02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
Size

653KB
MD5

1b6aa7da8e5647dbcbf79272726879e1
SHA1

4b041b8e2f0ebfe5c8761edea03c7945b12e4bee
SHA256

02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b
SHA512

4895cde54a735910fc045e729d948acec9a8a3ae6f5591ce37d74d9e62ae785b63d4961d731bb8fd0c4bfe753dece1e1f583000496c8c17ad189040a3bf73e28
SSDEEP

12288:Lu3hilMMG0yucvwOLrXLKfTeSdZ5KrAziuRuWxnFW9E71KGQvLQ0R0JwcMBM5jnG:q3hilMMRz2rCTLdCrUuCnFr71KGQzew1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	1DDD.tmp

Loads dropped DLL 2 IoCs

pid	Process
1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\odbcjt32.dll	1DDD.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll	1DDD.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\dplayx.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\mfc40.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\setupSNK.exe	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\dmscript.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msrd2x40.dll	1DDD.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\ivfsrc.ax	1DDD.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\d3dim700.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	1DDD.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll	1DDD.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\migration\MediaPlayer-DLMigPlugin.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	1DDD.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atidxx32.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	1DDD.tmp
File created	C:\Windows\SysWOW64\dplaysvr.exe	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msjter40.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\VBAME.DLL	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\regedit.exe	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\FM20.DLL	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\mstext40.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\mswdat10.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\rdvgumd32.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\ir32_32.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msltus40.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\dpwsockx.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\msexcl40.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	1DDD.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll	1DDD.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\audiodev.dll	1DDD.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	1DDD.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CORE.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONTAB32.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DESKSAM.SAM	1DDD.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrwbin.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPCORE.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XPAGE3C.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL	1DDD.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\USP10.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST64.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INTLDATE.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TaxonomyControl.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACER3X.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnv.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\MSMAPI32.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7tk.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL	1DDD.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OISAPP.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONPPTAddin.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	1DDD.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPDESIGN.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAME.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\TRANSMGR.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLPH.DLL	1DDD.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PTXT9.DLL	1DDD.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-uxtheme_31bf3856ad364e35_6.1.7600.16385_none_0c2e36cd54a163b4_uxtheme.dll_9f6cda06	1DDD.tmp
File created	C:\Windows\winsxs\x86_netfx-aspnet_wp_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_994532c948ec8e69\aspnet_wp.exe	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.7601.17514_none_b296f701dc00c582\ieUnatt.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-directx-warp10_31bf3856ad364e35_6.1.7601.17514_none_ec6b0dcfb4ee778c\d3d10warp.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ponents-mdac-sqlxml_31bf3856ad364e35_6.1.7600.16385_none_19499373ced38ce3\sqlxmlx.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_f71e39745cb0f950\RMActivate_ssp_isv.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16385_none_ca66ddfc9862f744\rtscom.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wlanconnectionflow_31bf3856ad364e35_6.1.7600.16385_none_8a0b2bb6c9253b6f\WLanConn.dll	1DDD.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7601.17514_none_b0d4b31078e74f85\vbscript.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-security-kerberos_31bf3856ad364e35_6.1.7601.17514_none_4f518cecfbcddc34\kerberos.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-i..nternetcontrolpanel_31bf3856ad364e35_8.0.7601.17514_none_abfb5733271ca1ff\inetcpl.cpl	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..mponents-jetintlerr_31bf3856ad364e35_6.1.7600.16385_none_0f472a3521bdcfd4\mswdat10.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16385_none_ca66ddfc9862f744\journal.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ywmdmshellextension_31bf3856ad364e35_6.1.7601.17514_none_8ff5b6498cc24750\audiodev.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wmvsencd_31bf3856ad364e35_6.1.7600.16385_none_66500403061ec016\WMVSENCD.DLL	1DDD.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf_hdwwiz.exe_b6a1c2df	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_a1aca7966cf36de2\isatq.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.17514_none_f0e8ac03e1d6bb5b\msxml6.