Analysis

  max time kernel:  97s
  max time network: 97s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  submitted:        26-10-2024 04:34
Static task:     static1
Behavioral task: behavioral1
  Sample:   305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
  Resource: win7-20241023-en
General

  Target: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
  Size:   52KB
  MD5:    36e36eac62063270f816f3da89c0c660
  SHA1:   466a57b24505b4d0558be41e6865e1156f00ee5b
  SHA256: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57bea
  SHA512: f3fb301d96d4b32236576c40ccd2afd58156e0d035732b823050fd9ac163f1628d820cf896e29c7028434d8e6b0f37a5fe6a2b5626c01e4082c286980aad499f
  SSDEEP: 768:FlQ4hrvaEGU4aikqykezg2XpfYKjYioRoYWjl5:fLhE1Dezg2ZfYHoPB5
Malware Config

Signatures

Reads user/profile data of web browsers  (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Enumerates connected drives  (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process for every row: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe

  description              ioc
  File opened (read-only)  \??\K:
  File opened (read-only)  \??\T:
  File opened (read-only)  \??\Z:
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\M:
  File opened (read-only)  \??\W:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\N:
  File opened (read-only)  \??\O:
  File opened (read-only)  \??\P:
  File opened (read-only)  \??\R:
  File opened (read-only)  \??\U:
  File opened (read-only)  \??\V:
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\L:
  File opened (read-only)  \??\Q:
  File opened (read-only)  \??\S:
  File opened (read-only)  \??\X:
  File opened (read-only)  \??\Y:
Drops file in System32 directory  (64 IoCs)
  Process for every row: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
  Analyst note: every entry below is an existing Windows executable under SysWOW64 opened for modification (a write-access handle), not a newly created file. Combined with the drive enumeration above, this is the pattern of a file-infecting virus rather than of a dropper. The sandbox records the handle request, not the write itself; confirm actual infection by hashing the listed files after the run and comparing against a clean image.

  description                   ioc
  File opened for modification  C:\WINDOWS\SysWOW64\WERMGR.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\FSUTIL.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\LOGMAN.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\RESMON.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\SDCHANGE.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\BITSADMIN.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\REGISTER-CIMPROVIDER.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\WOWREG32.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\TOKENBROKERCOOKIES.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\MSDT.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\PRINTUI.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\XCOPY.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\BTHUDTASK.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\COMPUTERDEFAULTS.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\DCCW.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\DEVICEPAIRINGWIZARD.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\WERFAULTSECURE.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\CMSTP.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\FIXMAPI.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\IME\SHARED\IMESEARCH.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\SETX.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\TTTRACER.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\CERTUTIL.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\DDODIAG.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\DOSKEY.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\IME\SHARED\IMCCPHR.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\IME\IMEJP\IMJPUEX.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\OPENFILES.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\SYSTEMUWPLAUNCHER.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\WECUTIL.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\INPUTSWITCHTOASTHANDLER.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\OPOSHOST.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\SORT.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\WERFAULT.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\BOOTCFG.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\CREDENTIALUIBROKER.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\EXPAND.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\HH.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\SYNCHOST.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\DWWIN.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\IME\IMETC\IMTCLNWZ.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\INSTALLSHIELD\SETUP.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\NETSH.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\ISOBURN.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\NDADMIN.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\NET1.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\NETBTUGC.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\ATTRIB.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\AUDITPOL.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\AUTOCHK.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\CHARMAP.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\RPCPING.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\WAITFOR.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\HDWWIZ.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\ROBOCOPY.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\WINRSHOST.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\RMCLIENT.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\MMC.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\MSINFO32.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\NETCFGNOTIFYOBJECTHOST.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\RMACTIVATE.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\WBEM\WINMGMT.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\CSCRIPT.EXE
  File opened for modification  C:\WINDOWS\SysWOW64\CTFMON.EXE
Drops file in Program Files directory  (64 IoCs)
  Process for every row: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe

