Analysis

max time kernel: 94s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:02

Static task: static1
Behavioral task: behavioral1
Sample: 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
Resource: win7-20240903-en
General

Target: 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
Size: 92KB
MD5: 635066b619008b0d673ca5c780db3764
SHA1: a8c8c6b82d4f6bdd30451de7e129750678f131a1
SHA256: 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7
SHA512: 0d49a299d1a425fbfbc4b8cdbd922692fc6a67fc5c3914f66f814e58c9d9005c90eb0b779ea368df151afc513f8bc5c7631bf5a540b142cbd1134caeaa952704
SSDEEP: 1536:DHB0UxMkzOt7HcvJGt5AdHIOWnToIf12ZqTUgatwoHVo:DhAWJGSCTBf12Z1gfoHV
Malware Config

Signatures

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\WINDOWS\SysWOW64\COM\MIGREGDB.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\IME\SHARED\IMECFMUI.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\MAKECAB.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\MSINFO32.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\RMACTIVATE_SSP_ISV.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\SYSTEMPROPERTIESCOMPUTERNAME.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\THUMBNAILEXTRACTIONHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\TSTHEME.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\BYTECODEGENERATOR.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\CMSTP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\HELP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\MSTSC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\ROUTE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\WINRSHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\PKGMGR.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\SORT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\SYSTEMPROPERTIESHARDWARE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\DPLAYSVR.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\EXPAND.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\F12\IECHOOSER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\IEXPRESS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\MTSTOCOM.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\TAPIUNATTEND.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\TZUTIL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\WSMPROVHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\SECINIT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\USERINIT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\WHOAMI.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\DLLHST3G.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\IEUNATT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\NET.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\NETPLWIZ.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\RDPSAPROXY.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\WWAHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\CIPHER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\ICSUNATTEND.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\ONEDRIVESETUP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\RUNONCE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\TSWPFWRP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\BTHUDTASK.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\CMD.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\CMDL32.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\TTDINJECT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\UNREGMP2.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\TAR.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\TASKKILL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\TIMEOUT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\COLORCPL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\CONTROL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\ESENTUTL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\NETCFGNOTIFYOBJECTHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\ROBOCOPY.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\WEVTUTIL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\NSLOOKUP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\WPDSHEXTAUTOPLAY.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\BACKGROUNDTRANSFERHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\FTP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\HH.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\INSTALLSHIELD\_ISDEL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\MAVINJECT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\NETIOUGC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\WUSA.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SysWOW64\EUDCEDIT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPNETWK.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOXGAMINGOVERLAY_2.34.28001.0_X64__8WEKYB3D8BBWE\GAMEBAR.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ARH.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\PWAHELPER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\RMID.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\JAVACPL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PPTICO.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\COMMON.SHOWHELP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE16\OSPPREARM.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\OSMCLIENTICON.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\VIDEOLAN\VLC\VLC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE_BK\MICROSOFTEDGEUPDATE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\JP2LAUNCHER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\MSOICONS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\PJ11ICON.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWS.PHOTOS_2019.19071.12548.0_X64__8WEKYB3D8BBWE\MICROSOFT.PHOTOS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\POLICYTOOL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\GRV_ICONS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.STOREPURCHASEAPP_11811.1001.18.0_X64__8WEKYB3D8BBWE\STOREEXPERIENCEHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\MIP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\XLICONS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.YOURPHONE_0.19051.7.0_X64__8WEKYB3D8BBWE\YOURPHONE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MAIL\WAB.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMLAUNCH.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JCONSOLE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\JOTICON.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\CRASHREPORTER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.OFFICE.ONENOTE_16001.12026.20112.0_X64__8WEKYB3D8BBWE\ONENOTESHARE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPRPH.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\READER_SL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH\JAVA.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JCMD.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\SETLANG.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\FILECOMPARE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE 15\CLIENTX64\OFFICECLICKTORUN.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\BHO\IE_TO_EDGE_STUB.