Analysis Overview
SHA256
90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761
Threat Level: Shows suspicious behavior
The file 90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Deletes itself
Enumerates connected drives
Indicator Removal: File Deletion
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 00:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 00:13
Reported
2024-11-14 00:15
Platform
win7-20240729-en
Max time kernel
34s
Max time network
34s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqsA68C.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
Indicator Removal: File Deletion
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqsA68C.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | "C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe" |
| C:\Users\Admin\AppData\Local\Temp\eqsA68C.tmp | "C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\90B55F~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | efbkfqpcdh.com | udp |
| US | 8.8.8.8:53 | cffhqznqzd.com | udp |
Files
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
C:\Program Files\7-Zip\RCXA6B2.tmp
\Users\Admin\AppData\Local\Temp\eqsA68C.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 00:13
Reported
2024-11-14 00:15
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqsA8B3.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCXB5B2.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\RCXAA78.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\RCXAEE9.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCXADAE.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC194.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\RCXAD99.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\RCXB39F.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\RCXC51C.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCXAFF5.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC1C9.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCXC53F.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\RCXB4F9.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCXCA4B.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\RCXA8C4.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC4CA.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\RCXB39E.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\RCXB953.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCXAFAE.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC083.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCXAE2E.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCXB592.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCXAEB2.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\RCXAED7.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\RCXB336.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\RCXBAF4.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCXAE7A.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\RCXB9B3.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\RCXBAF3.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\RCXADD2.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\RCXBA5A.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\RCXBABD.tmp | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqsA8B3.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | "C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe" |
| C:\Users\Admin\AppData\Local\Temp\eqsA8B3.tmp | "C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\90B55F~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | efbkfqpcdh.com | udp |
| US | 8.8.8.8:53 | cffhqznqzd.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/2956-0-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Program Files\7-Zip\7zFM.exe
C:\Users\Admin\AppData\Local\Temp\eqsA8B3.tmp
C:\Program Files\7-Zip\RCXA8E5.tmp
memory/232-63-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXB6CD.tmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXB8E5.tmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCXB993.tmp
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXCAA1.tmp
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCXCC11.tmp