  description                   ioc
  File opened for modification  C:\PROGRAM FILES\MOZILLA FIREFOX\MAINTENANCESERVICE_INSTALLER.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WEBMEDIAEXTENSIONS_1.0.20875.0_X64__8WEKYB3D8BBWE\MICROSOFT.WEBMEDIAEXTENSIONS.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOXAPP_48.49.31001.0_X64__8WEKYB3D8BBWE\XBOXAPP.EXE
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOASB.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ORGCHART.EXE
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVSHNOTIFY.EXE
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VSTO\10.0\VSTOINSTALLER.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX64\MICROSOFT ANALYSIS SERVICES\AS OLEDB\140\SQLDUMPER.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOXSPEECHTOTEXTOVERLAY_1.17.29001.0_X64__8WEKYB3D8BBWE\SPEECHTOTEXTOVERLAY64-RETAIL.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\KEYTOOL.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PPTICO.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\SELFCERT.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_85250\JAVA.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEINSTAL.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\WINDOWS MAIL\WAB.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAWS.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\POLICYTOOL.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\MSOHTMED.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWS MAIL\WABMIG.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\JAVAW.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MISC.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOIA.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\SKYPESRV\SKYPESERVER.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOXGAMINGOVERLAY_2.34.28001.0_X64__8WEKYB3D8BBWE\GAMEBAR.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACROTEXTEXTRACTOR.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLECRASHHANDLER.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\IDLJ.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JHAT.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\CLIENT\APPVLP.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-001F-0C0A-1000-0000000FF1CE}\MISC.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.DESKTOPAPPINSTALLER_1.0.30251.0_X64__8WEKYB3D8BBWE\APPINSTALLERPYTHONREDIRECTOR.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WALLET_2.4.18324.0_X64__8WEKYB3D8BBWE\MICROSOFT.WALLET.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\PLUG_INS\PI_BROKERS\64BITMAPIBROKER.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\INK\TABTIP32.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\KINIT.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\NAMECONTROLSERVER.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\OFFICEAPPGUARDWIN32.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\PWAHELPER.EXE
  File opened for modification  C:\PROGRAM FILES\VIDEOLAN\VLC\VLC-CACHE-GEN.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFTSTICKYNOTES_3.6.73.0_X64__8WEKYB3D8BBWE\MICROSOFT.NOTES.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JARSIGNER.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAH.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JINFO.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.VP9VIDEOEXTENSIONS_1.0.22681.0_X64__8WEKYB3D8BBWE\CODECPACKS.VP9.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\PACK200.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-006E-0409-1000-0000000FF1CE}\MISC.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MIXEDREALITY.PORTAL_2000.19081.1301.0_X64__8WEKYB3D8BBWE\MIXEDREALITYPORTAL.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSMAPS_5.1906.1972.0_X64__8WEKYB3D8BBWE\MAPS.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\INTERNET EXPLORER\EXTEXPORT.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\MSEDGE_PROXY.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JCONSOLE.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\JAVA-RMI.EXE
  File opened for modification  C:\PROGRAM FILES\VIDEOLAN\VLC\VLC.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\OLICENSEHEARTBEAT.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\ACCICONS.EXE
  File opened for modification  C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWS.PHOTOS_2019.19071.12548.0_X64__8WEKYB3D8BBWE\MICROSOFT.PHOTOS.EXE
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OFFICECLICKTORUN.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\SERIALVER.EXE
  File opened for modification  C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\KTAB.EXE
  File opened for modification  C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACROCEF\RDRSERVICESUPDATER.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ONENOTEM.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\SETLANG.EXE
  File opened for modification  C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\XLICONS.EXE
Drops file in Windows directory  (64 IoCs)
  Process for every row: 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe

