Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:02

Static task: static1
Behavioral task: behavioral1
Sample: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe
Resource: win7-20241023-en

General
Target: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe
Size: 92KB
MD5: beabed330e74015a2102b15691960c20
SHA1: 43b11ab832f4ea5f6a33963741bf30bf1974b133
SHA256: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea
SHA512: e078c0d9b3a638b6bf6debfed2f713ab12a30cb9cdfb371bf73206e91a7303ea7ebefdd944f2a29c6ac0352966004e686bee71951063d8e1515dbb95407fa6a3
SSDEEP: 1536:RHB0UxMkzOt7HcvJGt5AdHIOWnToIf12ZqTUgauoe3o:RhAWJGSCTBf12Z1gvoe3
Malware Config
Signatures
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory 64 IoCs
description: File opened for modification (all 64 entries)
Process: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe (all 64 entries)
ioc:
C:\WINDOWS\SysWOW64\WBEM\WMIPRVSE.EXE
C:\WINDOWS\SysWOW64\BACKGROUNDTASKHOST.EXE
C:\WINDOWS\SysWOW64\SETHC.EXE
C:\WINDOWS\SysWOW64\SNDVOL.EXE
C:\WINDOWS\SysWOW64\LABEL.EXE
C:\WINDOWS\SysWOW64\NET1.EXE
C:\WINDOWS\SysWOW64\NETIOUGC.EXE
C:\WINDOWS\SysWOW64\REPLACE.EXE
C:\WINDOWS\SysWOW64\RMACTIVATE_ISV.EXE
C:\WINDOWS\SysWOW64\CMDL32.EXE
C:\WINDOWS\SysWOW64\DDODIAG.EXE
C:\WINDOWS\SysWOW64\DIALER.EXE
C:\WINDOWS\SysWOW64\SYSTEMPROPERTIESPERFORMANCE.EXE
C:\WINDOWS\SysWOW64\NET.EXE
C:\WINDOWS\SysWOW64\PRESENTATIONHOST.EXE
C:\WINDOWS\SysWOW64\RMACTIVATE.EXE
C:\WINDOWS\SysWOW64\TASKMGR.EXE
C:\WINDOWS\SysWOW64\UNLODCTR.EXE
C:\WINDOWS\SysWOW64\AUTOCHK.EXE
C:\WINDOWS\SysWOW64\BOOTCFG.EXE
C:\WINDOWS\SysWOW64\EASEOFACCESSDIALOG.EXE
C:\WINDOWS\SysWOW64\MRINFO.EXE
C:\WINDOWS\SysWOW64\REG.EXE
C:\WINDOWS\SysWOW64\CTFMON.EXE
C:\WINDOWS\SysWOW64\DISM\DISMHOST.EXE
C:\WINDOWS\SysWOW64\ESENTUTL.EXE
C:\WINDOWS\SysWOW64\SETX.EXE
C:\WINDOWS\SysWOW64\WERMGR.EXE
C:\WINDOWS\SysWOW64\WINRTNETMUAHOSTSERVER.EXE
C:\WINDOWS\SysWOW64\PSR.EXE
C:\WINDOWS\SysWOW64\WRITE.EXE
C:\WINDOWS\SysWOW64\CMSTP.EXE
C:\WINDOWS\SysWOW64\DWWIN.EXE
C:\WINDOWS\SysWOW64\MUIUNATTEND.EXE
C:\WINDOWS\SysWOW64\REGINI.EXE
C:\WINDOWS\SysWOW64\SORT.EXE
C:\WINDOWS\SysWOW64\TPMINIT.EXE
C:\WINDOWS\SysWOW64\CERTREQ.EXE
C:\WINDOWS\SysWOW64\DLLHST3G.EXE
C:\WINDOWS\SysWOW64\FLTMC.EXE
C:\WINDOWS\SysWOW64\MAKECAB.EXE
C:\WINDOWS\SysWOW64\MMGASERVER.EXE
C:\WINDOWS\SysWOW64\OPOSHOST.EXE
C:\WINDOWS\SysWOW64\PROVLAUNCH.EXE
C:\WINDOWS\SysWOW64\RASERVER.EXE
C:\WINDOWS\SysWOW64\COMPACT.EXE
C:\WINDOWS\SysWOW64\FTP.EXE
C:\WINDOWS\SysWOW64\IME\SHARED\IMECFMUI.EXE
C:\WINDOWS\SysWOW64\XCOPY.EXE
C:\WINDOWS\SysWOW64\BYTECODEGENERATOR.EXE
C:\WINDOWS\SysWOW64\FIND.EXE
C:\WINDOWS\SysWOW64\WSMPROVHOST.EXE
C:\WINDOWS\SysWOW64\ISCSICPL.EXE
C:\WINDOWS\SysWOW64\NEWDEV.EXE
C:\WINDOWS\SysWOW64\RDRLEAKDIAG.EXE
C:\WINDOWS\SysWOW64\UTILMAN.EXE
C:\WINDOWS\SysWOW64\WWAHOST.EXE
C:\WINDOWS\SysWOW64\APPIDTEL.EXE
C:\WINDOWS\SysWOW64\CLEANMGR.EXE
C:\WINDOWS\SysWOW64\DRIVERQUERY.EXE
C:\WINDOWS\SysWOW64\EHSTORAUTHN.EXE
C:\WINDOWS\SysWOW64\MSTSC.EXE
C:\WINDOWS\SysWOW64\WOWREG32.EXE
C:\WINDOWS\SysWOW64\AUTOFMT.EXE

Drops file in Program Files directory 64 IoCs
description: File opened for modification (all 64 entries)
Process: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe (all 64 entries)
ioc:
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOUC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX86\MICROSOFT SHARED\EQUATION\EQNEDT32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX64\MICROSOFT ANALYSIS SERVICES\AS OLEDB\140\SQLDUMPER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\PPTICO.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\KLIST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ADDINS\MICROSOFT POWER QUERY FOR EXCEL INTEGRATED\BIN\MICROSOFT.MASHUP.CONTAINER.LOADER.EXE
C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFTSTICKYNOTES_3.6.73.0_X64__8WEKYB3D8BBWE\MICROSOFT.NOTES.EXE
C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\GRV_ICONS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\OSMADMINICON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\UPDATER.EXE
C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MIXEDREALITY.PORTAL_2000.19081.1301.0_X64__8WEKYB3D8BBWE\MIXEDREALITYPORTAL.BROKERED.EXE
C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVA-RMI.EXE
