Malware Analysis Report

2024-11-30 02:36

Sample ID 240407-xmsnqaca25
Target f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d
SHA256 f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d

Threat Level: Shows suspicious behavior

The file f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:58

Reported

2024-04-07 19:01

Platform

win7-20240221-en

Max time kernel

140s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msjter40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msrd3x40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\rdvgumd32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\d3d8.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\FM20.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\mfc100.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\mstext40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\msvcr110.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\vcomp140.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\mfc140.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msltus40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\mspbde40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\msvcr120_clr0400.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msxbde40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\FXSXP32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\mfc100u.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\VBAME.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\ir32_32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msrd2x40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\sqlunirl.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\InstallShield\_isdel.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\migration\MediaPlayer-DLMigPlugin.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msexch40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msrepl40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\msvcr100.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\mfc120.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\mfc40u.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\dplaysvr.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\iac25_32.ax C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\odbcjt32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\setupSNK.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\audiodev.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\d3dim700.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\dpwsockx.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\ir50_32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\mfc110u.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msjet40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\expsrv.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\InstallShield\setup.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\dplayx.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msorcl32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\mswstr10.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msexcl40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\vccorlib120.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\atl100.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\atl110.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\crtdll.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\d3dim.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\d3dxof.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\SysWOW64\mfc110.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\dmscript.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\ir41_32.ax C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\SysWOW64\msjtes40.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EMABLT32.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOCFU.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INLAUNCH.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MAPISHELL.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NAME.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPCORE.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OLKFSTUB.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DESKSAM.SAM C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CORE.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MAPIPH.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GKExcel.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLMIME.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPSRVUTL.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GKWord.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordcnv.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XPAGE3C.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ACT3.SAM C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\MSOSV.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AUTHZAX.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MCPS.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDCAT.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ogalegit.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ODBC.SAM C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MLSHEXT.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ANALYS32.XLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\Synchronization.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17932_none_d088def7226177d5\acwow64.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_6.1.7600.16385_none_d2fff1dae966863c\csc.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-mulanttsvoicecommon_31bf3856ad364e35_6.1.7600.16385_none_48330de9affd2c5d\MSTTSEngine.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.22091_none_d0d0722c3bb0dc09\acwow64.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e_user32.dll_55f4ed20 C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_21ceb2d66a98ec2f\mofcomp.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-msmpeg2vdec_31bf3856ad364e35_6.1.7600.16385_none_90cd9ae919559d36\msmpeg2vdec.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-diskmanagement_31bf3856ad364e35_6.1.7600.16385_none_016e0bdad110d4d1\dmdlgs.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-timedate_31bf3856ad364e35_6.1.7601.17514_none_91b39661220c0b0a\timedate.cpl C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_netfx-tlbref_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_3598d90610375bf9\TLBREF.DLL C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.7601.17514_none_190fa02cb006154d\msfeedsbs.