  description                   ioc
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-D..ED-CHINESE-MOIMEEXE_31BF3856AD364E35_10.0.19041.746_NONE_C3054A007D804943\F\CHSIME.EXE
  File opened for modification  C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-REMOTEASSISTANCE-EXE_31BF3856AD364E35_10.0.19041.1110_NONE_B678EC2DEB73B201\F\SDCHANGE.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SHELLHOST_31BF3856AD364E35_10.0.19041.1_NONE_CC694AAFC259F133\SIHOST.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SMARTSCREEN_31BF3856AD364E35_10.0.19041.1052_NONE_323C9A9AD543E3A3\F\SMARTSCREEN.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CONTAINER-MANAGER_31BF3856AD364E35_10.0.19041.1266_NONE_07A5D18B92D8B668\CMIMAGEWORKER.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..NAGEMENT-APPVSYSTEM_31BF3856AD364E35_10.0.19041.1081_NONE_BDF809EB2DD695F9\R\APPVCLIENT.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-G..ATION-WINCOMPONENTS_31BF3856AD364E35_10.0.19041.746_NONE_79BFC5CB57157E98\LOCATIONNOTIFICATIONWINDOWS.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-MUICACHEBUILDER_31BF3856AD364E35_10.0.19041.1_NONE_CFFDA9BF5435DB63\MCBUILDER.EXE
  File opened for modification  C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-P..NCETOOLSCOMMANDLINE_31BF3856AD364E35_10.0.19041.546_NONE_49716C2392052ACA\F\DISKPERF.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..NAGEMENT-APPVCLIENT_31BF3856AD364E35_10.0.19041.264_NONE_AA5417FD2708544D\SYNCAPPVPUBLISHINGSERVER.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..NTSCONTROL.APPXMAIN_31BF3856AD364E35_10.0.19041.423_NONE_6C3451A09CBA3850\ACCOUNTSCONTROLHOST.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-B..ONMENT-CORE-TCBBOOT_31BF3856AD364E35_10.0.19041.1288_NONE_75442AF2FE19577C\R\TCBLAUNCH.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-P..INSTALLERANDPRINTUI_31BF3856AD364E35_10.0.19041.264_NONE_B435E08254CDA322\F\PRINTUI.EXE
  File opened for modification  C:\WINDOWS\WINSXS\WOW64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.19041.1151_NONE_F68DB62A3702882B\SEARCHINDEXER.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-AUDIO-AUDIOCORE_31BF3856AD364E35_10.0.19041.264_NONE_5481650943811810\R\AUDIODG.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-EVENTLOG-COMMANDLINE_31BF3856AD364E35_10.0.19041.1202_NONE_3594628932065F23\WEVTUTIL.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WAASMEDIC_31BF3856AD364E35_10.0.19041.1165_NONE_A82485B8F343811F\R\WAASMEDICAGENT.EXE
  File opened for modification  C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-TCPIP_31BF3856AD364E35_10.0.19041.746_NONE_49D38AFB2289B178\NETIOUGC.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-HYPER-V-VSTACK-VMWP_31BF3856AD364E35_10.0.19041.264_NONE_13222F28BEAA00A7\VMWP.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SECURESTARTUP-CPL_31BF3856AD364E35_10.0.19041.1_NONE_0D7764D82A75E629\BITLOCKERWIZARDELEV.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TIERINGENGINE_31BF3856AD364E35_10.0.19041.746_NONE_8D7110D8C33B651F\R\TIERINGENGINESERVICE.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TPM-TOOL_31BF3856AD364E35_10.0.19041.1202_NONE_72F9F7C7A1B307DD\TPMTOOL.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-HYPER-V-DRIVERS-HYPERVISOR_31BF3856AD364E35_10.0.19041.264_NONE_0E32F443C4669FED\F\HVAX64.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-FILEEXPLORER.APPXMAIN_31BF3856AD364E35_10.0.19041.546_NONE_476476BB5C3A0BBC\F\FILEEXPLORER.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-IMPEXP-EXTEXPORT_31BF3856AD364E35_11.0.19041.1_NONE_17E048FCCDBCFAA0\EXTEXPORT.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SECURITY-TOOLS-KLIST_31BF3856AD364E35_10.0.19041.1266_NONE_B5FA73367BBD2F91\R\KLIST.EXE
  File opened for modification  C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-MSINFO32-EXE-COMMON_31BF3856AD364E35_10.0.19041.1110_NONE_0565D41CD46EC20A\R\MSINFO32.EXE
  File opened for modification  C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-P..INSTALLERANDPRINTUI_31BF3856AD364E35_10.0.19041.264_NONE_BE8A8AD4892E651D\R\PRINTUI.EXE
