Analysis Overview
SHA256
93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2
Threat Level: Shows suspicious behavior
The file 93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 15:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 15:53
Reported
2024-10-27 15:55
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe
"C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe"
Network
| Country | Destination | Domain | Proto |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
Files
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | e6f20229f88cff5e2819453ad8d100ad |
| SHA1 | 5d5ba29d42b9e811729a1fe964eeb4b416a1cb73 |
| SHA256 | bed04f134b8af28d3c020f3ca9ae4ae7c90430358c6b589e5a48af4aa142fe7d |
| SHA512 | be2ce60c512ac89ed305d10d45458bf9e9753c1c597638e2116b377f24290c35467c63c6fa28b981a89c56af2727ea188158743f836f40cfcf2c04cc01653d4f |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | af59f8fcc27461a6c9db6cf1c4080da4 |
| SHA1 | cf69515b95e1cf51f70180dc1c4bec61fb69a6bf |
| SHA256 | 6200d4d7cd8a364738431b0b55c710a8769c8a0d9b95e277633738f9d4435f1d |
| SHA512 | 3baca97fd25ed29ceeb7b9d08e1c26ca3f3d1d44b080c83da032554f52ce26b65f6b9e95abbc692029d88beab99323f2c13770cbe21b501e605a003934c8fc97 |
C:\Program Files (x86)\Common Files\microsoft shared\DW\RCX2C5B.tmp
| MD5 | 854ac068a38c1ec7ff01c9dcf3d1b36f |
| SHA1 | 4bf7bf80bfecc08dbeed4e72aff04e0e77683f5f |
| SHA256 | 120eb79d35f3ac908eb89bdd56539a4bde5b23c2906efe7ccd97bf0e6da0d3af |
| SHA512 | 0221715cdcbb9ca2eb1daa87bfbfe92f821314bb4d565507a4cbde3bc09e8de70765005a83c594af623f0cd144f891758162498066c51425cfc948ca5b0d8903 |
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
| MD5 | 10b2097b668077b2c5a3bcbde969e80a |
| SHA1 | 84758052d41057c888f7835dcba777b1b6b27c9d |
| SHA256 | 13ed3605e87613f5e3c8348a004e1820a80bb48599dfdd58f29b06416e33ea7b |
| SHA512 | 2257dd921d75acd0f1e2df300d2fe10465e8ad3824585eafee2503a0ad6303f52c2c8c7aaed016529f302de744e1774d0d92bc464de6119f39a6fe8e2d58e96c |
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\RCX2CB8.tmp
| MD5 | 8ec77e62f4193408bcaef96ea8e8b8e0 |
| SHA1 | 6fa102f7dbbb6f08d0a7a2810c57eacfa55cd8f6 |
| SHA256 | 05a7204c0acbf7d8b1d0ab1a55907966b21e7bc99729c88845c3b42637a0860d |
| SHA512 | eb17bcdcc3952111cf756e90ad7d731da71cd56fe28710c24e26a65ed03697183838e94ab6135f856593bfcfad6e8fc5ed6e622a19ddf9686dbd66c730542492 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | 146e2ea79c72a7a3ed817683dd4caec2 |
| SHA1 | 65e6c8acda0e37d6f5ebb23ed8ebdd7f4036df88 |
| SHA256 | 85c934133aa31419574443fea5d6fb9040eb7c626e68f4c28e2d3b912c9327ac |
| SHA512 | 204ecb8fe5f756a334be1a8bb1fc744e6f0099a9387787dfe8b2bce136573d0c735d1d16eda820cd66935e09a1b40182fe4e7f801dbe06047ebf23c447386cbc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 15:53
Reported
2024-10-27 15:55
Platform
win10v2004-20241007-en
Max time kernel
107s
Max time network
116s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\RCX590C.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCX3A93.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\RCX3CD0.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\RCX41B9.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\RCX4396.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX579D.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\RCX4ADB.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\RCX5DCD.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCX3DCE.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX5D22.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\RCX3C6A.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\RCX45C0.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX5352.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX5E45.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX5364.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCX3D65.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCX3D9A.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX4622.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\RCX4BDE.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\RCX5E23.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX4663.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\RCX3F8D.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\RCX4419.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RCX44D9.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX4883.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnscfg.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\RCX37E3.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCX39A3.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX5D11.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\RCX3CCF.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCX3DDF.tmp | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
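The table above shows a single image running from the user's Temp directory opening RCX####.tmp files and executables for modification across many unrelated product directories under Program Files. The following Python is an added example, not output of the sandbox and not code from the sample, showing how a detection engineer could turn that pattern into a rule over file-modification telemetry. The records are constructed: the sample's paths are copied from the table, the two Office updater rows are invented benign noise, and the three-directory threshold, the regexes and the function names are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed (process image, target path) records. SAMPLE and its targets are copied from the
# behavioral2 signature table in the report; the UPDATER rows are invented benign noise
# (an installer writing a staging file and an exe inside its own product tree).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe")
UPDATER = r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
EVENTS = [
    (SAMPLE, r"C:\Program Files\Java\jdk-1.8\bin\RCX3A93.tmp"),
    (SAMPLE, r"C:\Program Files\Java\jdk-1.8\bin\jar.exe"),
    (SAMPLE, r"C:\Program Files\Java\jdk-1.8\bin\rmic.exe"),
    (SAMPLE, r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX5D22.tmp"),
    (SAMPLE, r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe"),
    (SAMPLE, r"C:\Program Files\7-Zip\7z.exe"),
    (SAMPLE, r"C:\Program Files\Windows Media Player\RCX4ADB.tmp"),
    (UPDATER, r"C:\Program Files\Microsoft Office\root\Office16\RCX0001.tmp"),
    (UPDATER, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

# Assumed patterns: Program Files roots, the RCX####.tmp staging name seen in the report,
# and a process image living in a user's Temp directory.
PROGRAM_FILES = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
STAGING_NAME = re.compile(r"^RCX[0-9A-F]{4}\.tmp$", re.IGNORECASE)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def split_path(path):
    """Return (directory, basename) for a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def triage(events, min_dirs=3):
    """Group Program Files writes per process and flag the combination the report shows:
    an image from a user's Temp directory that stages RCX####.tmp files and opens .exe
    targets across several unrelated product directories (min_dirs is an assumed threshold)."""
    per_proc = defaultdict(lambda: {"staging_dirs": set(), "exe_targets": set()})
    for proc, target in events:
        if not PROGRAM_FILES.match(target):
            continue
        directory, name = split_path(target)
        if STAGING_NAME.match(name):
            per_proc[proc]["staging_dirs"].add(directory.lower())
        elif name.lower().endswith(".exe"):
            per_proc[proc]["exe_targets"].add(target)
    verdicts = {}
    for proc, rec in per_proc.items():
        exe_dirs = {split_path(t)[0].lower() for t in rec["exe_targets"]}
        touched = rec["staging_dirs"] | exe_dirs
        from_temp = bool(USER_TEMP.search(proc))
        verdicts[proc] = {
            "from_user_temp": from_temp,
            "directories": touched,
            "exe_targets": sorted(rec["exe_targets"]),
            "suspicious": from_temp and len(touched) >= min_dirs,
        }
    return verdicts


def files_to_verify(verdicts):
    """Executables a responder should re-hash or reinstall: every .exe that a flagged
    process opened for modification."""
    return sorted(t for v in verdicts.values() if v["suspicious"] for t in v["exe_targets"])


if __name__ == "__main__":
    result = triage(EVENTS)
    for proc, v in result.items():
        label = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{label:10} {len(v['directories'])} dirs  {proc}")
    print("verify on host:", *files_to_verify(result), sep="\n  ")
```

The rule keys on the combination the report exhibits (user-Temp origin, RCX####.tmp staging names, .exe targets spread over several product directories) rather than on the sample's hash, so it also fires on other builds; tune min_dirs against legitimate installer and updater traffic in your own telemetry before alerting on it.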
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe
"C:\Users\Admin\AppData\Local\Temp\93b9ece8f36e8466f38ff59e45ef1679c070fa9aae4f652f7dc776796d4341c2N.exe"
Network
| Country | Destination | Domain | Proto |
| MD | 195.93.218.135:80 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | | tcp |
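In both detonations the only connection with no name attached is repeated TCP to 195.93.218.135:80; the rest of the behavioral2 traffic is DNS to 8.8.8.8 (mostly reverse lookups) and the tse1.mm.bing.net connections that a forward lookup preceded. The following Python is an added example, not part of the report, that parses the behavioral2 table transcribed inline and separates resolved endpoints, reverse lookups and direct-to-IP connections so the candidate C2 endpoint falls out of the data instead of being eyeballed. The pipe-separated transcription, the three-hit threshold and the function names are assumptions made here.

```python
import re
from collections import Counter, defaultdict

# The behavioral2 Network table from the report, transcribed as constructed input in the
# form country|destination|domain|proto (an empty domain means no name was tied to the flow).
NETWORK_TABLE = """\
MD|195.93.218.135:80||tcp
US|8.8.8.8:53|232.168.11.51.in-addr.arpa|udp
US|8.8.8.8:53|79.190.18.2.in-addr.arpa|udp
US|8.8.8.8:53|73.31.126.40.in-addr.arpa|udp
US|8.8.8.8:53|95.221.229.192.in-addr.arpa|udp
US|8.8.8.8:53|88.156.103.20.in-addr.arpa|udp
MD|195.93.218.135:80||tcp
US|8.8.8.8:53|56.163.245.4.in-addr.arpa|udp
US|8.8.8.8:53|15.164.165.52.in-addr.arpa|udp
MD|195.93.218.135:80||tcp
MD|195.93.218.135:80||tcp
US|8.8.8.8:53|tse1.mm.bing.net|udp
US|150.171.28.10:443|tse1.mm.bing.net|tcp
US|150.171.28.10:443|tse1.mm.bing.net|tcp
US|150.171.28.10:443|tse1.mm.bing.net|tcp
US|150.171.28.10:443|tse1.mm.bing.net|tcp
US|8.8.8.8:53|43.58.199.20.in-addr.arpa|udp
MD|195.93.218.135:80||tcp
"""

PTR_NAME = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$",
                      re.IGNORECASE)


def parse(table):
    """Turn the pipe-separated rows into dicts with host and port split out."""
    rows = []
    for line in table.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split("|")
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232'; None for a forward name."""
    m = PTR_NAME.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows):
    """Bucket the traffic: DNS rows become forward or reverse lookups; every other row is
    either tied to a resolved name or is a direct-to-IP connection with no name attached."""
    summary = {"direct": Counter(), "named": defaultdict(set),
               "ptr_targets": set(), "forward_lookups": set()}
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip:
                summary["ptr_targets"].add(ip)
            else:
                summary["forward_lookups"].add(r["domain"])
            continue
        endpoint = f"{r['host']}:{r['port']}"
        if r["domain"]:
            summary["named"][endpoint].add(r["domain"])
        else:
            summary["direct"][endpoint] += 1
    return summary


def candidate_c2(summary, min_hits=3):
    """Endpoints contacted repeatedly by bare IP, never tied to a forward name and never
    the subject of a reverse lookup (min_hits is an assumed threshold)."""
    return sorted(
        ep for ep, hits in summary["direct"].items()
        if hits >= min_hits
        and ep not in summary["named"]
        and ep.rsplit(":", 1)[0] not in summary["ptr_targets"]
    )


if __name__ == "__main__":
    s = summarize(parse(NETWORK_TABLE))
    print("direct-to-IP:", dict(s["direct"]))
    print("resolved:", {k: sorted(v) for k, v in s["named"].items()})
    print("reverse lookups asked for:", sorted(s["ptr_targets"]))
    print("candidate C2:", candidate_c2(s))
```

The reverse lookups to 8.8.8.8 and the tse1.mm.bing.net connections are most plausibly background traffic from the Windows guest rather than the sample and are not worth blocking on; the endpoint to act on is the one that recurs in both the win7 and win10 runs with no DNS resolution and a plain HTTP port.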
Files
memory/4728-0-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Program Files\7-Zip\7z.exe
| MD5 | 0203c1d3a6ef38a14fedd980f8e0abd9 |
| SHA1 | c73c8d5fbcf304177e094bd6c25c1c6511624d1d |
| SHA256 | e04549d1008e512ab74fa7ecda859abf5f59e3af03d39ad51e55de1a45a131a2 |
| SHA512 | 1ec29d7c80fa7e35d56a544ee5d6790881255d411cd64a0fa7d8b18ccea0a48e7daa8e5ea8bd250da2d17eceffa4bcdf81233320cc058ceaf6528b05e9a86e97 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | af59f8fcc27461a6c9db6cf1c4080da4 |
| SHA1 | cf69515b95e1cf51f70180dc1c4bec61fb69a6bf |
| SHA256 | 6200d4d7cd8a364738431b0b55c710a8769c8a0d9b95e277633738f9d4435f1d |
| SHA512 | 3baca97fd25ed29ceeb7b9d08e1c26ca3f3d1d44b080c83da032554f52ce26b65f6b9e95abbc692029d88beab99323f2c13770cbe21b501e605a003934c8fc97 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe
| MD5 | 28b85e75182d8482dbbccd359c061466 |
| SHA1 | bfbcbcff6f20084d8af50779a7b241878ca5cd39 |
| SHA256 | 6b15c2421e8add00d5a7da575f23707ef9091fd264bd7418c88a5672db5be1cf |
| SHA512 | 4fbf39b3cdf260cbb6a11d11d69646ceb71c51df6e465d939d5efe8fdf1b503736e18ac4521063d01638a9cf480015b64ca4e98b4ea47cb8aac665c28484e27a |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX4833.tmp
| MD5 | d54a18ccac3e291cf5d1780314b6959d |
| SHA1 | f1892ac192f6421782c5d3f4fa46e83d956dbc1e |
| SHA256 | 9b3a5b4f572bcce0f6838b9fb5eba7a2d2d7d9ec1e208bfc0f451ff61d098bde |
| SHA512 | 172dbc0d4b280e0212d82bc83f049505f99b429076d87a6b740483e33f63159087544e3cd6ab67ff05ec1eb0e5f89521da96db42187862b4574f9231a9341700 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX4883.tmp
| MD5 | 53889c85c32108f93022352ea52f0ddd |
| SHA1 | a0f6da80f0a2a2b700a2670e89c3e58a27ea956f |
| SHA256 | b19c6539228d8c64bbec068c8101792ee86e8c38d9488a787aa4cb922e2fc647 |
| SHA512 | 5dfaa70902305b71e2425168850bba293a24bc2bc76f08991e1e2c8fe6f780b2287cb0e312c636bbef578734846f881c94479c151684e55415c4c8529dd8085e |
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe
| MD5 | bf3cf632bd8e98824a6807ca6572e7ca |
| SHA1 | 6ea7f86a49c9404def9e03544e28d4c117dd85c5 |
| SHA256 | a2d545dd168d83cf8afbed580af6be4d7f649c2f0d0349be94d044393ef7ff0a |
| SHA512 | 760c3b963395d141b4521f112e3363009f47b9ccb7e2a48e883dedb80367f610e99a879e8de6f3fc03171effdfa9733ce805a4338eadf0aea780d6d8b042bb78 |
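The hashes in the Files sections are of the files as the sample wrote them, not of clean installs; the same 7zFM.exe digest (6200d4d7…) appears in both the win7 and win10 runs. The following Python is an added example, not part of the report, of using those hashes on a host under investigation: a match means the host carries the same artifact, while a mismatch proves nothing (clean install, different product version, or a different build of the sample). The resolve() mapping, the temporary directory and the placeholder file contents in demo() are test scaffolding assumed here.

```python
import hashlib
import os
import tempfile

# SHA256 values copied from the behavioral2 Files section of the report. They describe the
# files as the sample left them, so a match on a host is evidence of the same artifact.
DROPPED_SHA256 = {
    r"C:\Program Files\7-Zip\7z.exe":
        "e04549d1008e512ab74fa7ecda859abf5f59e3af03d39ad51e55de1a45a131a2",
    r"C:\Program Files\7-Zip\7zFM.exe":
        "6200d4d7cd8a364738431b0b55c710a8769c8a0d9b95e277633738f9d4435f1d",
    r"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe":
        "a2d545dd168d83cf8afbed580af6be4d7f649c2f0d0349be94d044393ef7ff0a",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large executables do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def check_host(expected, resolve=lambda p: p):
    """expected: {report_path: sha256}. resolve maps a report path to the path to read, so
    the same check works on the live host (identity), a mounted disk image, or a test tree.
    Returns {report_path: 'absent' | 'matches_dropped_artifact' | 'differs'}."""
    verdicts = {}
    for report_path, digest in expected.items():
        local = resolve(report_path)
        if not os.path.isfile(local):
            verdicts[report_path] = "absent"
        elif sha256_file(local) == digest.lower():
            verdicts[report_path] = "matches_dropped_artifact"
        else:
            verdicts[report_path] = "differs"
    return verdicts


def demo():
    """Self-contained run against a temporary tree (assumed scaffolding): one file planted
    with constructed content whose digest is substituted into the expectation, one file
    with other content, and one path left missing."""
    with tempfile.TemporaryDirectory() as root:
        def resolve(p):
            # Drop the drive letter and re-root the remaining components under the temp dir.
            return os.path.join(root, *p.split("\\")[1:])

        planted = b"constructed placeholder, not the real artifact"
        expected = dict(DROPPED_SHA256)
        expected[r"C:\Program Files\7-Zip\7z.exe"] = hashlib.sha256(planted).hexdigest()
        for path, content in [(r"C:\Program Files\7-Zip\7z.exe", planted),
                              (r"C:\Program Files\7-Zip\7zFM.exe", b"something else")]:
            local = resolve(path)
            os.makedirs(os.path.dirname(local), exist_ok=True)
            with open(local, "wb") as f:
                f.write(content)
        return check_host(expected, resolve)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:26} {path}")
```

On a real host call check_host(DROPPED_SHA256) with the default identity resolve; treat "differs" as inconclusive and fall back to the vendor's signed original or a known-good installation for those executables rather than reading it as clean.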