Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:34
Static task: static1
Behavioral task: behavioral1
Sample: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
Resource: win7-20241023-en
General
Target: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
Size: 52KB
MD5: 36e36eac62063270f816f3da89c0c660
SHA1: 466a57b24505b4d0558be41e6865e1156f00ee5b
SHA256: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57bea
SHA512: f3fb301d96d4b32236576c40ccd2afd58156e0d035732b823050fd9ac163f1628d820cf896e29c7028434d8e6b0f37a5fe6a2b5626c01e4082c286980aad499f
SSDEEP: 768:FlQ4hrvaEGU4aikqykezg2XpfYKjYioRoYWjl5:fLhE1Dezg2ZfYHoPB5
Malware Config
Signatures
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process (every row): 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
description ioc
File opened (read-only) \??\O:
File opened (read-only) \??\V:
File opened (read-only) \??\W:
File opened (read-only) \??\Y:
File opened (read-only) \??\H:
File opened (read-only) \??\K:
File opened (read-only) \??\L:
File opened (read-only) \??\N:
File opened (read-only) \??\X:
File opened (read-only) \??\Z:
File opened (read-only) \??\I:
File opened (read-only) \??\M:
File opened (read-only) \??\R:
File opened (read-only) \??\U:
File opened (read-only) \??\E:
File opened (read-only) \??\G:
File opened (read-only) \??\T:
File opened (read-only) \??\J:
File opened (read-only) \??\P:
File opened (read-only) \??\Q:
File opened (read-only) \??\S:
Drops file in System32 directory (64 IoCs)
Process (every row): 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
description ioc
File opened for modification C:\WINDOWS\SysWOW64\IEXPRESS.EXE
File opened for modification C:\WINDOWS\SysWOW64\REGISTERIEPKEYS.EXE
File opened for modification C:\WINDOWS\SysWOW64\RMACTIVATE_ISV.EXE
File opened for modification C:\WINDOWS\SysWOW64\WSMPROVHOST.EXE
File opened for modification C:\WINDOWS\SYSWOW64\ICSUNATTEND.EXE
File opened for modification C:\WINDOWS\SYSWOW64\REGEDIT.EXE
File opened for modification C:\WINDOWS\SYSWOW64\REGSVR32.EXE
File opened for modification C:\WINDOWS\SysWOW64\CTTUNESVR.EXE
File opened for modification C:\WINDOWS\SYSWOW64\SNDVOL.EXE
File opened for modification C:\WINDOWS\SYSWOW64\SCHTASKS.EXE
File opened for modification C:\WINDOWS\SysWOW64\FORFILES.EXE
File opened for modification C:\WINDOWS\SYSWOW64\NSLOOKUP.EXE
File opened for modification C:\WINDOWS\SYSWOW64\REKEYWIZ.EXE
File opened for modification C:\WINDOWS\SysWOW64\DLLHST3G.EXE
File opened for modification C:\WINDOWS\SYSWOW64\IME\IMEJP10\IMJPDADM.EXE
File opened for modification C:\WINDOWS\SYSWOW64\ISOBURN.EXE
File opened for modification C:\WINDOWS\SYSTEM32\DRIVERSTORE\FILEREPOSITORY\BRMFCMF.INF_AMD64_NEUTRAL_67B5984F8E8FF717\BRMFRSMG.EXE
File opened for modification C:\WINDOWS\SysWOW64\MIGWIZ\POSTMIG.EXE
File opened for modification C:\WINDOWS\SysWOW64\PERFMON.EXE
File opened for modification C:\WINDOWS\SYSWOW64\IME\IMETC10\IMTCPROP.EXE
File opened for modification C:\WINDOWS\SYSWOW64\ODBCAD32.EXE
File opened for modification C:\WINDOWS\SysWOW64\DISKPERF.EXE
File opened for modification C:\WINDOWS\SysWOW64\EVENTCREATE.EXE
File opened for modification C:\WINDOWS\SysWOW64\VERCLSID.EXE
File opened for modification C:\WINDOWS\SYSWOW64\SYSTEMINFO.EXE
File opened for modification C:\WINDOWS\SYSWOW64\TSWPFWRP.EXE
File opened for modification C:\WINDOWS\SysWOW64\CHKDSK.EXE
File opened for modification C:\WINDOWS\SYSWOW64\GRPCONV.EXE
File opened for modification C:\WINDOWS\SYSWOW64\HH.EXE
File opened for modification C:\WINDOWS\SYSWOW64\IME\IMEJP10\IMJPMGR.EXE
File opened for modification C:\WINDOWS\SysWOW64\MSTSC.EXE
File opened for modification C:\WINDOWS\SYSWOW64\AT.EXE
File opened for modification C:\WINDOWS\SYSWOW64\DPLAYSVR.EXE
File opened for modification C:\WINDOWS\SYSWOW64\NDADMIN.EXE
File opened for modification C:\WINDOWS\SYSWOW64\POWERCFG.EXE
File opened for modification C:\WINDOWS\SYSWOW64\SVCHOST.EXE
File opened for modification C:\WINDOWS\SysWOW64\TSTHEME.EXE
File opened for modification C:\WINDOWS\SysWOW64\TASKENG.EXE
File opened for modification C:\WINDOWS\SysWOW64\WBEM\WMIADAP.EXE
File opened for modification C:\WINDOWS\SYSWOW64\WINRSHOST.EXE
File opened for modification C:\WINDOWS\SysWOW64\SYSTEMPROPERTIESADVANCED.EXE
File opened for modification C:\WINDOWS\SysWOW64\NETSTAT.EXE
File opened for modification C:\WINDOWS\SysWOW64\PCAUI.EXE
File opened for modification C:\WINDOWS\SysWOW64\RASPHONE.EXE
File opened for modification C:\WINDOWS\SysWOW64\WHERE.EXE
File opened for modification C:\WINDOWS\SYSWOW64\MSINFO32.EXE
File opened for modification C:\WINDOWS\SYSWOW64\MUIUNATTEND.EXE
File opened for modification C:\WINDOWS\SYSWOW64\SDCHANGE.EXE
File opened for modification C:\WINDOWS\SysWOW64\CIPHER.EXE
File opened for modification C:\WINDOWS\SYSWOW64\WUAPP.EXE
File opened for modification C:\WINDOWS\SYSWOW64\WIMSERV.EXE
File opened for modification C:\WINDOWS\SysWOW64\HOSTNAME.EXE
File opened for modification C:\WINDOWS\SysWOW64\PRESENTATIONHOST.EXE
File opened for modification C:\WINDOWS\SYSWOW64\MIGAUTOPLAY.EXE
File opened for modification C:\WINDOWS\SYSWOW64\TAPIUNATTEND.EXE
File opened for modification C:\WINDOWS\SYSWOW64\WHERE.EXE
File opened for modification C:\WINDOWS\SysWOW64\DPLAYSVR.EXE
File opened for modification C:\WINDOWS\SYSWOW64\COM\MIGREGDB.EXE
File opened for modification C:\WINDOWS\SysWOW64\SORT.EXE
File opened for modification C:\WINDOWS\SysWOW64\FINGER.EXE
File opened for modification C:\WINDOWS\SysWOW64\MSIEXEC.EXE
File opened for modification C:\WINDOWS\SYSWOW64\CERTREQ.EXE
File opened for modification C:\WINDOWS\SYSWOW64\DRIVERQUERY.EXE
File opened for modification C:\WINDOWS\SYSWOW64\FSUTIL.EXE
Drops file in Program Files directory (64 IoCs)
Process (every row): 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
description ioc
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVAFXPACKAGER.EXE
File opened for modification C:\PROGRAM FILES\MICROSOFT GAMES\SOLITAIRE\SOLITAIRE.EXE
File opened for modification C:\PROGRAM FILES\WINDOWS MAIL\WINMAIL.EXE
File opened for modification C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE14\OFFICE SETUP CONTROLLER\ODEPLOY.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\JAVAW.EXE
File opened for modification C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\DW\DWTRIG20.EXE
File opened for modification C:\PROGRAM FILES (X86)\WINDOWS SIDEBAR\SIDEBAR.EXE
File opened for modification C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\ACRORD32.EXE
File opened for modification C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\EULA.EXE
File opened for modification C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\RESOURCE\ICONS\SC_READER.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\APPLETVIEWER.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JRE7\BIN\SERVERTOOL.EXE
File opened for modification C:\PROGRAM FILES\MICROSOFT GAMES\PURBLE PLACE\PURBLEPLACE.EXE
File opened for modification C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
File opened for modification C:\PROGRAM FILES\MOZILLA FIREFOX\UPDATER.EXE
File opened for modification C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\READER\ACROBROKER.EXE
File opened for modification C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.151\GOOGLECRASHHANDLER64.EXE
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\INKWATSON.EXE
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JMC.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JRE7\BIN\SSVAGENT.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JDB.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\RMIREGISTRY.EXE
File opened for modification C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.151\GOOGLEUPDATESETUP.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JRE7\BIN\PACK200.EXE
File opened for modification C:\PROGRAM FILES\WINDOWS NT\ACCESSORIES\WORDPAD.EXE
File opened for modification C:\PROGRAM FILES (X86)\COMMON FILES\ADOBE AIR\VERSIONS\1.0\AIRAPPINSTALLER.EXE
File opened for modification C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\MSTORDB.EXE
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICESOFTWAREPROTECTIONPLATFORM\OSPPSVC.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JCONSOLE.EXE
File opened for modification C:\PROGRAM FILES\MICROSOFT GAMES\MULTIPLAYER\BACKGAMMON\BCKGZM.EXE
File opened for modification C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WORDICON.EXE
File opened for modification C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPSIDESHOWGADGET.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JRUNSCRIPT.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\SERIALVER.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JRE7\BIN\KINIT.EXE
File opened for modification C:\PROGRAM FILES\MICROSOFT GAMES\CHESS\CHESS.EXE
File opened for modification C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\106.0.5249.119\ELEVATION_SERVICE.EXE
File opened for modification C:\PROGRAM FILES\MOZILLA FIREFOX\MINIDUMP-ANALYZER.EXE
File opened for modification C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\INK\PIPANEL.EXE
File opened for modification C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\SETUP FILES\{AC76BA86-7AD7-1033-7B44-A90000000001}\SETUP.EXE
File opened for modification C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE
File opened for modification C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMLAUNCH.EXE
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VSTO\10.0\VSTOINSTALLER.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVAP.EXE
File opened for modification C:\PROGRAM FILES\MICROSOFT GAMES\MULTIPLAYER\SPADES\SHVLZM.EXE
File opened for modification C:\PROGRAM FILES\WINDOWS MAIL\WABMIG.EXE
File opened for modification C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\PPTICO.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JPS.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JRE7\BIN\RMID.EXE
File opened for modification C:\PROGRAM FILES\VIDEOLAN\VLC\UNINSTALL.EXE
File opened for modification C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\OIS.EXE
File opened for modification C:\PROGRAM FILES\MICROSOFT GAMES\MINESWEEPER\MINESWEEPER.EXE
File opened for modification C:\PROGRAM FILES\MOZILLA FIREFOX\PRIVATE_BROWSING.EXE
File opened for modification C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPCONFIG.EXE
File opened for modification C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\INSTALL\{06715A9D-70D2-4C5C-9F8A-D2392905D83D}\CHROME_INSTALLER.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JAVAC.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\PACK200.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JDK1.7.0_80\LIB\VISUALVM\PLATFORM\LIB\NBEXEC64.EXE
File opened for modification C:\PROGRAM FILES\JAVA\JRE7\BIN\KTAB.EXE
File opened for modification C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\GROOVEMN.EXE
File opened for modification C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\ONENOTEM.EXE
File opened for modification C:\PROGRAM FILES (X86)\WINDOWS MAIL\WABMIG.EXE
File opened for modification C:\PROGRAM FILES (X86)\WINDOWS NT\ACCESSORIES\WORDPAD.EXE
Drops file in Windows directory (64 IoCs)
Process (every row): 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
description ioc
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CONTROL_31BF3856AD364E35_6.1.7600.16385_NONE_F560EAE4C42EDB14\CONTROL.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-GROUPPOLICY-SCRIPT_31BF3856AD364E35_6.1.7600.16385_NONE_C10C2A29895D4994\GPSCRIPT.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-GC-REGISTERIEPKEYS_31BF3856AD364E35_8.0.7601.17514_NONE_A0C922C3B170DD5D\REGISTERIEPKEYS.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..BOXGAMES-BACKGAMMON_31BF3856AD364E35_6.1.7600.16385_NONE_668D031845881638\BCKGZM.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SNMP-EVNTCMD_31BF3856AD364E35_6.1.7600.16385_NONE_14F9B9481DB6293B\EVNTCMD.EXE
File opened for modification C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\INSTALLUTIL.EXE
File opened for modification C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\ASPNET_STATE.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-B..VIRONMENT-OS-LOADER_31BF3856AD364E35_6.1.7601.17514_NONE_B94CBFA183466A89\WINRESUME.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-EUDCEDIT_31BF3856AD364E35_6.1.7601.17514_NONE_B7BE8A14D61DB17A\EUDCEDIT.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-R..-COMMANDLINE-EDITOR_31BF3856AD364E35_6.1.7600.16385_NONE_8D8925A444607F8C\REG.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..NBOXGAMES-SOLITAIRE_31BF3856AD364E35_6.1.7600.16385_NONE_D1124C00155DFD14\SOLITAIRE.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-VSSSERVICE_31BF3856AD364E35_6.1.7601.17514_NONE_B8F2D3E62E76FE08\VSSVC.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-I..EOPTIONALCOMPONENTS_31BF3856AD364E35_8.0.7601.17514_NONE_1E7B93842C84C912\CONFIGUREIEOPTIONALCOMPONENTS.EXE
File opened for modification C:\WINDOWS\INSTALLER\{90140000-0011-0000-0000-0000000FF1CE}\GRVICONS.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-OS-KERNEL_31BF3856AD364E35_6.1.7601.21863_NONE_6E8A5C3D2BAC37E9\NTOSKRNL.EXE
File opened for modification C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_64\MICROSOFT.W71DAF281#\5ADA68CFA2258A2D4E3C3779106FAF9B\MICROSOFT.WORKFLOW.COMPILER.NI.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LPKSETUP_31BF3856AD364E35_6.1.7601.17514_NONE_7F7F66788318015D\LPREMOVE.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-REGISTRY-EDITOR_31BF3856AD364E35_6.1.7600.16385_NONE_5023A70BF589AD3E\REGEDT32.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..ES-COMMANDLINETOOLS_31BF3856AD364E35_6.1.7601.17514_NONE_42D65ED50FA3C682\QPROCESS.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-CLIP_31BF3856AD364E35_6.1.7600.16385_NONE_A7B238407D550501\CLIP.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-MUICACHEBUILDER_31BF3856AD364E35_6.1.7601.17514_NONE_1C140627131A6DF3\MCBUILDER.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-RUNAS_31BF3856AD364E35_6.1.7600.16385_NONE_5FBE9F67BEC0F818\RUNAS.EXE
File opened for modification C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SMSVCHOST\1BC1EE3C3AA45D28DCF4657BCEB2FCB4\SMSVCHOST.NI.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-RECDISC-MAIN_31BF3856AD364E35_6.1.7601.17514_NONE_E2A1FFE0CA40CFF2\RECDISC.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SECURITY-TOOLS-KLIST_31BF3856AD364E35_6.1.7600.16385_NONE_9D299157E03CE00F\KLIST.EXE
File opened for modification C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-IE-HTMLAPPLICATION_31BF3856AD364E35_11.2.9600.16428_NONE_4605ACA152CC8281\MSHTA.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-D..ANDLINEPROPERTYTOOL_31BF3856AD364E35_6.1.7601.17514_NONE_0D44B8D3DF1C79A9\IMJPUEXC.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-LABEL_31BF3856AD364E35_6.1.7600.16385_NONE_570561EB2B9C151D\LABEL.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-SYSTRAY_31BF3856AD364E35_6.1.7600.16385_NONE_F327D2F6575DA8CE\SYSTRAY.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-TPM-ADMINSNAPIN_31BF3856AD364E35_6.1.7600.16385_NONE_77536D124094B997\TPMINIT.EXE
File opened for modification C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCORSVW.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-IEETWCOLLECTOR_31BF3856AD364E35_11.2.9600.16428_NONE_A56DA9E617D4F97E\IEETWCOLLECTOR.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SECURITY-SYSKEY_31BF3856AD364E35_6.1.7600.16385_NONE_74578A893F33207C\SYSKEY.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TPM-ADMINSNAPIN_31BF3856AD364E35_6.1.7600.16385_NONE_D3720895F8F22ACD\TPMINIT.EXE
File opened for modification C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-I..TIONAL-CHINESE-CORE_31BF3856AD364E35_6.1.7601.17514_NONE_C1FEAD4E4BF85947\IMTCPROP.EXE
File opened for modification C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-PERFORMANCETOOLSGUI_31BF3856AD364E35_6.1.7601.17514_NONE_04846DECEBF43C4C\RESMON.EXE
File opened for modification C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-WOW64_31BF3856AD364E35_6.1.7601.22091_NONE_D0D0722C3BB0DC09\USER.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-S..ROPERTIESPROTECTION_31BF3856AD364E35_6.1.7600.16385_NONE_6388ACF17DD74912\SYSTEMPROPERTIESPROTECTION.EXE
File opened for modification C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\IEEXEC.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-WINRSPLUGINS_31BF3856AD364E35_6.1.7600.16385_NONE_160CCC8A92FAE520\WINRS.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-WAB-APP_31BF3856AD364E35_6.1.7601.17514_NONE_44B0C76C35D4B76D\WABMIG.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-SETUP-SUPPORT_31BF3856AD364E35_8.0.7601.17514_NONE_3EB101CAEC1ACC2C\IE4UINIT.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TCPIP-UTILITY_31BF3856AD364E35_6.1.7601.17514_NONE_90ECF919657DACF4\NETSTAT.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-AUTOCHKCONFIGURATOR_31BF3856AD364E35_6.1.7600.16385_NONE_1898D1BBE9180B39\CHKNTFS.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-BITS-BITSADMIN_31BF3856AD364E35_6.1.7601.17514_NONE_4F18FAED6AAE2509\BITSADMIN.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-DIRECTX-DIRECTPLAY4_31BF3856AD364E35_6.1.7600.16385_NONE_76E6C1802136B090\DPLAYSVR.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-DISKPART_31BF3856AD364E35_6.1.7601.17514_NONE_6ADFCF45F42EFFCF\DISKPART.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_NETFX-MSCORSVW_EXE_B03F5F7F11D50A3A_6.1.7600.16385_NONE_F47D7472A4C4E67E\MSCORSVW.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-FAX-SERVICE_31BF3856AD364E35_6.1.7601.17514_NONE_0B499F2C96E8F6B2\FXSUNATD.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-RUNAS_31BF3856AD364E35_6.1.7600.16385_NONE_BBDD3AEB771E694E\RUNAS.EXE
File opened for modification C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-WMI-CORE-PROVIDERHOST_31BF3856AD364E35_6.1.7601.17514_NONE_78DD6E4CD6655603\WMIPRVSE.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CIPHER_31BF3856AD364E35_6.1.7600.16385_NONE_090B7101BEC9A9E2\CIPHER.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CHARMAP_31BF3856AD364E35_6.1.7600.16385_NONE_4E4EAF05BE0C2D8F\CHARMAP.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-M..OMMANDLINEUTILITIES_31BF3856AD364E35_6.1.7600.16385_NONE_D911DF4E81059B22\SUBST.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TAKEOWN_31BF3856AD364E35_6.1.7601.17514_NONE_58116B392C3DA43C\TAKEOWN.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WHOAMI_31BF3856AD364E35_6.1.7600.16385_NONE_2A716FFD9B872F68\WHOAMI.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-D..IME-EASHARED-IMEPAD_31BF3856AD364E35_6.1.7601.17514_NONE_3C93AC15FD731ACF\IMEPADSV.EXE
File opened for modification C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-ISCSI_INITIATOR_UI_31BF3856AD364E35_6.1.7600.16385_NONE_D7C180D4BD657495\ISCSICPL.EXE
File opened for modification C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\INSTALLUTIL.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CALC_31BF3856AD364E35_6.1.7600.16385_NONE_05B2F2E2346CFEA4\CALC.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CONVERT_31BF3856AD364E35_6.1.7601.17514_NONE_FAFB502ABEF1BE40\AUTOCONV.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-RASCONNECTIONMANAGER_31BF3856AD364E35_6.1.7601.17514_NONE_BD4644E077251730\CMDL32.EXE
File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TELNET-SERVER-TLNTSESS_31BF3856AD364E35_6.1.7600.16385_NONE_05EBF19CA2304436\TLNTSESS.EXE
File opened for modification C:\WINDOWS\WINSXS\MSIL_SMSVCHOST_B03F5F7F11D50A3A_6.1.7601.17514_NONE_E6B622BD1115139E\SMSVCHOST.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2136 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2136 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
2136 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe "C:\Users\Admin\AppData\Local\Temp\305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2136
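The signature tables above all use one row shape, `<label> <ioc> <process>`, and extraction has run many rows together on single lines. The Python script below is an added example, not part of the sandbox report or of the sample, that parses rows in that shape and scores the three behaviours the report attributes to PID 2136: probing drive letters, opening system executables with write access, and reading the NLS\Language key. The sample rows, the `sample.exe` process name and the alert thresholds are constructed for illustration; the three executable paths in the sample are quoted from the report's own rows, and the parser assumes IoC paths contain no spaces, which holds for every row in this report.

```python
"""Triage helper for flattened sandbox IoC rows (added example, not report code)."""
import re
from collections import defaultdict

# Row labels used by the report's signature tables; the IoC and process
# name are taken as single whitespace-free tokens (true for this report).
ROW_RE = re.compile(
    r"(?P<label>File opened \(read-only\)|File opened for modification|Key opened)\s+"
    r"(?P<ioc>\S+)\s+(?P<process>\S+)"
)
# Drive-letter probes appear as NT object paths such as \??\E:
DRIVE_RE = re.compile(r"\\\?\?\\([A-Z]):")

# Constructed sample in the report's row format. The executable paths are
# quoted from the report; "sample.exe" stands in for the real process name.
SAMPLE = (
    "File opened (read-only) \\??\\E: sample.exe "
    "File opened (read-only) \\??\\G: sample.exe "
    "File opened (read-only) \\??\\O: sample.exe "
    "File opened for modification C:\\WINDOWS\\WINSXS\\AMD64_MICROSOFT-WINDOWS-WHOAMI_"
    "31BF3856AD364E35_6.1.7600.16385_NONE_2A716FFD9B872F68\\WHOAMI.EXE sample.exe "
    "File opened for modification C:\\WINDOWS\\MICROSOFT.NET\\FRAMEWORK\\V4.0.30319\\INSTALLUTIL.EXE sample.exe "
    "File opened for modification C:\\WINDOWS\\WINSXS\\AMD64_MICROSOFT-WINDOWS-CALC_"
    "31BF3856AD364E35_6.1.7600.16385_NONE_05B2F2E2346CFEA4\\CALC.EXE sample.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language sample.exe"
)


def parse_rows(text):
    """Split run-together report text into {label, ioc, process} dicts."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def top_dir(path, depth=3):
    """'C:\\WINDOWS\\WINSXS\\X\\Y.EXE' -> 'C:\\WINDOWS\\WINSXS' (first `depth` components)."""
    return "\\".join(path.split("\\")[:depth])


def summarize(rows):
    """Bucket rows into the three behaviours the report's signatures describe."""
    drives, exe_mods, reg_keys = set(), defaultdict(set), []
    for r in rows:
        label, ioc = r["label"], r["ioc"]
        if label == "File opened (read-only)" and (m := DRIVE_RE.fullmatch(ioc)):
            drives.add(m.group(1))
        elif label == "File opened for modification" and ioc.upper().endswith(".EXE"):
            exe_mods[top_dir(ioc)].add(ioc)
        elif label == "Key opened":
            reg_keys.append(ioc)
    return {"drives": drives, "exe_mods": dict(exe_mods), "reg_keys": reg_keys}


def assess(summary, exe_threshold=10, drive_threshold=3):
    """Return findings as strings. Thresholds are editorial choices, not report values."""
    findings = []
    n_exe = sum(len(paths) for paths in summary["exe_mods"].values())
    if n_exe >= exe_threshold:
        dirs = ", ".join(sorted(summary["exe_mods"]))
        findings.append(f"opened {n_exe} system executables with write access under {dirs}")
    if len(summary["drives"]) >= drive_threshold:
        findings.append("probed drive letters " + "".join(sorted(summary["drives"])))
    if any(k.upper().endswith("\\NLS\\LANGUAGE") for k in summary["reg_keys"]):
        findings.append("read HKLM\\SYSTEM\\...\\Control\\NLS\\Language (system language discovery)")
    return findings


def triage(text, **thresholds):
    """Parse, summarize and assess in one call; thresholds pass through to assess()."""
    return assess(summarize(parse_rows(text)), **thresholds)


if __name__ == "__main__":
    # The constructed sample has only three executables, so lower the bar to see all findings.
    for finding in triage(SAMPLE, exe_threshold=3):
        print("-", finding)
```

Two caveats worth keeping in mind when reading the output. `File opened for modification` records a handle opened with write access, not a confirmed write, so before trusting a host on which this sample ran, compare the listed binaries against a clean image or check that they still carry a valid Microsoft signature (`Get-AuthenticodeSignature` in PowerShell); every path in the report is a signed component-store or .NET Framework file. And the thresholds are editorial: the report lists far more than ten executables, so the real run trips the first finding at the default.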
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (T1555): 1
  - Credentials from Web Browsers (T1555.003): 1
- Unsecured Credentials (T1552): 1
  - Credentials In Files (T1552.001): 1