ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe
Size

1.5MB
MD5

ff1f2341ec95807f992ff1830c5040ad
SHA1

f649baedba935a42165602e91b78740834b73cd9
SHA256

ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194
SHA512

b98dd3eb32a5dbd2966765ce7a1ff8acca2ad53ce77812c084415372bcc18091a67f3489941509687417f26a7f7a7592d2d1eca4b1514a5dc12024ffd046ed8a
SSDEEP

24576:dbLR/JSAX7LguMMjrmo9GJS5m9X56dOA/85RkV4l7/ZS4hu3ZRiurQLU0:U4WSGJ/9X0OAUfkVy7/ZS4hubiur

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1736	84FF.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api	84FF.tmp
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	jp2launcher.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	jp2launcher.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll	84FF.tmp
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	jp2launcher.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	84FF.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL	84FF.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	84FF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll	84FF.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	84FF.tmp
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	jp2launcher.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ONNXRuntime-0.5.X.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	84FF.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_43.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	84FF.tmp
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	jp2launcher.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL	84FF.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll	84FF.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	84FF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\MicrosoftEdgeUpdateCore.exe	84FF.tmp
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	jp2launcher.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\concrt140.dll_x86	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Accessibility.api_NON_OPT	84FF.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ReadOutLoud.api	84FF.tmp
File created	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Bib.dll_NON_OPT	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroForm.api__NON_OPT	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDF.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AGM.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvDX9.x3d	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Search.api	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearm.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\WindowsMedia.mpp	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrocef.exe.15EE1C08_ED51_465D_B6F3_FB152B1CC435	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll_Apollo	84FF.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDFImpl.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EScript.api	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SendMail.api	84FF.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SaveAsRTF.api_NON_OPT	84FF.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Annots.api	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\sqlite.dll	84FF.tmp
File created	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearmhelper.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\MCIMPP.mpp	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rt3d.dll	84FF.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logsession.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QuickTime.mpp	84FF.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico	84FF.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico	84FF.tmp
File created	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Flash.mpp	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Multimedia.api_NON_OPT	84FF.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Ace.dll_NON_OPT	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adoberfp.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\libcef.dll.15EE1C08_ED51_465D_B6F3_FB152B1CC435	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PPKLite.api	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvSOFT.x3d	84FF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe	84FF.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	jp2launcher.exe
4836	jp2launcher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe
352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe
352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4836	jp2launcher.exe
352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe
352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 1736	352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe	86
PID 352 wrote to memory of 1736	352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe	86
PID 352 wrote to memory of 1736	352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe	86
PID 352 wrote to memory of 4920	352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe	87
PID 352 wrote to memory of 4920	352	ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe	87
PID 4920 wrote to memory of 4836	4920	javaws.exe	89
PID 4920 wrote to memory of 4836	4920	javaws.exe	89

C:\Users\Admin\AppData\Local\Temp\ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe
"C:\Users\Admin\AppData\Local\Temp\ada1089ec7496a6d1b9ee387b04cfa285b83857d19d76e5b91f634c63f157194.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:352
- C:\Users\Admin\AppData\Local\Temp\84FF.tmp
  C:\Users\Admin\AppData\Local\Temp\84FF.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1736
- C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW5camF2YXcuZXhlAC1Eam5scHgudm1hcmdzPUxVUnFaR3N1WkdsellXSnNaVXhoYzNSVmMyRm5aVlJ5WVdOcmFXNW5QWFJ5ZFdVQQ== -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
3eaf655600524fa2905ef0a2f65149dc

SHA1
7b902a4f88b011535f76d47d096f935c788b8120

SHA256
5a1b0bacebadd89164c237499f4d1558d025fb28c7c6ff368753e2c1220ff4f3

SHA512
cf2a6b0f2db19fb1c2cd45ce8d79d74d0432e5b3fde3b86e7186a4d144eac633f8b4431132bb5f8474d4f86c51ff14c9be458ecff11dec00ab023143e694c8c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
85b2dece0b7b6f14e5dc46f797bb8310

SHA1
fe764e1b847d172a3d9e75473b9badd6422cac4e

SHA256
75825549417798a64ad66b6e7da78901589ae72116b3075dcc34b45ea68dadc9

SHA512
5baffb937e6d24f5782f827fa1d55af1b01fb5ba6819c7601109f677edd26e3f2807acad54a90f191c12369fab81445e560de6bfb18d3cfb8a090ef1380e0383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
e607520d21ad069d131593a63cf98ef9

SHA1
565f6f61e914673e1516d68b5c3b2c572f2b197a

SHA256
6f047a0d73273f4fd8b5e1ad12fd9a1b3a728b800e6b7a738cdd125019b565b2

SHA512
21eb0c7a97c20305ffbb9a5e195b76f0a66859029f549480d0d31121a580fd676d817a3a7dd8c9f65e35b5f5980a04134e28f9faede410240c8cd3342736c734

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
698B

MD5
f4a015d18c2dbf2bfcb01c781b744e84

SHA1
00257b7fcaec12df09a9138298f6ae396bdcdb3a

SHA256
351242407c53c9f452b7fcffd4f1fa008f5f04920b7dbeb65603a1118a2b8551

SHA512
1e4ab62996fd332489d4445689351b97470a8790c620a5070e6b48a9461393106923947b0981649b387e29f93fb7f21fbfbfb5b49af97188c786ca3e9bd030cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
698B

