Analysis Overview
SHA256
acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568
Threat Level: Shows suspicious behavior
The file acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Enumerates connected drives
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 02:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 02:37
Reported
2024-10-31 02:52
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
Indicator Removal: File Deletion
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe
"C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ACD4EE~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | efbkfqpcdh.com | udp |
| US | 8.8.8.8:53 | cffhqznqzd.com | udp |
Files
C:\Program Files\7-Zip\RCXB4C5.tmp
| MD5 | fc80202a8fc434099a9449b2a14c2d75 |
| SHA1 | 9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555 |
| SHA256 | d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51 |
| SHA512 | 98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4 |
memory/2672-14-0x0000000000401000-0x0000000000402000-memory.dmp
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | a7f5691c267a8593b4ded27dace10ea2 |
| SHA1 | 0c31e43c52dc170d5484c2780f1907ded50988fd |
| SHA256 | 7363b2ea3295880e3c50677eb7db08d841bb40c9b072332737069e64dece820b |
| SHA512 | 146a15108b6079e8a6d057b45b369858c083094c6937ca781db5b6c4926f12d07850e9857ddeb8d5bc8c7918347d79b4412be59983de7c6bb3f382b41a1dda62 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | 866454fe10e1eeb551203a35a11be884 |
| SHA1 | 317da88a276a8638a35d6ab5618372fd7cb9f7cc |
| SHA256 | 265ae7b5af41972bba1f4741c4f96533b2e00657c32073a009b6bbd089641e4b |
| SHA512 | 213738511c335689d2230286ec6ed9dec7d9efbf9cbb2f7d08106d214482161630010171a3c939df83c9eac02caafb961913d8cf485b1c783d2b0e81f9831efc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 02:37
Reported
2024-10-31 02:52
Platform
win10v2004-20241007-en
Max time kernel
105s
Max time network
106s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXB0B1.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\RCX90A7.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoev.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\RCX9AF4.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCX943E.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXA848.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\RCXB08D.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX9D07.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\RCX9AA1.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX9CB4.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCX9256.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXA94E.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\RCXA0AA.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\RCXA96F.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\RCXAF23.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\RCX964C.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCX9278.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\RCX93AF.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCX94CD.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX9005.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\RCXAFE3.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCXB006.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\RCX977A.tmp | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4868 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4868 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4868 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe
"C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ACD4EE~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | efbkfqpcdh.com | udp |
| US | 8.8.8.8:53 | cffhqznqzd.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/4868-0-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 6115395199a504e413155929b2f4d679 |