C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAH.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\WORDCONV.EXE
C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\IDENTITY_HELPER.EXE
C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACROLAYOUTRECOGNIZER\ACROLAYOUTRECOGNIZER.EXE
C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\INK\PIPANEL.EXE
C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLEUPDATECORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOASB.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-001F-040C-1000-0000000FF1CE}\MISC.EXE
C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.GETSTARTED_8.2.22942.0_X64__8WEKYB3D8BBWE\FMUI\FMUI.EXE
C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOXIDENTITYPROVIDER_12.50.6001.0_X64__8WEKYB3D8BBWE\XBOXIDP.EXE
C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLECRASHHANDLER.EXE
C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\123.0.6312.123\INSTALLER\CHRMSTP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\EXTEXPORT.EXE
C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\JAVA.EXE
C:\PROGRAM FILES (X86)\MOZILLA MAINTENANCE SERVICE\MAINTENANCESERVICE.EXE
C:\PROGRAM FILES\VIDEOLAN\VLC\VLC-CACHE-GEN.EXE
C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\LOGTRANSPORT2.EXE
C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLEUPDATEONDEMAND.EXE
C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPRPH.EXE
C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\JAVA-RMI.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOIA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\WORDICON.EXE
C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.ZUNEVIDEO_10.19071.19011.0_X64__8WEKYB3D8BBWE\VIDEO.UI.EXE
C:\PROGRAM FILES (X86)\COMMON FILES\ADOBE\ARM\1.0\ADOBEARM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVSHNOTIFY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\OSMCLIENTICON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\CRASHREPORTER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PPTICO.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\XLICONS.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE
C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.549981C3F5F10_1.1911.21713.0_X64__8WEKYB3D8BBWE\CORTANA.EXE
C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\INSTALLER\SETUP.EXE
C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAVAC.EXE
C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\KTAB.EXE
C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\JAVAW.EXE
C:\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE_BK\1.3.147.37\MICROSOFTEDGEUPDATECORE.EXE
C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\123.0.6312.123\CHROME_PWA_LAUNCHER.EXE
C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\KINIT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\CLVIEW.EXE
C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\WOW_HELPER.EXE
C:\PROGRAM FILES (X86)\COMMON FILES\JAVA\JAVA UPDATE\JAUREG.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\GRAPH.EXE
C:\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE_BK\1.3.147.37\MICROSOFTEDGECOMREGISTERSHELLARM64.EXE
C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWS.PHOTOS_2019.19071.12548.0_X64__8WEKYB3D8BBWE\MICROSOFT.PHOTOS.EXE
C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSCAMERA_2018.826.98.0_X64__8WEKYB3D8BBWE\WINDOWSCAMERA.EXE
C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\RMID.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\CLIENT\APPVDLLSURROGATE32.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMLAUNCH.EXE

Drops file in Windows directory 64 IoCs
description: File opened for modification (all 64 entries)
Process: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe (all 64 entries)
ioc:
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\DW20.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\MSBUILD.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MICROSOFT.WORKFLOW.COMPILER.EXE
C:\WINDOWS\SYSTEMAPPS\MICROSOFT.BIOENROLLMENT_CW5N1H2TXYEWY\BIOENROLLMENTHOST.EXE
