Analysis
- max time kernel: 26s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/01/2025, 19:09
Static task: static1
Behavioral task: behavioral1
Sample: 5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe
Resource: win7-20240903-en
General
- Target: 5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe
- Size: 92KB
- MD5: a9f6b8b6a8bb7225884ae4acad9ede21
- SHA1: 163ab5211709981d4872382a1fa6179fe9950038
- SHA256: 5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530
- SHA512: c0df9ed57d272616e438e1d48fa09bf1a9b315687a38476d05a34b342a3c99fbeb392c50287a041f70f65ec60378b68de073f92aa713651e71f1153a823c2e6c
- SSDEEP: 1536:DHB0UxMkzOt7HcvJGt5AdHIOWnToIf12ZqTUgawozmoJ:DhAWJGSCTBf12Z1gtozm+
Malware Config
Signatures
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 2192