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_6.1.7601.17514_none_85ac7bd736dda285\UserAccountControlSettings.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_51ca66a2bbe76806\ATL90.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_193318f5726bf1d7\csc.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.1.7601.17514_none_5d772bc73c15dfe5_crypt32.dll_9c3ccf73 C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-processmodel_31bf3856ad364e35_6.1.7601.17514_none_1f3c3defefc3a10e\w3wp.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-help-datalayer_31bf3856ad364e35_6.1.7600.16385_none_c490fde17faa7eaa\apds.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d\auditpol.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-n..protection-statusui_31bf3856ad364e35_6.1.7600.16385_none_3d715a438950ce7b\NAPSTAT.EXE C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13_wininit.exe_7a527f28 C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_54e0b44114fa502d\aclui.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..ppolicy-policymaker_31bf3856ad364e35_6.1.7601.17514_none_39509edea73e0ced\gpprefcl.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..cursor-library-ansi_31bf3856ad364e35_6.1.7600.16385_none_4e209b19020866d5\odbccr32.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.1.7600.16385_none_5f9d65eb12980e45\rsaenh.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-n..tion_service_iasnap_31bf3856ad364e35_6.1.7600.16385_none_795116adb6780e59\iasnap.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-terminalservices-theme_31bf3856ad364e35_6.1.7600.16385_none_d5bc65ffdc22ec35\TSTheme.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_1c0dbd69636d746a\ieUnatt.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_0dfae70253a9fb02\authui.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..japanese-propertyui_31bf3856ad364e35_6.1.7600.16385_none_929776facb7f4f74\imjputyc.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\NlbMigPlugin.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_gac_x86 C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_abd5b433b8ccf7a4\cmiv2.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-n..ion_service_iassvcs_31bf3856ad364e35_6.1.7600.16385_none_e252e7f7210f96c7\iassvcs.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf_hdwwiz.exe_b6a1c2df C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.1.7601.17514_none_a2fcd94e8fba36f5\secproc.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-t..-collaboration-core_31bf3856ad364e35_6.1.7601.17514_none_bd166048546cd135\rdpcore.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhsetup.dll_37c1de59 C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.17514_none_c519dbeb6e585715\winhttp.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\wextract.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\ModemMigPlugin.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_9809be824da2c173\vbc.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-wordpad_31bf3856ad364e35_6.1.7601.17514_none_963528f4b7e5d0fd\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\iexpress.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\FileTracker.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.17514_none_f0e8f05be1d66e78\msxml3.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-p..randprintui-prnfldr_31bf3856ad364e35_6.1.7601.17514_none_de1f63755188e0a2\prnfldr.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-t..rvices-rdp-direct3d_31bf3856ad364e35_6.1.7601.17514_none_71ee5bc2f11cb563\rdpd3d.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_X86.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.1.7601.17514_none_8a90facfa04322fd\schannel.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..ponents-mdac-sqlwoa_31bf3856ad364e35_6.1.7600.16385_none_19575e8bcec889b5\sqlwoa.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86 C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e_scecli.dll_149e0f7b C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\MediaPlayer-DLMigPlugin.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_160ccc8a92fae520\winrscmd.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_6632670482fa3493\netlogon.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..ponents-mdac-msdart_31bf3856ad364e35_6.1.7600.16385_none_e5e8afbb6cf66487\msdart.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_system.data.oracleclient_b77a5c561934e089_6.1.7601.17514_none_c79237cc99cb8865\System.Data.OracleClient.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\OEMHelpIns.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-t..framework-migration_31bf3856ad364e35_6.1.7600.16385_none_f0c791fc196de3b5\msctfmig.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_e460d9f113bbd54e\webcheck.dll C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_6.1.7601.17514_none_0d44b8d3df1c79a9\imjpuexc.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A
File created C:\Windows\winsxs\x86_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_9b1d78a9ee870c74\dfrgui.exe C:\Users\Admin\AppData\Local\Temp\2913.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1

C:\Users\Admin\AppData\Local\Temp\2913.tmp

C:\Users\Admin\AppData\Local\Temp\2913.tmp

Network

N/A

Files

memory/2488-0-0x0000000000530000-0x00000000005F3000-memory.dmp

memory/2488-1-0x0000000000530000-0x00000000005F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\2913.tmp

MD5 c610e7ccd6859872c585b2a85d7dc992
SHA1 362b3d4b72e3add687c209c79b500b7c6a246d46
SHA256 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041
SHA512 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:58

Reported

2024-04-07 19:01

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

171s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll C:\Users\Admin\AppData\Local\Temp\856C.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f854eae566632d08bac772d181deb89fdfe786026f10aa4e905a7053b925589d.dll,#1

C:\Users\Admin\AppData\Local\Temp\856C.tmp

C:\Users\Admin\AppData\Local\Temp\856C.tmp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 13.107.246.64:443 N/A tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

memory/4724-0-0x0000000002750000-0x0000000002813000-memory.dmp

memory/4724-1-0x0000000002750000-0x0000000002813000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\856C.tmp

MD5 c610e7ccd6859872c585b2a85d7dc992
SHA1 362b3d4b72e3add687c209c79b500b7c6a246d46
SHA256 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041
SHA512 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666