MD5
f4a015d18c2dbf2bfcb01c781b744e84

SHA1
00257b7fcaec12df09a9138298f6ae396bdcdb3a

SHA256
351242407c53c9f452b7fcffd4f1fa008f5f04920b7dbeb65603a1118a2b8551

SHA512
1e4ab62996fd332489d4445689351b97470a8790c620a5070e6b48a9461393106923947b0981649b387e29f93fb7f21fbfbfb5b49af97188c786ca3e9bd030cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1QD0OQIU\l10n[1]

Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1QD0OQIU\masthead_left[1]

Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2DXCP35H\common[1]

Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2DXCP35H\host[1]

Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\auwelcome[1]

Filesize
3KB

MD5
b7cda1f5ab4cd32381f522d8680897f9

SHA1
e20623be30c92f0c483520c589fa9d617d7a0fea

SHA256
f264387739979a9e8683682ced5b539211b051f3d8d6b3b5fa6912efbb8591a4

SHA512
e71fe1d527d9306322db91ac600d83c59e9e8fedefb9a43d474c31bf5eb11ab440d8e47f74af0aa416f35311144fb9412af2be91140af962576da6c39dcf9918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\layout[1]

Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\masthead_fill[1]

Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EGWOM5I1\auwelcome_en[1]

Filesize
975B

MD5
89f6511366c1bcfee77d354fa17e6f75

SHA1
231e2ec9ca5873bdd3e2ff94947fe6342ff046e0

SHA256
d84f6975371b7b3f8b17e14a1eaf161d29504788355859e9513ae39c3cd8188e

SHA512
5bdc1414acc16d5f1d4d1f93d81d546740aa98143efcd9613eb0d53f9253bde65dc4d9ee20499a67c30a6f21bdc7165f006bbf2cf436a52967cd78262148f0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EGWOM5I1\rtutils[1]

Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EGWOM5I1\runtime[1]

Filesize
42KB

MD5
6c5474ad99d878e6b1cd24637489365c

SHA1
1737d292e967fe7827f77784733a570979c3243d

SHA256
b5136042c9eff11637305b4d81302c847c48850bbbca3c2c8ede3fe33467ea58

SHA512
0164a8105bbb23c8384d3547b38bab31e0f754eb1acd2d15a50702b279282cdbd4ebbf79b7d5e2e0073fcb24f24a29dfd2ec88da85c674a176ec69ae8cf156d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\84FF.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\84FF.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\au-descriptor-1.8.0_381-b09.xml

Filesize
6KB

MD5
bbc63cd248c5cb385a502cbbe9106fac

SHA1
2fff4bb372ee34489cc376ee060cd43341d5c6f5

SHA256
152f94d05078094ffb65e55d4d32992c2e30208c8e43f46cc5b56ae44f921216

SHA512
e70bd01b49bc78518fd1dad447780236549db5d41b0a9fc9314d6828989db91288da1ecc9bc00ff86b8bfea69fc85e72a5b3aab06f9c02d1335fa91ed504940c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hs_err_pid4836.log

Filesize
22KB

MD5
78cbb200d626e2ca9f76f12c446f209a

SHA1
05cf5b6c1efeac4697965ba71db1675989dac09c

SHA256
8da43f36cfeafd188a1249fbebc7cc379bcf7cca84d3c91fd9ad7a23f9b656bd

SHA512
a8c8773b90901bc97cddbb03c4f93c90aa240827791c23b0e80d496216fa88aad271614ea74b2c6e71356b2d37836a4468abb495206563d98e6c4a057cfb96a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
a8496b22f53c9383730b5b694d84ae74

SHA1
c48b5482345a674d9606e2f803c6e3a4219c8021

SHA256
a12fca1d937241b8803588c070a4fc3f2f7002fd2ecdb8c7208cd74b468850e5

SHA512
da34b55343bbea7ea94a99dbef975fabaaf7915993c994ad933a0fccf46a7bd56d50083fbac220116f83d5e1fa2dbd743d64b3ef3e1b63bc54403bc26544197f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
318KB

MD5
3e177cb859fb1d814916a96e3d5e1570

SHA1
98ddba91392fe2574480d0281f73c08042de37f6

SHA256
fcd17d78546e05ba6ae8543bd37a6d936c873012d631b53ebb8b2b8717ce81f2

SHA512
cadfc1f519e67a70e53c18f5213d5c2e9146112aa43055475e4099a0282838b955fbd4c8df921fb839a2af60671e5bdf0112c3b0c0bd515de237dd174149e4ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1045988481-1457812719-2617974652-1000\83aa4cc77f591dfc2374580bbd95f6ba_94bad847-4cfc-4a9a-8a1e-b2d1273cb668

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/352-0-0x0000000002300000-0x0000000002350000-memory.dmp

Filesize
320KB

Download
memory/352-1-0x0000000002300000-0x0000000002350000-memory.dmp

Filesize
320KB

Download
memory/4836-299-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/4836-336-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/4836-337-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4836-334-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4836-335-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4836-330-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/4836-332-0x0000000004F00000-0x0000000005F00000-memory.dmp

Filesize
16.0MB

Download
memory/4836-333-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/4836-331-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4836-329-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4836-328-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4836-327-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4836-326-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4836-324-0x0000000004F00000-0x0000000005F00000-memory.dmp

Filesize
16.0MB

Download
memory/4836-311-0x0000000004F00000-0x0000000005F00000-memory.dmp

Filesize
16.0MB

Download
memory/4836-294-0x0000000004F00000-0x0000000005F00000-memory.dmp

Filesize
16.0MB

Download
memory/4836-281-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/4836-255-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/4836-46-0x0000000004F00000-0x0000000005F00000-memory.dmp

Filesize
16.0MB

Download