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\IDENTITY_HELPER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\RMIREGISTRY.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\DW\DW20.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACROBROKER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\INTERNET EXPLORER\IEINSTAL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAPACKAGER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\JJS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE_BK\1.3.147.37\MICROSOFTEDGECOMREGISTERSHELLARM64.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\RMIC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\SPREADSHEETCOMPARE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFT3DVIEWER_6.1908.2042.0_X64__8WEKYB3D8BBWE\3DVIEWER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFTSOLITAIRECOLLECTION_4.4.8204.0_X64__8WEKYB3D8BBWE\SOLITAIRE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MSPAINT_6.1907.29027.0_X64__8WEKYB3D8BBWE\PAINTSTUDIO.VIEW.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\RMIREGISTRY.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\SSVAGENT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\GRAPH.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ADDINS\MICROSOFT POWER QUERY FOR EXCEL INTEGRATED\BIN\MICROSOFT.MASHUP.CONTAINER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ADDINS\MICROSOFT POWER QUERY FOR EXCEL INTEGRATED\BIN\MICROSOFT.MASHUP.CONTAINER.NETFX45.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSMAPS_5.1906.1972.0_X64__8WEKYB3D8BBWE\MAPS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLEUPDATECORE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE16\LICLUA.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAFXPACKAGER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JHAT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
Drops file in Windows directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\LOGTRANSPORT2.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\WSATCONFIG.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.ADDSUGGESTEDFOLDERSTOLIBRARYDIALOG_CW5N1H2TXYEWY\ADDSUGGESTEDFOLDERSTOLIBRARYDIALOG.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_ADDINPROCESS_B77A5C561934E089_4.0.15805.0_NONE_74BABA51266F3010\ADDINPROCESS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\NGENTASK.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\JSC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_HYPERV-COMPUTE-GUESTCOMPUTESERVICE_31BF3856AD364E35_10.0.19041.1202_NONE_024525BDC81DF50D\VMCOMPUTEAGENT.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\SERVICEMODELREG.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ACRORD32.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\ASSEMBLY\GAC_32\MSBUILD\V4.0_4.0.0.0__B03F5F7F11D50A3A\MSBUILD.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\APPLAUNCH.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ILASM.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\DATASVCUTIL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MICROSOFT.WORKFLOW.COMPILER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\NGEN.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\VBC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFT.ASYNCTEXTSERVICE_8WEKYB3D8BBWE\MICROSOFT.ASYNCTEXTSERVICE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_EDMGEN_B77A5C561934E089_4.0.15805.0_NONE_AE80A3049486A75F\EDMGEN.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\ASSEMBLY\GAC_MSIL\DFSVC\2.0.0.0__B03F5F7F11D50A3A\DFSVC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ILASM.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\CASPOL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\ADDINPROCESS32.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ASPNET_STATE.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\SMSVCHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_ASPNET_REGBROWSERS_B03F5F7F11D50A3A_10.0.19041.1_NONE_82A36C559596820A\ASPNET_REGBROWSERS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_HYPERV-COMMANDLINE-TOOL_31BF3856AD364E35_10.0.19041.928_NONE_0B17415AE0DD0379\F\HVC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ASPNET_WP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\EDMGEN.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_ADOBE-FLASH-FOR-WINDOWS_31BF3856AD364E35_10.0.19041.82_NONE_2358A116979CC599\FLASHUTIL_ACTIVEX.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\INSTALLUTIL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGSVCS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\APPLAUNCH.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SYSMON.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\DFSVC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SYSTEMAPPS\WINDOWS.CBSPREVIEW_CW5N1H2TXYEWY\CAMERABARCODESCANNERPREVIEW.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\ADDINPROCESS32.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\COMSVCCONFIG.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\CSC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\APPLAUNCH.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\JSC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFT.AAD.BROKERPLUGIN_CW5N1H2TXYEWY\MICROSOFT.AAD.BROKERPLUGIN.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\MSBUILD.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\ADDINPROCESS.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_ASPNET_COMPILER_B03F5F7F11D50A3A_10.0.19041.1_NONE_9202844CD514AB44\ASPNET_COMPILER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMSVCHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\VBC.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\ADDINUTIL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_BSDTAR_31BF3856AD364E35_10.0.19041.1_NONE_0C1F19C50B5E5F6E\TAR.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\RDRSERVICESUPDATER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ASPNET_REGSQL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_COMPILER.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORSVW.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODELREG.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\DATASVCUTIL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WFSERVICESREG.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\COMSVCCONFIG.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFTWINDOWS.CLIENT.CBS_CW5N1H2TXYEWY\INPUTAPP\TEXTINPUTHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\ASSEMBLY\GAC_MSIL\SMSVCHOST\3.0.0.0__B03F5F7F11D50A3A\SMSVCHOST.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ILASM.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\ADDINUTIL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\SYSTEMAPPS\NCSIUWPAPP_8WEKYB3D8BBWE\NCSIUWPAPP.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
File opened for modification | C:\WINDOWS\WINSXS\AMD64_INSTALLUTIL_B03F5F7F11D50A3A_4.0.15805.0_NONE_D67D06EF0C4A2E1C\INSTALLUTIL.EXE | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
Processes

C:\Users\Admin\AppData\Local\Temp\424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\424cce0ed667aff2ade14ed386884188c4f14fecaf5b810d313407dbcb0953b7.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 864