Analysis Overview
SHA256
f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d
Threat Level: Shows suspicious behavior
The file f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:58
Reported
2024-04-07 19:01
Platform
win7-20240221-en
Max time kernel
140s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\msjter40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msrd3x40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\rdvgumd32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\d3d8.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\FM20.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc100.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\mstext40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr110.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcomp140.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\regedit.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msltus40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\mspbde40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr120_clr0400.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msxbde40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\FXSXP32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc100u.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\VBAME.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\ir32_32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msrd2x40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\sqlunirl.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\InstallShield\_isdel.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\migration\MediaPlayer-DLMigPlugin.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msexch40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msrepl40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr100.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\explorer.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc120.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\mfc40u.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\dplaysvr.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\iac25_32.ax | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\odbcjt32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\setupSNK.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\audiodev.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\d3dim700.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\dpwsockx.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\ir50_32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc110u.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msjet40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\expsrv.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\InstallShield\setup.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\dplayx.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msorcl32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\mswstr10.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msexcl40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\vccorlib120.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\atl100.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\atl110.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\crtdll.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\d3dim.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\d3dxof.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc110.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\dmscript.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\ir41_32.ax | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\SysWOW64\msjtes40.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EMABLT32.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOCFU.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\INLAUNCH.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MAPISHELL.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NAME.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPCORE.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OLKFSTUB.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DESKSAM.SAM | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CORE.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MAPIPH.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GKExcel.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLMIME.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPSRVUTL.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GKWord.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordcnv.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XPAGE3C.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ACT3.SAM | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\MSOSV.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\AUTHZAX.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MCPS.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDCAT.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ogalegit.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ODBC.SAM | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MLSHEXT.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ANALYS32.XLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\Synchronization.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17932_none_d088def7226177d5\acwow64.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_6.1.7600.16385_none_d2fff1dae966863c\csc.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-mulanttsvoicecommon_31bf3856ad364e35_6.1.7600.16385_none_48330de9affd2c5d\MSTTSEngine.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.22091_none_d0d0722c3bb0dc09\acwow64.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e_user32.dll_55f4ed20 | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_21ceb2d66a98ec2f\mofcomp.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-msmpeg2vdec_31bf3856ad364e35_6.1.7600.16385_none_90cd9ae919559d36\msmpeg2vdec.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-diskmanagement_31bf3856ad364e35_6.1.7600.16385_none_016e0bdad110d4d1\dmdlgs.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-timedate_31bf3856ad364e35_6.1.7601.17514_none_91b39661220c0b0a\timedate.cpl | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_netfx-tlbref_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_3598d90610375bf9\TLBREF.DLL | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.7601.17514_none_190fa02cb006154d\msfeedsbs.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_6.1.7601.17514_none_85ac7bd736dda285\UserAccountControlSettings.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_51ca66a2bbe76806\ATL90.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_193318f5726bf1d7\csc.