  File opened for modification  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\EDMGEN.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-HNS-DIAGNOSTICSTOOL_31BF3856AD364E35_10.0.19041.423_NONE_841C30F68571C385\R\HNSDIAG.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-U..TE-ORCHESTRATORCORE_31BF3856AD364E35_10.0.19041.264_NONE_64B3F487E354744D\F\USOCOREWORKER.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_NETFX-IEEXEC_B03F5F7F11D50A3A_10.0.19041.1_NONE_6A5DE40C0A30489E\IEEXEC.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_WINDOWS-SENSECLIENT-SERVICE_31BF3856AD364E35_10.0.19041.1288_NONE_1CEC63974464878F\F\SENSESAMPLEUPLOADER.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.19041.1151_NONE_EC390BD802A1C630\R\SEARCHPROTOCOLHOST.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-NETWORKUX-LEGACYUX_31BF3856AD364E35_10.0.19041.1_NONE_D374A4C62C9F2643\LEGACYNETUXHOST.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WMPDMC-UX_31BF3856AD364E35_10.0.19041.1_NONE_A4547E4C96BE5F59\WMPDMC.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_NETFX-CLR_ILASM_EXE_B03F5F7F11D50A3A_10.0.19041.1_NONE_7C4B8C980A524548\ILASM.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_NETFX-DW_B03F5F7F11D50A3A_10.0.19041.1_NONE_46D7D57B97BD01E0\DW20.EXE
  File opened for modification  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ASPNET_STATE.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-E..ORTINGCOMPATIBILITY_31BF3856AD364E35_10.0.19041.264_NONE_DC8146375466099A\R\DWWIN.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-P..ALCONTROLS.APPXMAIN_31BF3856AD364E35_10.0.19041.1_NONE_595F2A7ACAF53BBA\WPCUAPAPP.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WIFINETWORKMANAGER_31BF3856AD364E35_10.0.19041.84_NONE_6461F879A9C4A23E\F\WIFITASK.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-A..EXTSERVICE.APPXMAIN_31BF3856AD364E35_10.0.19041.423_NONE_2CADE1BC915DCA0D\MICROSOFT.ASYNCTEXTSERVICE.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SCTASKS_31BF3856AD364E35_10.0.19041.1_NONE_4030851754B3E0FB\SCHTASKS.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-C..PLUS-SETUP-MIGREGDB_31BF3856AD364E35_10.0.19041.1_NONE_E341AEE7030E39C4\MIGREGDB.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-R..PDATE-OOB-COMPONENT_31BF3856AD364E35_10.0.19041.84_NONE_E539ABE3D27F675F\R\RDVGM.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-VIRTUALDISKSERVICE_31BF3856AD364E35_10.0.19041.1_NONE_20DBE0239A0C22B4\VDSLDR.EXE
  File opened for modification  C:\WINDOWS\WINSXS\X86_NETFX-CSHARP_COMPILER_CSC_B03F5F7F11D50A3A_10.0.19041.1_NONE_BF6140EFBE1A7808\CSC.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SYNCHOST_31BF3856AD364E35_10.0.19041.746_NONE_477A57E55B61ABA8\R\SYNCHOST.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_NETFX35CDF-CSD_CDF_INSTALLER_31BF3856AD364E35_10.0.19041.1_NONE_0E4D25C8CB52F8D0\WFSERVICESREG.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-NETSH_31BF3856AD364E35_10.0.19041.1_NONE_159203C1973658CD\NETSH.EXE
  File opened for modification  C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-GROUPPOLICY-SCRIPT_31BF3856AD364E35_10.0.19041.572_NONE_4D40B8E902F83DD6\R\GPSCRIPT.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-AUDIO-VOLUMECONTROL_31BF3856AD364E35_10.0.19041.964_NONE_A40A1F93665B43EB\SNDVOL.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-OPENWITH_31BF3856AD364E35_10.0.19041.1_NONE_2311DC3012116C15\OPENWITH.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-USO-DTUHANDLER_31BF3856AD364E35_10.0.19041.844_NONE_C0D0CB934C1C1F17\R\DTUHANDLER.EXE
  File opened for modification  C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-EDP-NOTIFY_31BF3856AD364E35_10.0.19041.1202_NONE_9FE20FDB296D6341\EDPNOTIFY.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..ARTCARD-TPM-MANAGER_31BF3856AD364E35_10.0.19041.746_NONE_790F12933FBF7E0D\TPMVSCMGRSVR.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SYSTEMRESET_31BF3856AD364E35_10.0.19041.1266_NONE_5FD6523A3130632D\F\SYSRESETERR.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LXSS-WSLCONFIG_31BF3856AD364E35_10.0.19041.117_NONE_7F3778D7035D9622\WSLCONFIG.EXE
  File opened for modification  C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SMARTSCREEN_31BF3856AD364E35_10.0.19041.264_NONE_9B436D497F039D6D\SMARTSCREEN.EXE
  File opened for modification  C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-ISOBURN_31BF3856AD364E35_10.0.19041.746_NONE_680D56683FAD152B\R\ISOBURN.EXE
  File opened for
modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WLAN-EXTENSION_31BF3856AD364E35_10.0.19041.1_NONE_AFD43CB1C2B70F77\WLANEXT.EXE 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-I..ETEXPLORER-OPTIONAL_31BF3856AD364E35_11.0.19041.1202_NONE_512E9D368C70B758\R\IEXPLORE.EXE 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe File opened for modification C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-MEDIAPLAYER-CORE_31BF3856AD364E35_10.0.19041.1266_NONE_802F96A5044B0FBE\F\WMPSHARE.EXE 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3952 | 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
3952 | 305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\305877b6560f36a0297d9c90cfa21f4bdceb0e4145d12e06f47dc704e9c57beaN.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3952
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)