C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADELRCP.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\CSC.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CASPOL.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\REGASM.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WPF\XAMLVIEWER\XAMLVIEWER_V0300.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\VBC.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\EDMGEN.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\COMSVCCONFIG.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\REGSVCS.EXE
C:\WINDOWS\SYSTEMAPPS\MICROSOFT.CREDDIALOGHOST_CW5N1H2TXYEWY\CREDDIALOGHOST.EXE
C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.APPREP.CHXAPP_CW5N1H2TXYEWY\CHXSMARTSCREEN.EXE
C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\LOGTRANSPORT2.EXE
C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4BITMAPIBROKER.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMCONFIGINSTALLER.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\APPLAUNCH.EXE
C:\WINDOWS\WINSXS\AMD64_ADOBE-FLASH-FOR-WINDOWS_31BF3856AD364E35_10.0.19041.82_NONE_2358A116979CC599\FLASHUTIL_ACTIVEX.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\INSTALLUTIL.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\DATASVCUTIL.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\NGENTASK.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ILASM.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\DATASVCUTIL.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMCONFIGINSTALLER.EXE
C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.XGPUEJECTDIALOG_CW5N1H2TXYEWY\XGPUEJECTDIALOG.EXE
C:\WINDOWS\ASSEMBLY\GAC_MSIL\COMSVCCONFIG\3.0.0.0__B03F5F7F11D50A3A\COMSVCCONFIG.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMSVCHOST.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\CVTRES.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\COMSVCCONFIG.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\JSC.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CVTRES.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\VBC.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_REGSQL.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ASPNET_STATE.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\VBC.EXE
C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EULA.EXE
C:\WINDOWS\MICROSOFT.NET\ASSEMBLY\GAC_32\MSBUILD\V4.0_4.0.0.0__B03F5F7F11D50A3A\MSBUILD.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\ADDINUTIL.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\WSATCONFIG.EXE
C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBECOLLABSYNC.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\APPLAUNCH.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DFSVC.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CSC.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\VBC.EXE
C:\WINDOWS\WINSXS\AMD64_ASPNET_COMPILER_B03F5F7F11D50A3A_4.0.15805.0_NONE_73CC8B3E43BA1056\ASPNET_COMPILER.EXE
C:\WINDOWS\ASSEMBLY\GAC_32\MSBUILD\3.5.0.0__B03F5F7F11D50A3A\MSBUILD.EXE
C:\WINDOWS\BITLOCKERDISCOVERYVOLUMECONTENTS\BITLOCKERTOGO.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_STATE.EXE
C:\WINDOWS\SYSTEMAPPS\MICROSOFT.XBOXGAMECALLABLEUI_CW5N1H2TXYEWY\XBOX.TCUI.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\NETFXSBS10.EXE
C:\WINDOWS\WINSXS\AMD64_ASPNET_REGBROWSERS_B03F5F7F11D50A3A_4.0.15805.0_NONE_646D7347043BE71C\ASPNET_REGBROWSERS.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\JSC.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_STATE.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODELREG.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\CSC.EXE
C:\WINDOWS\PRINTDIALOG\PRINTDIALOG.EXE
C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.SEARCH_CW5N1H2TXYEWY\SEARCHAPP.EXE
C:\WINDOWS\MICROSOFT.NET\ASSEMBLY\GAC_MSIL\SMSVCHOST\V4.0_4.0.0.0__B03F5F7F11D50A3A\SMSVCHOST.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_WP.EXE
C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.APPRESOLVERUX_CW5N1H2TXYEWY\APPRESOLVERUX.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\ADDINPROCESS.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe
Processes
C:\Users\Admin\AppData\Local\Temp\58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\58fe399b4515136d9190dd1d7a9654c7a5b43ec1e15e063839a6625f8a326bea.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 1836