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-com-legacyole-olecli32_31bf3856ad364e35_6.1.7600.16385_none_673f800d98f1faf8\olecli32.dll	1DDD.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80_gdiplus.dll_423f7010	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ig-registrar-wizard_31bf3856ad364e35_6.1.7600.16385_none_3d090e2060b5b3fc\wcnwiz.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_c79aef32ab85d92b\cmcfg32.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-directx-direct3d_31bf3856ad364e35_6.1.7600.16385_none_eb246466b6cc92e7\d3dim700.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-devtools_31bf3856ad364e35_8.0.7601.17514_none_5866bdf3151a6faf\iedvtool.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-msmq-installer_31bf3856ad364e35_6.1.7601.17514_none_7d190f1e5e76acbc\mqmigplugin.dll	1DDD.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui_31bf3856ad364e35_6.1.7600.16385_none_5ca7e61c63366a5f_wmpdui.dll_ed891d84	1DDD.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.7601.17514_none_83801b5eed6392d9_gdiplus.dll_423f7010	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5ab\cmd.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\tracerpt.exe	1DDD.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.dll_7eb7622f	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-processmodel_31bf3856ad364e35_6.1.7601.17514_none_1f3c3defefc3a10e\w3wp.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-help-storagelayer_31bf3856ad364e35_6.1.7600.16385_none_de737c19662130e7\apss.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\BitLockerToGo.exe	1DDD.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_x86.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.1.7601.17514_none_39a9406d8100038f\iasrecst.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-opengl_31bf3856ad364e35_6.1.7600.16385_none_0e9b4c35eabb42b2\opengl32.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-riched32_31bf3856ad364e35_6.1.7601.17514_none_9f081dc1e0ddbddb\riched20.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_netfx-csharp_compiler_cscomp_b03f5f7f11d50a3a_6.1.7601.17514_none_fdc97e3a8e85f7b2\cscomp.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-storprop_31bf3856ad364e35_6.1.7600.16385_none_8c9c50707efb7dff\Storprop.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-duser_31bf3856ad364e35_6.1.7600.16385_none_5a4b046c5dce176a\duser.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..c-oracle-driver-dll_31bf3856ad364e35_6.1.7601.17514_none_6b16a37ea1353bb1\msorcl32.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-msmpeg2vdec_31bf3856ad364e35_7.1.7601.16492_none_8416bfe4a16d5fb1\msmpeg2vdec.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_5db4abb552efa414\ncrypt.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-p..randprintui-asyncui_31bf3856ad364e35_6.1.7600.16385_none_7bb7a83f5379babe\prnntfy.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-rasgetconnectedwizard_31bf3856ad364e35_6.1.7600.16385_none_39ea34b42d8bab89\rasgcw.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-datacontrol_31bf3856ad364e35_11.2.9600.16428_none_00b2e64ae9989845\tdc.ocx	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_1c0dbd69636d746a\ieUnatt.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_720e868d9b0b6a44\Faultrep.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-indeo5-codecs_31bf3856ad364e35_6.1.7600.16385_none_24d6d974d24f7d95\iac25_32.ax	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-i..-setieinstalleddate_31bf3856ad364e35_11.2.9600.16428_none_8eaf79351dba1b94\SetIEInstalledDate.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_247621f7aa7542ff\ImagingDevices.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_e6fcbd244bb7bf74\openfiles.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ion-twaincomponents_31bf3856ad364e35_6.1.7601.17514_none_8b399e33ba72bed9\twain_32.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16385_none_ca66ddfc9862f744\InkEd.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\inetmgr.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-help-clientproxy_31bf3856ad364e35_6.1.7600.16385_none_c5205ab8750840b2\HelpPaneProxy.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-msftedit_31bf3856ad364e35_6.1.7601.17514_none_d7d862f19573a5ff\msftedit.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-rastls_31bf3856ad364e35_6.1.7601.17514_none_6e6c95d9ae65f958\rastls.dll	1DDD.tmp
File created	C:\Windows\winsxs\x86_netfx-mscories_dll_31bf3856ad364e35_6.1.7601.17514_none_c02a874d500cc338\mscories.dll	1DDD.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_37575b7e71a86712\sidebar.exe	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-timedate_31bf3856ad364e35_6.1.7601.17514_none_91b39661220c0b0a\timedate.cpl	1DDD.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_44b0c76c35d4b76d\wabfind.dll	1DDD.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2332	1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	28
PID 1504 wrote to memory of 2332	1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	28
PID 1504 wrote to memory of 2332	1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	28
PID 1504 wrote to memory of 2332	1504	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	28

C:\Users\Admin\AppData\Local\Temp\02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
"C:\Users\Admin\AppData\Local\Temp\02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\1DDD.tmp
  C:\Users\Admin\AppData\Local\Temp\1DDD.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
148B

MD5
33e57d8c90f5917141260031b62f512e

SHA1
ddf36e36e4420128a552b04326339ebca8f5eb64

SHA256
569e3026fabb4342d7d5e2282c0e697f546218f2761548be8580cc214bf9f5f3

SHA512
f790154fae721bbfc44ed28252d5d7fb127231d524db66079019d9dcf01e49b8a96c68dc7c97db1519f144ffd68eb67336863c0d557b95ad90f6d0435cb2e23a

Download Submit
\Users\Admin\AppData\Local\Temp\1DDD.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/1504-1-0x0000000000240000-0x0000000000285000-memory.dmp

Filesize
276KB

Download
memory/1504-12-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1504-16-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download