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.1.7601.17514_none_5d772bc73c15dfe5_crypt32.dll_9c3ccf73 | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-processmodel_31bf3856ad364e35_6.1.7601.17514_none_1f3c3defefc3a10e\w3wp.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-help-datalayer_31bf3856ad364e35_6.1.7600.16385_none_c490fde17faa7eaa\apds.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d\auditpol.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-n..protection-statusui_31bf3856ad364e35_6.1.7600.16385_none_3d715a438950ce7b\NAPSTAT.EXE | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13_wininit.exe_7a527f28 | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_54e0b44114fa502d\aclui.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-g..ppolicy-policymaker_31bf3856ad364e35_6.1.7601.17514_none_39509edea73e0ced\gpprefcl.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..cursor-library-ansi_31bf3856ad364e35_6.1.7600.16385_none_4e209b19020866d5\odbccr32.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.1.7600.16385_none_5f9d65eb12980e45\rsaenh.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-n..tion_service_iasnap_31bf3856ad364e35_6.1.7600.16385_none_795116adb6780e59\iasnap.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-terminalservices-theme_31bf3856ad364e35_6.1.7600.16385_none_d5bc65ffdc22ec35\TSTheme.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_1c0dbd69636d746a\ieUnatt.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_0dfae70253a9fb02\authui.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-d..japanese-propertyui_31bf3856ad364e35_6.1.7600.16385_none_929776facb7f4f74\imjputyc.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\NlbMigPlugin.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_gac_x86 | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_abd5b433b8ccf7a4\cmiv2.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-n..ion_service_iassvcs_31bf3856ad364e35_6.1.7600.16385_none_e252e7f7210f96c7\iassvcs.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf_hdwwiz.exe_b6a1c2df | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.1.7601.17514_none_a2fcd94e8fba36f5\secproc.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-t..-collaboration-core_31bf3856ad364e35_6.1.7601.17514_none_bd166048546cd135\rdpcore.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhsetup.dll_37c1de59 | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.17514_none_c519dbeb6e585715\winhttp.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\wextract.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\ModemMigPlugin.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_9809be824da2c173\vbc.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-wordpad_31bf3856ad364e35_6.1.7601.17514_none_963528f4b7e5d0fd\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\iexpress.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\FileTracker.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.17514_none_f0e8f05be1d66e78\msxml3.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-p..randprintui-prnfldr_31bf3856ad364e35_6.1.7601.17514_none_de1f63755188e0a2\prnfldr.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-t..rvices-rdp-direct3d_31bf3856ad364e35_6.1.7601.17514_none_71ee5bc2f11cb563\rdpd3d.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_X86.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.1.7601.17514_none_8a90facfa04322fd\schannel.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..ponents-mdac-sqlwoa_31bf3856ad364e35_6.1.7600.16385_none_19575e8bcec889b5\sqlwoa.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86 | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e_scecli.dll_149e0f7b | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\MediaPlayer-DLMigPlugin.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_160ccc8a92fae520\winrscmd.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_6632670482fa3493\netlogon.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..ponents-mdac-msdart_31bf3856ad364e35_6.1.7600.16385_none_e5e8afbb6cf66487\msdart.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_system.data.oracleclient_b77a5c561934e089_6.1.7601.17514_none_c79237cc99cb8865\System.Data.OracleClient.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\OEMHelpIns.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-t..framework-migration_31bf3856ad364e35_6.1.7600.16385_none_f0c791fc196de3b5\msctfmig.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_e460d9f113bbd54e\webcheck.dll | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_6.1.7601.17514_none_0d44b8d3df1c79a9\imjpuexc.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_9b1d78a9ee870c74\dfrgui.exe | C:\Users\Admin\AppData\Local\Temp\2913.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1
C:\Users\Admin\AppData\Local\Temp\2913.tmp
C:\Users\Admin\AppData\Local\Temp\2913.tmp
Network
Files
memory/2488-0-0x0000000000530000-0x00000000005F3000-memory.dmp
memory/2488-1-0x0000000000530000-0x00000000005F3000-memory.dmp
\Users\Admin\AppData\Local\Temp\2913.tmp
| Hash | Value |
|---|---|
| MD5 | c610e7ccd6859872c585b2a85d7dc992 |
| SHA1 | 362b3d4b72e3add687c209c79b500b7c6a246d46 |
| SHA256 | 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041 |
| SHA512 | 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:58
Reported
2024-04-07 19:01
Platform
win10v2004-20240226-en
Max time kernel
157s
Max time network
171s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll | C:\Users\Admin\AppData\Local\Temp\856C.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1220 wrote to memory of 4724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1220 wrote to memory of 4724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1220 wrote to memory of 4724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4724 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp |
| PID 4724 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp |
| PID 4724 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\856C.tmp |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1
C:\Users\Admin\AppData\Local\Temp\856C.tmp
C:\Users\Admin\AppData\Local\Temp\856C.tmp
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
memory/4724-0-0x0000000002750000-0x0000000002813000-memory.dmp
memory/4724-1-0x0000000002750000-0x0000000002813000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\856C.tmp
| MD5 | c610e7ccd6859872c585b2a85d7dc992 |
| SHA1 | 362b3d4b72e3add687c209c79b500b7c6a246d46 |
| SHA256 | 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041 |
| SHA512 | 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666 |