOTEXTOVERLAY64-RETAIL.EXE
  C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEINSTAL.EXE
  C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\SETUP_WM.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\TNAMESERV.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PROTOCOLHANDLER.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-001F-0409-1000-0000000FF1CE}\MISC.EXE
  C:\PROGRAM FILES\MOZILLA FIREFOX\UPDATER.EXE
  C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\VSTO\10.0\VSTOINSTALLER.EXE
  C:\PROGRAM FILES (X86)\WINDOWS MAIL\WABMIG.EXE
  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\SHAPECOLLECTOR.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\JAVA.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.BINGWEATHER_4.25.20211.0_X64__8WEKYB3D8BBWE\MICROSOFT.MSN.WEATHER.EXE
  C:\PROGRAM FILES (X86)\COMMON FILES\ADOBE\ARM\1.0\ADOBEARMHELPER.EXE
  C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\123.0.6312.123\INSTALLER\CHRMSTP.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PDFREFLOW.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAW.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JRUNSCRIPT.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\ORBD.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.549981C3F5F10_1.1911.21713.0_X64__8WEKYB3D8BBWE\WIN32BRIDGE.SERVER.EXE
  C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\INSTALLER\SETUP.EXE
  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MAVINJECT32.EXE
  C:\PROGRAM FILES\INTERNET EXPLORER\IELOWUTIL.EXE
  C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\RMIREGISTRY.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\INTEGRATION\ADDONS\ONEDRIVESETUP.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOSYNC.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\SDXHELPERBGT.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.HEIFIMAGEEXTENSION_1.0.22742.0_X64__8WEKYB3D8BBWE\CODECPACKS.HEIF.EXE
  C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32INFO.EXE
  C:\PROGRAM FILES\DOTNET\DOTNET.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\SERVERTOOL.EXE
  C:\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE_BK\1.3.147.37\MICROSOFTEDGEUPDATECORE.EXE
  C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLECRASHHANDLER.EXE
  C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\MSEDGE.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\DW\DW20.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\COMMON.DBCONNECTION.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\OUTICON.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFT3DVIEWER_6.1908.2042.0_X64__8WEKYB3D8BBWE\3DVIEWER.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSCAMERA_2018.826.98.0_X64__8WEKYB3D8BBWE\WINDOWSCAMERA.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16005.11629.20316.0_X64__8WEKYB3D8BBWE\HXACCOUNTS.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\EXTCHECK.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JARSIGNER.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOX.TCUI_1.23.28002.0_X64__8WEKYB3D8BBWE\TCUI-APP.EXE
  C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.GETSTARTED_8.2.22942.0_X64__8WEKYB3D8BBWE\WHATSNEW.STORE.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\UNPACK200.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\VPREVIEW.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PPTICO.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\XLICONS.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.OFFICE.ONENOTE_16001.12026.20112.0_X64__8WEKYB3D8BBWE\ONENOTESHARE.EXE
  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.STOREPURCHASEAPP_11811.1001.18.0_X64__8WEKYB3D8BBWE\STOREEXPERIENCEHOST.EXE
  C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ARH.EXE
  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OFFICECLICKTORUN.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOEV.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAP.EXE
  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JSTAT.EXE
Drops file in Windows directory (64 IoCs)
Process (all rows): 452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe
description (all rows): File opened for modification
ioc:
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_STATE.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.PEOPLEEXPERIENCEHOST_CW5N1H2TXYEWY\PEOPLEEXPERIENCEHOST.EXE
  C:\WINDOWS\ASSEMBLY\GAC_MSIL\DFSVC\2.0.0.0__B03F5F7F11D50A3A\DFSVC.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.XBOXGAMECALLABLEUI_CW5N1H2TXYEWY\XBOX.TCUI.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_STATE.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_WP.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\LDR64.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\NGEN.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\NETFXSBS10.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\DATASVCUTIL.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\ADDINPROCESS.EXE
  C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\READER_SL.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_WP.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\COMSVCCONFIG.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\WFSERVICESREG.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\ASPNET_REGIIS.EXE
  C:\WINDOWS\SYSTEMAPPS\PARENTALCONTROLS_CW5N1H2TXYEWY\WPCUAPAPP.EXE
  C:\WINDOWS\ASSEMBLY\GAC_MSIL\WSATCONFIG\3.0.0.0__B03F5F7F11D50A3A\WSATCONFIG.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CSC.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.ASSIGNEDACCESSLOCKAPP_CW5N1H2TXYEWY\ASSIGNEDACCESSLOCKAPP.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DW20.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMSVCHOST.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ILASM.EXE
  C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBECOLLABSYNC.EXE
  C:\WINDOWS\SPLWOW64.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\REGSVCS.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\IEEXEC.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\EDMGEN.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\VBC.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MICROSOFT.WORKFLOW.COMPILER.EXE
  C:\WINDOWS\SYSTEMAPPS\SHELLEXPERIENCEHOST_CW5N1H2TXYEWY\SHELLEXPERIENCEHOST.EXE
  C:\WINDOWS\BITLOCKERDISCOVERYVOLUMECONTENTS\BITLOCKERTOGO.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\APPLAUNCH.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\WSATCONFIG.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.CALLINGSHELLAPP_CW5N1H2TXYEWY\CALLINGSHELLAPP.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\DFSVC.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFTWINDOWS.UNDOCKEDDEVKIT_CW5N1H2TXYEWY\UNDOCKEDDEVKIT.EXE
  C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EULA.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\DATASVCUTIL.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\NGENTASK.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.LOCKAPP_CW5N1H2TXYEWY\LOCKAPP.EXE
  C:\WINDOWS\BOOT\PCAT\MEMTEST.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\JSC.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMSVCHOST.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\ASPNET_REGBROWSERS.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\JSC.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.APPRESOLVERUX_CW5N1H2TXYEWY\APPRESOLVERUX.EXE
  C:\WINDOWS\ASSEMBLY\GAC_32\MSBUILD\3.5.0.0__B03F5F7F11D50A3A\MSBUILD.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORSVW.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\DATASVCUTIL.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGSVCS.EXE
  C:\WINDOWS\ASSEMBLY\GAC_64\MSBUILD\3.5.0.0__B03F5F7F11D50A3A\MSBUILD.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_COMPILER.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMCONFIGINSTALLER.EXE
  C:\WINDOWS\MICROSOFT.NET\ASSEMBLY\GAC_MSIL\SMSVCHOST\V4.0_4.0.0.0__B03F5F7F11D50A3A\SMSVCHOST.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_COMPILER.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.ADDSUGGESTEDFOLDERSTOLIBRARYDIALOG_CW5N1H2TXYEWY\ADDSUGGESTEDFOLDERSTOLIBRARYDIALOG.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.FILEPICKER_CW5N1H2TXYEWY\FILEPICKER.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\VBC.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\NGEN.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\EDMGEN.EXE
  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\ILASM.EXE
  C:\WINDOWS\SYSMON.EXE
  C:\WINDOWS\SYSTEMAPPS\MICROSOFT.ECAPP_8WEKYB3D8BBWE\MICROSOFT.ECAPP.EXE
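The three signature tables above share one flattened row format (description, ioc, process) that the page's line wrapping breaks at arbitrary points, sometimes inside a path or inside the description. The script below is an added example by the editor, not part of the tria.ge report or its tooling: it re-parses that format using the sample's process name as the row terminator (tria.ge names the process after the submitted file's SHA-256), summarises the targets by directory, and flags the binaries on a watch-list. REPORT_ROWS holds five rows copied from this page; the WATCHLIST and the reasons attached to it are the editor's own selection, and the regex accepts only the two description strings that occur on this page.

```python
import ntpath
import re
from collections import Counter

# The submitted sample; tria.ge names the process after the file's SHA-256.
SAMPLE = "452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe"

# Rows copied from this report, run together the way the flattened page
# shows them (table header token included, trailing '-' included).
REPORT_ROWS = (
    "description ioc Process "
    "File opened for modification C:\\WINDOWS\\SysWOW64\\SETHC.EXE " + SAMPLE + " "
    "File opened for modification C:\\WINDOWS\\SysWOW64\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE " + SAMPLE + " "
    "File opened for modification C:\\PROGRAM FILES (X86)\\COMMON FILES\\MICROSOFT SHARED\\INK\\TABTIP32.EXE " + SAMPLE + " "
    "File opened for modification C:\\WINDOWS\\SYSMON.EXE " + SAMPLE + " "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language " + SAMPLE + " -"
)

# Editor's watch-list (not part of the report): targets from the tables whose
# modification would matter most if it really happened.
WATCHLIST = {
    "SETHC.EXE": "accessibility binary reachable from the logon screen",
    "USERINIT.EXE": "runs at every interactive logon",
    "SVCHOST.EXE": "service host, trusted by most allow-lists",
    "EXPLORER.EXE": "shell, started for every user session",
    "SYSMON.EXE": "telemetry agent; tampering blinds detection",
    "POWERSHELL.EXE": "LOLBin",
    "CERTUTIL.EXE": "LOLBin",
    "BITSADMIN.EXE": "LOLBin",
    "CMSTP.EXE": "LOLBin",
    "ODBCCONF.EXE": "LOLBin",
    "MAVINJECT32.EXE": "LOLBin (process injection)",
    "MSBUILD.EXE": "LOLBin (inline task execution)",
}


def parse_ioc_rows(text, process=SAMPLE):
    """Split a flattened tria.ge IoC table into description/ioc/process records.

    Each row is '<description> <ioc> <process>'. The ioc may contain spaces,
    so the known process name terminates a row; whitespace is collapsed first
    because the page wraps rows at arbitrary points.
    """
    flat = " ".join(text.split())
    pattern = re.compile(
        r"(?P<description>File opened for modification|Key opened)\s+"
        r"(?P<ioc>.+?)\s+"
        r"(?P<process>" + re.escape(process) + r")(?=\s|$)"
    )
    return [m.groupdict() for m in pattern.finditer(flat)]


def file_targets(rows):
    """Unique file paths from the file-modification rows, in report order."""
    seen = []
    for row in rows:
        if row["description"] == "File opened for modification" and row["ioc"] not in seen:
            seen.append(row["ioc"])
    return seen


def count_by_directory(rows):
    """Number of touched executables per directory (Windows path semantics)."""
    return Counter(ntpath.dirname(p) for p in file_targets(rows))


def flag_watchlist(rows):
    """Targets whose file name is on WATCHLIST, mapped to the reason."""
    return {p: WATCHLIST[ntpath.basename(p).upper()]
            for p in file_targets(rows)
            if ntpath.basename(p).upper() in WATCHLIST}


def registry_keys(rows):
    """Registry keys from 'Key opened' rows."""
    return [r["ioc"] for r in rows if r["description"] == "Key opened"]


if __name__ == "__main__":
    rows = parse_ioc_rows(REPORT_ROWS)
    print(f"{len(rows)} rows parsed")
    for directory, n in count_by_directory(rows).most_common():
        print(f"{n:3d}  {directory}")
    for path, why in flag_watchlist(rows).items():
        print(f"WATCH  {path}  ({why})")
    for key in registry_keys(rows):
        print(f"REG    {key}")
```

Feed the script the full text of a table instead of REPORT_ROWS to get the complete directory breakdown; the output of file_targets is the list to hand to the host-side integrity check, and flag_watchlist is the short list to verify first.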
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe
Note: the sandbox observes this through API monitoring. A plain key open produces no Sysmon registry event (Sysmon records key creation and deletion, value writes and renames), so this behaviour is not something to hunt for in registry event logs on a production host.
Processes
C:\Users\Admin\AppData\Local\Temp\452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe (PID 456)
command line: "C:\Users\Admin\AppData\Local\Temp\452733dc7e7cc2f2807f0b10cb6194899dc56fe0ed56140bf1bf53244c23b191.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
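The process tree shows a single process and no child processes, so everything the report attributes to this sample happened inside PID 456, and the only artefacts it lists are the executables it opened for writing. "File opened for modification" records that write access was obtained; it does not show whether any listed file changed. The check an incident responder wants on a suspected host is a comparison of those paths against a known-good baseline. The script below is an added example by the editor, not tooling from tria.ge: it hashes every target path, classifies each as unchanged, changed (with size delta), missing or absent from the baseline, and demonstrates itself on a constructed temporary directory in which one fake "executable" gets 64 bytes appended. The file names, contents and the appended bytes are constructed for the demo; on a real host the baseline must come from a clean reference image of the same OS build, or the paths must be verified independently (for signed Microsoft binaries, PowerShell's Get-AuthenticodeSignature gives a baseline-free check).

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Snapshot SHA-256 and size of every path that exists (the known-good state)."""
    return {p: {"sha256": sha256_of(p), "size": os.path.getsize(p)}
            for p in paths if os.path.isfile(p)}


def verify_targets(paths, baseline):
    """Classify each target path as unchanged / changed / missing / unbaselined.

    'changed' entries carry the size delta: a positive delta is what an
    appending modification leaves behind, while a hash mismatch with a zero
    delta points at an in-place patch of the original bytes.
    """
    result = {"unchanged": [], "changed": [], "missing": [], "unbaselined": []}
    for p in paths:
        if not os.path.isfile(p):
            result["missing"].append(p)
            continue
        if p not in baseline:
            result["unbaselined"].append(p)
            continue
        digest, size = sha256_of(p), os.path.getsize(p)
        if digest == baseline[p]["sha256"]:
            result["unchanged"].append(p)
        else:
            result["changed"].append((p, size - baseline[p]["size"]))
    return result


def demo():
    """Constructed scenario: two fake executables, one modified after baselining."""
    with tempfile.TemporaryDirectory() as root:
        sethc = os.path.join(root, "SETHC.EXE")
        certutil = os.path.join(root, "CERTUTIL.EXE")
        never = os.path.join(root, "NEVER_EXISTED.EXE")
        for p in (sethc, certutil):
            with open(p, "wb") as f:
                f.write(b"MZ" + b"\x00" * 1022)   # placeholder content, not a real PE
        baseline = build_baseline([sethc, certutil])
        with open(sethc, "ab") as f:              # simulate an appending modification
            f.write(b"X" * 64)
        return verify_targets([sethc, certutil, never], baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real target list by replacing the demo paths with the output of a parsed IoC table and loading the baseline from a manifest produced on a clean machine; any "changed" entry on a system executable is the point at which the sandbox verdict turns into an incident.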