Analysis Overview
SHA256
5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530
Threat Level: Shows suspicious behavior
The file 5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe was classified as "Shows suspicious behavior".
Malicious Activity Summary
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 19:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 19:09
Reported
2025-01-19 19:11
Platform
win7-20240903-en
Max time kernel
26s
Max time network
16s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-M..RESENTATIONSETTINGS_31BF3856AD364E35_6.1.7601.17514_NONE_CB4D60191A09A7B0\PRESENTATIONSETTINGS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..OPERTIESPERFORMANCE_31BF3856AD364E35_6.1.7600.16385_NONE_B6CB9ED71C8B43D5\SYSTEMPROPERTIESPERFORMANCE.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\VBC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-MAGNIFY_31BF3856AD364E35_6.1.7600.16385_NONE_CA22C913B260E66A\MAGNIFY.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-REMOTEASSISTANCE-EXE_31BF3856AD364E35_6.1.7600.16385_NONE_934D08D31B96D4EE\MSRA.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICEPACKCOORDINATOR_31BF3856AD364E35_6.1.7601.17514_NONE_92E727843E307E1B\SPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX-CLR_ILASM_EXE_B03F5F7F11D50A3A_6.1.7601.17514_NONE_8FBF4B0735F59A32\ILASM.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_SECURITY-MALWARE-WINDOWS-DEFENDER_31BF3856AD364E35_6.1.7601.17514_NONE_B5E2B6396ECEA306\MSASCUI.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-COM-DTC-RUNTIME_31BF3856AD364E35_6.1.7600.16385_NONE_7547F48C79B40229\MSDTC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_REGBROWSERS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\WSATCONFIG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-D..ING-MANAGEMENT-CORE_31BF3856AD364E35_6.1.7601.17514_NONE_895A2B74415EA575\DISMHOST.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_64\PRESENTATIONFONTCAC#\0246845F487E5F33D3564EFF578665A3\PRESENTATIONFONTCACHE.NI.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CONTROL_31BF3856AD364E35_6.1.7600.16385_NONE_F560EAE4C42EDB14\CONTROL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-DXP-DEVICEEXPERIENCE_31BF3856AD364E35_6.1.7601.17514_NONE_A54B31331066C8E2\DXPSERVER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-EUDC-SETTINGS_31BF3856AD364E35_6.1.7601.17514_NONE_B84DC938EED78546\EUDCSETTINGS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WMI-SNMP-PROVIDER_31BF3856AD364E35_6.1.7601.17514_NONE_08E183F8DD5F48B7\SMI2SMIR.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\DFSVC\261C09179EAE03D67C9B6F3E70B603BD\DFSVC.NI.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-COM-COMPLUS-UI_31BF3856AD364E35_6.1.7600.16385_NONE_0C9CB55C61E99805\DCOMCNFG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-RASCONNECTIONMANAGER_31BF3856AD364E35_6.1.7601.17514_NONE_BD4644E077251730\CMSTP.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SHAREDACCESS_31BF3856AD364E35_6.1.7600.16385_NONE_60C2504D62FD4F0E\ICSUNATTEND.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MSBUILD_B03F5F7F11D50A3A_6.1.7601.17514_NONE_0DE23DAF595F5711\MSBUILD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX-APPLAUNCH_EXE_B03F5F7F11D50A3A_6.1.7601.17514_NONE_51E5E402131AFC4A\APPLAUNCH.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMSVCHOST.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LEGACYHWUI_31BF3856AD364E35_6.1.7600.16385_NONE_3E69140A61F1EFF5\HDWWIZ.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..LICATIONS-CLIENTSKU_31BF3856AD364E35_6.1.7601.17514_NONE_7D0125C85CC31D2A\RDPSHELL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.7601.17514_NONE_D18028273214FA77\SEARCHFILTERHOST.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\VBC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WAB-APP_31BF3856AD364E35_6.1.7601.17514_NONE_A0CF62EFEE3228A3\WAB.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\APPLAUNCH.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\NOTEPAD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TELNET-SERVER-TLNTSVR_31BF3856AD364E35_6.1.7600.16385_NONE_1AB997FB0A83AFDD\TLNTSVR.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MICROSOFT.WORKFLOW.COMPILER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICEPACKCOORDINATOR_31BF3856AD364E35_6.1.7601.17514_NONE_92E727843E307E1B\SPINSTALL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_NETFX-LDR64_EXE_31BF3856AD364E35_6.1.7600.16385_NONE_F98E4869675AB367\LDR64.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-HTMLAPPLICATION_31BF3856AD364E35_11.2.9600.16428_NONE_3BB1024F1E6BC086\MSHTA.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\ADDINPROCESS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-IELOWUTIL_31BF3856AD364E35_11.2.9600.16428_NONE_E8CD1F348648EBD1\IELOWUTIL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_64\MICROSOFT.W71DAF281#\5ADA68CFA2258A2D4E3C3779106FAF9B\MICROSOFT.WORKFLOW.COMPILER.NI.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\ASPNET_COMPILER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-P..NG-SPOOLER-SPLWOW64_31BF3856AD364E35_6.1.7601.17514_NONE_25D05769A8973724\SPLWOW64.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_64\COMSVCCONFIG\D632B7434F821829827657E23AC98589\COMSVCCONFIG.NI.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-S..OXGAMES-MINESWEEPER_31BF3856AD364E35_6.1.7600.16385_NONE_FE560F0352E04F48\MINESWEEPER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-UTILMAN_31BF3856AD364E35_6.1.7600.16385_NONE_5E9EA1964AEE5579\UTILMAN.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\NARRATOR\0BAE62C3FC6C327ED24989263988173D\NARRATOR.NI.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-CALC_31BF3856AD364E35_6.1.7600.16385_NONE_05B2F2E2346CFEA4\CALC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IE-IEDIAG_31BF3856AD364E35_11.2.9600.16428_NONE_F937400AA65F97CC\IEDIAGCMD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LPKSETUP_31BF3856AD364E35_6.1.7601.17514_NONE_7F7F66788318015D\LPREMOVE.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-NOTEPADWIN_31BF3856AD364E35_6.1.7600.16385_NONE_9EBEBE8614BE1470\NOTEPAD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..ES-COMMANDLINETOOLS_31BF3856AD364E35_6.1.7601.17514_NONE_42D65ED50FA3C682\RESET.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\INSTALLER\{90140000-0011-0000-0000-0000000FF1CE}\OUTICON.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\CASPOL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-DPAPI-KEYS_31BF3856AD364E35_6.1.7600.16385_NONE_D9C7C4A2E721DA7E\DPAPIMIG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-EHOME-EHTRAY_31BF3856AD364E35_6.1.7601.17514_NONE_88FF132E83A8A275\EHTRAY.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-LABEL_31BF3856AD364E35_6.1.7600.16385_NONE_B323FD6EE3F98653\LABEL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-WMI-CORE_31BF3856AD364E35_6.1.7601.17514_NONE_177A088436382A34\WMIADAP.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SMCONFIGINSTALLER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-EHOME-DEVICES-MCXTASK_31BF3856AD364E35_6.1.7600.16385_NONE_B6BC1AAE9D0693C5\MCXTASK.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-EHOME-EHMSAS_31BF3856AD364E35_6.1.7600.16385_NONE_8707C620868FDF75\EHMSAS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-ISOBURN_31BF3856AD364E35_6.1.7601.17514_NONE_4458AC8EAFDACBDD\ISOBURN.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_DIVACX64.INF_31BF3856AD364E35_6.1.7600.16385_NONE_CF37CC4C5BC25DC7\XLOG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-M..OMMANDLINEUTILITIES_31BF3856AD364E35_6.1.7600.16385_NONE_D911DF4E81059B22\DOSKEY.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-PING-UTILITIES_31BF3856AD364E35_6.1.7600.16385_NONE_052696AEA98BCEFC\PING.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe
"C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 19:09
Reported
2025-01-19 19:11
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\JAVA\JAVA UPDATE\JAUREG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\IDENTITY_HELPER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\JAVAWS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\ORBD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\CLIENT\APPVLP.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPCONFIG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-001F-0C0A-1000-0000000FF1CE}\MISC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.DESKTOPAPPINSTALLER_1.0.30251.0_X64__8WEKYB3D8BBWE\APPINSTALLERELEVATEDAPPSERVICECLIENT.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\APPLETVIEWER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\KTAB.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\SMART TAG\SMARTTAGINSTALL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX86\MICROSOFT SHARED\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\OHUB32.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWS.PHOTOS_2019.19071.12548.0_X64__8WEKYB3D8BBWE\MICROSOFT.PHOTOS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSMAPS_5.1906.1972.0_X64__8WEKYB3D8BBWE\MAPS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS MAIL\WABMIG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\WINDOWS NT\ACCESSORIES\WORDPAD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE_BK\1.3.147.37\MICROSOFTEDGEUPDATEBROKER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\JAVA.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\FILECOMPARE.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWS MAIL\WABMIG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.GETHELP_10.1706.13331.0_X64__8WEKYB3D8BBWE\GETHELP.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\PJ11ICON.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.MICROSOFTSOLITAIRECOLLECTION_4.4.8204.0_X64__8WEKYB3D8BBWE\SOLITAIRE.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\DOTNET\DOTNET.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\INTERNET EXPLORER\IELOWUTIL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JCMD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\NATIVE2ASCII.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MISC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVCLEANER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\RMIREGISTRY.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\SDXHELPER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\COMMON.DBCONNECTION64.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPRPH.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\DOTNET\SHARED\MICROSOFT.NETCORE.APP\6.0.27\CREATEDUMP.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JSADEBUGD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\SERIALVER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JRE-1.8\BIN\RMID.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\PDFREFLOW.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\SCHEMAGEN.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\XJC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\OFFICEAPPGUARDWIN32.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.XBOX.TCUI_1.23.28002.0_X64__8WEKYB3D8BBWE\TCUI-APP.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLECRASHHANDLER64.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\92.0.902.67\NOTIFICATION_HELPER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\IDLJ.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\BIN\JAR.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\JAVA\JDK-1.8\JRE\BIN\UNPACK200.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-000F-0000-1000-0000000FF1CE}\VISICON.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\WINDOWS\INSTALLER\{90160000-001F-0409-1000-0000000FF1CE}\MISC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.OFFICE.ONENOTE_16001.12026.20112.0_X64__8WEKYB3D8BBWE\ONENOTESHARE.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WEBPIMAGEEXTENSION_1.0.22753.0_X64__8WEKYB3D8BBWE\CODECPACKS.WEBP.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.WINDOWSSOUNDRECORDER_10.1906.1972.0_X64__8WEKYB3D8BBWE\SOUNDREC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ADDINS\MICROSOFT POWER QUERY FOR EXCEL INTEGRATED\BIN\MICROSOFT.MASHUP.CONTAINER.NETFX45.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\OLICENSEHEARTBEAT.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\UPDATER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.549981C3F5F10_1.1911.21713.0_X64__8WEKYB3D8BBWE\CORTANA.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\COMMON FILES\ADOBE\ARM\1.0\ADOBEARMHELPER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.371\GOOGLEUPDATEBROKER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\NGEN.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.CAPTUREPICKER_CW5N1H2TXYEWY\CAPTUREPICKER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\ASSEMBLY\GAC_MSIL\SMSVCHOST\V4.0_4.0.0.0__B03F5F7F11D50A3A\SMSVCHOST.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\VBC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_STATE.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\MSBUILD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFTWINDOWS.UNDOCKEDDEVKIT_CW5N1H2TXYEWY\UNDOCKEDDEVKIT.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_ADDINPROCESS_B77A5C561934E089_4.0.15805.0_NONE_74BABA51266F3010\ADDINPROCESS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\LOGTRANSPORT2.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\CSC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\WFSERVICESREG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_ASPNET_COMPILER_B03F5F7F11D50A3A_4.0.15805.0_NONE_73CC8B3E43BA1056\ASPNET_COMPILER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ACROTEXTEXTRACTOR.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\CASPOL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\REGSVCS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEMAPPS\WINDOWS.CBSPREVIEW_CW5N1H2TXYEWY\CAMERABARCODESCANNERPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_COMPILER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\MSBUILD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\COMSVCCONFIG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\NOTEPAD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_DATASVCUTIL_B77A5C561934E089_4.0.15805.0_NONE_5B1ADA239E3B0505\DATASVCUTIL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_REGIIS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_REGSQL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\CVTRES.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\VBC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\APPLAUNCH.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\INSTALLUTIL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\NGENTASK.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.PEOPLEEXPERIENCEHOST_CW5N1H2TXYEWY\PEOPLEEXPERIENCEHOST.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\ADDINPROCESS32.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\DFSVC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_ADOBE-FLASH-FOR-WINDOWS_31BF3856AD364E35_10.0.19041.82_NONE_2358A116979CC599\FLASHUTIL_ACTIVEX.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\IEEXEC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\INSTALLUTIL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SPLWOW64.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.SECUREASSESSMENTBROWSER_CW5N1H2TXYEWY\SECUREASSESSMENTBROWSER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MSBUILD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINHLP32.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\ASSEMBLY\GAC_MSIL\WSATCONFIG\3.0.0.0__B03F5F7F11D50A3A\WSATCONFIG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\LDR64.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_ASPNET_REGSQL_B03F5F7F11D50A3A_10.0.19041.1_NONE_C9157DDC38B83B1B\ASPNET_REGSQL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\CSC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFTWINDOWS.CLIENT.CBS_CW5N1H2TXYEWY\INPUTAPP\TEXTINPUTHOST.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DFSVC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\APPLAUNCH.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WINDOWS COMMUNICATION FOUNDATION\WSATCONFIG.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\WINSXS\AMD64_ASPNET_COMPILER_B03F5F7F11D50A3A_10.0.19041.1_NONE_9202844CD514AB44\ASPNET_COMPILER.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\ASSEMBLY\GAC_32\MSBUILD\3.5.0.0__B03F5F7F11D50A3A\MSBUILD.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\DATASVCUTIL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\NGEN.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\SMSVCHOST.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\VBC.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFT.WINDOWS.OOBENETWORKCONNECTIONFLOW_CW5N1H2TXYEWY\OOBENETWORKCONNECTIONFLOW.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ASPNET_REGIIS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SPEECH\COMMON\SAPISVR.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\SYSTEMAPPS\MICROSOFT.ACCOUNTSCONTROL_CW5N1H2TXYEWY\ACCOUNTSCONTROLHOST.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ILASM.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.0\WPF\PRESENTATIONFONTCACHE.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V3.5\DATASVCUTIL.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ACRORD32.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_REGBROWSERS.EXE | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe
"C:\Users\Admin\AppData\Local\Temp\5095c48550af05e9fb4c79a6c89031426e160497c8aafa72cdd8795d542e3530.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
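The rows above are raw sandbox hook events. Two things a responder usually pulls out of them are the set of host executables the sample opened for writing (the mass "File opened for modification" pattern behind the "Drops file in ..." signatures, which is what a file infector produces while it walks the disk) and the addresses hidden inside the PTR names in the Network table. The Python below is an added example, not code from the sandbox or from this report. `SAMPLE_REPORT` is a constructed subset of this page's rows with the sample renamed to `sample.exe`, and the `threshold` value is an assumed tuning knob. Two caveats the code comments repeat: "opened for modification" records an open with write access, not proof the bytes changed, and a reverse lookup shows an address something on the VM asked about, not a connection the sample made; the only traffic actually observed is DNS to 8.8.8.8:53.

```python
from collections import defaultdict

# Constructed sample in the shape of this report's tables: a handful of rows
# copied from the page, with the sample's own file name shortened to sample.exe.
SAMPLE_REPORT = r"""
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\NGEN.EXE | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\WINDOWS\NOTEPAD.EXE | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\VBC.EXE | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\VBC.EXE | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\MOZILLA FIREFOX\UPDATER.EXE | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
"""

# Roots under which a write-open of an .EXE by an unprivileged temp-dir
# process is suspicious (uppercase, as the report prints paths).
SYSTEM_ROOTS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")
PTR_SUFFIX = ".in-addr.arpa"


def table_rows(report):
    """Yield the cells of every '|'-delimited data row, skipping header rows."""
    for line in report.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] in ("Description", "Country"):  # column-header rows
            continue
        yield cells


def exe_write_targets(report):
    """Map each process to the distinct executables it opened for modification
    under a system or Program Files root. The event is an open with write
    access; it does not by itself prove the file contents were changed."""
    targets = defaultdict(set)
    for cells in table_rows(report):
        if len(cells) != 4 or cells[0] != "File opened for modification":
            continue
        path, proc = cells[1].upper(), cells[2]
        if path.endswith(".EXE") and path.startswith(SYSTEM_ROOTS):
            targets[proc].add(path)  # set() dedupes repeated rows
    return dict(targets)


def flag_mass_executable_write(report, threshold=10):
    """Processes that opened at least `threshold` distinct host executables
    for writing (threshold is an assumed tuning value, not from the report)."""
    return {proc: len(paths) for proc, paths in exe_write_targets(report).items()
            if len(paths) >= threshold}


def ptr_to_ip(name):
    """Turn a reverse-DNS name d.c.b.a.in-addr.arpa back into the IPv4 a.b.c.d;
    return None for anything that is not a well-formed IPv4 PTR name."""
    name = name.lower().rstrip(".")
    if not name.endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(lab.isdigit() and int(lab) <= 255 for lab in labels):
        return None
    return ".".join(reversed(labels))


def reverse_looked_up_ips(report):
    """IPv4 addresses that were reverse-resolved, in numeric order. These are
    addresses something on the VM asked about, not connections the sample
    made; the only traffic in the table is the DNS itself (8.8.8.8:53)."""
    ips = set()
    for cells in table_rows(report):
        if len(cells) == 4 and cells[3] in ("udp", "tcp"):
            ip = ptr_to_ip(cells[2])
            if ip:
                ips.add(ip)
    return sorted(ips, key=lambda ip: tuple(int(x) for x in ip.split(".")))


if __name__ == "__main__":
    for proc, n in flag_mass_executable_write(SAMPLE_REPORT, threshold=3).items():
        print(f"{n} distinct host executables opened for write by {proc}")
    print("reverse-resolved IPs:", reverse_looked_up_ips(SAMPLE_REPORT))
```

Run against the full report text rather than the excerpt, the write-target set is the IOC list worth diffing against a clean image (the targets span WinSxS, .NET framework tools, SystemApps and third-party updaters, which is a walk of the disk rather than a handful of chosen files), and the threshold is what turns the per-row signature into a single triage verdict.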