Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
19/12/2022, 10:00
Static task
static1
Behavioral task
behavioral1
Sample
08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe
Resource
win10v2004-20221111-en
General
-
Target
08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe
-
Size
1.1MB
-
MD5
c9234f802b4fb9bcf16237d438fa86e6
-
SHA1
81b2eb0d8d06c0006929a3e0ebdaf6615aca1908
-
SHA256
08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7
-
SHA512
8c018af20bad4de00125fe1cdbeb7b8bb059846b7b67c75d31cd12bb909b7f012517bb7d31641a2d7156cf3a9798cccd14dd542f5e2079bd0d47a29c96102bd3
-
SSDEEP
24576:VM6foBca4H/sQ0NG6LdS9tbtOTxGIraEgsKiZZK3QASvzK6r:jfe/k/su6LatMDcsKKZYSvzKM
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 11 2668 rundll32.exe 12 2668 rundll32.exe 45 2668 rundll32.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeID\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AdobeID.dll" rundll32.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeID\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" rundll32.exe -
Loads dropped DLL 3 IoCs
pid Process 2668 rundll32.exe 4352 svchost.exe 1240 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2668 set thread context of 3748 2668 rundll32.exe 91 -
Drops file in Program Files directory 20 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\application.ini rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.dll rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\init.js rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\FullTrustNotifier.exe rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg rundll32.exe File opened for modification C:\Program Files\7-Zip\7z.exe rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2656 3432 WerFault.exe 80 -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status svchost.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\65A3FCD29309972AA2E993584A547C1B49842F26 rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\65A3FCD29309972AA2E993584A547C1B49842F26\Blob = 03000000010000001400000065a3fcd29309972aa2e993584a547c1b49842f2620000000010000006e0200003082026a308201d3a0030201020208454d26b4610653bc300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f6f65204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230313231393131303232325a170d3234313231383131303232325a305a3122302006035504030c1942616c74696d6f6f65204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100b009c25363d83a3ea9dccae4f2eaf96f1aace69a872f2f8c9b6baa537ff13ddd74f079b9405ad6e9ddd6421fe7e49a0a04e207f155f8437a24caddc6ded2314041ab4152466ca53bc25270c3d047141ff9464c4028ca994b8014d689725026b1b5ccf5e3977b5a9b5f6d0c8cd42ecb6ce667b513484dbd8420ed0d02e05ef94b0203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f6f65204379626572547275737420526f6f74300d06092a864886f70d01010b05000381810040dbd87e9a91bcd996383cb38433de6a75635fb8b89787db3468d424d9cab0e0d85332eb10fab50c51b545cb979d430eab5fe1c3568b736f8953bacd6e8ec930937b8bf09f048b59fd48d8de6cff2260d8421b932f73bc62d8f1c369ab1c8f53af0c44e0bea854d46947066d716453503c9e70e20a576ac729fb9377a4010ea5 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 4352 svchost.exe 4352 svchost.exe 2668 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe 2668 rundll32.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe 4352 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2668 rundll32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3748 rundll32.exe 2668 rundll32.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3432 wrote to memory of 2668 3432 08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe 81 PID 3432 wrote to memory of 2668 3432 08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe 81 PID 3432 wrote to memory of 2668 3432 08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe 81 PID 2668 wrote to memory of 3748 2668 rundll32.exe 91 PID 2668 wrote to memory of 3748 2668 rundll32.exe 91 PID 2668 wrote to memory of 3748 2668 rundll32.exe 91 PID 4352 wrote to memory of 1240 4352 svchost.exe 95 PID 4352 wrote to memory of 1240 4352 svchost.exe 95 PID 4352 wrote to memory of 1240 4352 svchost.exe 95 PID 2668 wrote to memory of 3940 2668 rundll32.exe 97 PID 2668 wrote to memory of 3940 2668 rundll32.exe 97 PID 2668 wrote to memory of 3940 2668 rundll32.exe 97 PID 2668 wrote to memory of 2320 2668 rundll32.exe 99 PID 2668 wrote to memory of 2320 2668 rundll32.exe 99 PID 2668 wrote to memory of 2320 2668 rundll32.exe 99 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe"C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2668 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 239733⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:3940
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:2320
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 5562⤵
- Program crash
PID:2656
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3432 -ip 34321⤵PID:3668
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4548
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobeid.dll",bEUn2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1240
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
726KB
MD5c3af683c9c6920324e495f78c375fc53
SHA1330fb8e030e63b57919e59a2405007ed956a8206
SHA256ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686
SHA512baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b
-
Filesize
726KB
MD5c3af683c9c6920324e495f78c375fc53
SHA1330fb8e030e63b57919e59a2405007ed956a8206
SHA256ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686
SHA512baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize820B
MD5a8664f5906d9060a0a87bc01e35179bb
SHA11bbbc9f10431d2941805907a8a6d4009f4e2938c
SHA256a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309
SHA512389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml
Filesize9KB
MD5996f11041df0526341cebbbd40a98390
SHA137f652515ef8c662840086d743f7f68d327cce52
SHA256bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e
SHA5126cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe.xml
Filesize6KB
MD57e913c1a399dd176eea1bb8f2be26268
SHA16be9a44820ffbabb10202af890da00c9aa2dfec2
SHA2565295393602a18f301613c7160e24f88816070a41cf69b32c821b6d3858541b4a
SHA512dc52de8489f586081c246a297a35987eb7f74e122f475df88cfdc683787fe532e609db3b43915c73f7f172e1a4fc13efacd1b52252d1041e5c8f4dd190009105
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml
Filesize3KB
MD51a3168a15983b890b16390a23a89a02e
SHA1d56ce16d88d79159a27c2d1cd3770dc56d897ebe
SHA256334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946
SHA512f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668
-
Filesize
2.3MB
MD5b3422857a7d7e642950c80522bb39ba3
SHA1316de4d290078b0aec174a6a161c1dac654bcd01
SHA2565fa7cac49ed9e36fc87f8ccd4cf164bb8e2487c348374a267544a1e01dd1b509
SHA512941ec15dd866f1125181cf57d4a00337e078f3172689b996584fe103647b006953fab2059ce2c7ce8cfbf3bd4991db8a4ce7a57c5ba125347ce6209595786cb8
-
Filesize
2.3MB
MD5b63af1a19730beb752f7eb64812f9e9e
SHA16613300d11a6532284715d4d42bf954fa2f4f467
SHA2566b0ef8c1101b0a4db4019bd38c191c645efbf2a3306c4474e202a6642d1ff7b5
SHA51296c1db795e860e1919c31d22d74c255279b8fc85a25f187c13562267203ee889309b839880a34d28bf1e7fd16e0d2f52ccf59d0e5beca57b487ce31dd370b749
-
Filesize
31B
MD54870433b19757ef8721b38acf2baa272
SHA1d9def40343d41a6a80e936fc12db58ebb3e3fdb8
SHA256cf39cf82fe54738a64f566a0f947ddabf90b7af56a899596fb34dca2a67ddfbc
SHA51279c72e2c4d8a8538879f11c09877f78ea363ee28f70da66cae50a3372e600a1939372945dc4542a5ee649c18adb5e7d1129fc97635d48c165737193f8b682550
-
Filesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
Filesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
Filesize
726KB
MD5c3af683c9c6920324e495f78c375fc53
SHA1330fb8e030e63b57919e59a2405007ed956a8206
SHA256ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686
SHA512baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b