| SHA1 | 0aefc4e27f50d1ff073a4e406a52a0ce173d5822 |
| SHA256 | 585a1a54319259635c5c8cbed6015b07bb7c9f924a9c42f933b1174b8043d66d |
| SHA512 | 9f9c5a21ffa22f8dbbda4ac8b4584c3db4ec7bfb4849d98f0f39080420d3848c7332775ddeead77847d5aefd566e2cc7fff849c6c51cadc39ad7c9523998cadd |
C:\Program Files\7-Zip\RCX8F21.tmp
| MD5 | fc80202a8fc434099a9449b2a14c2d75 |
| SHA1 | 9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555 |
| SHA256 | d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51 |
| SHA512 | 98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe
| MD5 | 2cd7c7e0b409aa489c97432ccda2e972 |
| SHA1 | 4200714ee3d1a78f714366d4ea34695476b81d0c |
| SHA256 | 29d210ad13dd8d05947b26d8fee3bd1b994fbbc4cfac25a121d2c7bd7cf7b860 |
| SHA512 | 9a93acae8e08b601ca24848e73e978346dc88fcfc4cd52156fe2c0a051084bb94345b0524fdcaff777948fe4cab8178423e9d4b1176c3913bdfc96c9e9f22e75 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX9E18.tmp
| MD5 | 301df11b1d56ea84b641035869e1714d |
| SHA1 | e26a679087b947dd12e130dcbfb0157430f51168 |
| SHA256 | ceaeb65fdfebc6ba36b69e3df628fc4e1f1048f44c3b0b0f2815e9b4aa68df64 |
| SHA512 | 4914e20e99d295314a2dc63962f187cad0c2efe2e770b4265643f6e4a8c231eda9595945780d1e9e9572ea5cfc4985fd2593ec08d98a1b43c4ec5e1753d54a51 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX9FD0.tmp
| MD5 | cfdf29654da360dc586d65d4eb06179d |
| SHA1 | 5464f625f5aebe7fc3169309a9403e25ec09432a |
| SHA256 | ac520da6b4a8e12c081ab9ea659fe5bd5eb076c40b203bd7156cb1ad9f8459d7 |
| SHA512 | 30473bcb9ab74f4913c3a093a0626a915f09bd8067270f473924fcbde533a3eab3c9e5f97c1c56358fec054ceaf7f3ca3d707152d008e45c77f02deb46e18ce1 |
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
| MD5 | b73b798f76b328a5d063cacfda16baaa |
| SHA1 | eff6a12077159f5ae16ca222c9b15c2d41c6f283 |
| SHA256 | 0c845d2340de1bb8448b21d8dc2b95cf68e823da8b2509a007479f65855da75a |
| SHA512 | ff3db6d52854096b4e13cf8cb1cf2c756a13c1b10c98aaacab1af062ed6564305936147d749283b89f122a27178b79215c5b5a803ad354b75f80e5b58887573d |
C:\Program Files (x86)\Google\Update\RCXABB6.tmp
| MD5 | a0db8bdb48baaa4523eceef7349a1567 |
| SHA1 | fbee578b8a5358da84808926a411984f48f362d3 |
| SHA256 | 6bf310f40bd5e380fec75fcf810f675f2f7f180253ea8eee04bf47b13b835d4f |
| SHA512 | ae748e814aadde6bb62f3ea1717b4d419fb5c955981a9eff5c3c18975a9bba16c056c5d8644e9bd206b962151589490d98a0900f0abf49e52efb717755b9d347 |
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXB0C2.tmp
| MD5 | 5802188c8db128cc08d0cc233c555673 |
| SHA1 | f7e4a8b406c9842cad07d9ef88a0708b2ff05054 |
| SHA256 | 4f8443a155baba126fb11442b750d1be42f99ca555d9b1495aa9a5fda8b8dfa1 |
| SHA512 | 4d59a416d89992a10d27f2d39fdd3d1570c721c2bd7e52288c3a64aa172bdab316e35ce5d61ee686c56fd771a84415f1c435844c8a9b020198de17a1524eb132 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCXB1E0.tmp
| MD5 | b4888eb7f3abc796d0589767fb54c734 |
| SHA1 | 21d766acd5fec6697251702f7986a70f86677296 |
| SHA256 | 514179077a0fa1fd9ab8f3b58835334b9b990ddf74232e9ee57de030eb7d7598 |
| SHA512 | 41e910e48f7d99c25e1f2014c3dbbb5bcf38ac9c24bd5188c9e6a8b43db98e4dbe10eafeb0b633858fa807d3b0c9187b533b8553ca226a4cc360ee14579facc0 |
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\RCXB1F2.tmp
| MD5 | 781cbd9734adc3393e4538e832ba3967 |
| SHA1 | 6878a0fced5b9a59d07699098f5bc19e56bf278c |
| SHA256 | da61e6e997c8e0ded0cfb5c070d9f3b0c5a747d98107e27b46b365f3cea901ee |
| SHA512 | 55c6d64af485919f37312b80f4a03e0ee3a81ca66702f32fd76703bed46579d51828e0354fbbff2ebe1049462397deb58cb89092f8d3e94df9aac4b9b2122f5c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe
| MD5 | a7f700f4afd0c2693eab70e5b32753a6 |
| SHA1 | 0eed3395dd7c1f16173035f2e7352eb4eaa2da56 |
| SHA256 | 39cbf7bf33466813364c826e00af8d466755d98a0e37901e81584ece4930c187 |
| SHA512 | 7ae91b742a5cda294a604ea3b99742315534b6dee6abf9809af9bf3fa061274fdf87a66e8a5ec7587bc23e0ca7acb0af40b625937e57d75cd3760e7ebd26f010 |