Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 23:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe
- Resource: win7-20241023-en
General
- Target: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe
- Size: 92KB
- MD5: beabed330e74015a2102b15691960c20
- SHA1: 43b11ab832f4ea5f6a33963741bf30bf1974b133
- SHA256: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea
- SHA512: e078c0d9b3a638b6bf6debfed2f713ab12a30cb9cdfb371bf73206e91a7303ea7ebefdd944f2a29c6ac0352966004e686bee71951063d8e1515dbb95407fa6a3
- SSDEEP: 1536:RHB0UxMkzOt7HcvJGt5AdHIOWnToIf12ZqTUgauoe3o:RhAWJGSCTBf12Z1gvoe3
Malware Config
Signatures
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe"
  Signatures:
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 3012