Analysis
max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 04:14
Static task: static1
Behavioral task: behavioral1
Sample: eaedc41931e153e65ca1e0c8f7ae299464cf40ce8b80d6666c341f4785ca0689.exe
Resource: win7-20240508-en
General
Target: eaedc41931e153e65ca1e0c8f7ae299464cf40ce8b80d6666c341f4785ca0689.exe
Size: 658KB
MD5: ff702899647851ff623c9603ebe0dbb6
SHA1: 4d4fb40ce167f3abc3c25964209c33c938c23b03
SHA256: eaedc41931e153e65ca1e0c8f7ae299464cf40ce8b80d6666c341f4785ca0689
SHA512: 7d13c08e54c12528a781f1a060153e96d4f04614c5faed0e6a6817242287ade147479888f7d961f2d0715b44804966929b1e20252a1a50a661c50722788a868f
SSDEEP: 12288:qUtNGU1FAvYHaI7XHgZQKhJgeCmdTLgLdQHIVi1cxb+u2thIZo9McqH:BbGUvHFLHgZpJEMLgWHYi1cN+/go9McK
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 2796  2710.tmp

Loads dropped DLL (2 IoCs)
Processes:
  PID 2400  eaedc41931e153e65ca1e0c8f7ae299464cf40ce8b80d6666c341f4785ca0689.exe
  PID 2400  eaedc41931e153e65ca1e0c8f7ae299464cf40ce8b80d6666c341f4785ca0689.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no per-process IoC for this signature, so which process triggered it is not shown here.
Drops file in System32 directory (64 IoCs)
Process: 2710.tmp for every entry below
  created   C:\Windows\SysWOW64\ivfsrc.ax
  modified  C:\Windows\SysWOW64\mfc110.dll
  modified  C:\Windows\SysWOW64\vcomp140.dll
  modified  C:\Windows\SysWOW64\mfc120u.dll
  created   C:\Windows\SysWOW64\msjter40.dll
  created   C:\Windows\SysWOW64\msrd3x40.dll
  modified  C:\Windows\SysWOW64\VBAME.DLL
  modified  C:\Windows\SysWOW64\atl110.dll
  created   C:\Windows\SysWOW64\msexcl40.dll
  created   C:\Windows\SysWOW64\mswdat10.dll
  created   C:\Windows\SysWOW64\mswstr10.dll
  created   C:\Windows\SysWOW64\olecli32.dll
  created   C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll
  created   C:\Windows\SysWOW64\dmscript.dll
  modified  C:\Windows\SysWOW64\mfc100u.dll
  modified  C:\Windows\SysWOW64\MSCOMCTL.OCX
  created   C:\Windows\SysWOW64\sqlunirl.dll
  created   C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll
  created   C:\Windows\SysWOW64\ir32_32.dll
  created   C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll
  created   C:\Windows\SysWOW64\d3dim.dll
  created   C:\Windows\SysWOW64\dplaysvr.exe
  created   C:\Windows\SysWOW64\iac25_32.ax
  created   C:\Windows\SysWOW64\msjtes40.dll
  created   C:\Windows\SysWOW64\msxbde40.dll
  created   C:\Windows\SysWOW64\expsrv.dll
  modified  C:\Windows\SysWOW64\mfc140.dll
  created   C:\Windows\SysWOW64\msvbvm60.dll
  modified  C:\Windows\SysWOW64\msvcr100.dll
  created   C:\Windows\SysWOW64\odbcjt32.dll
  created   C:\Windows\SysWOW64\msrd2x40.dll
  created   C:\Windows\SysWOW64\rdvgumd32.dll
  created   C:\Windows\SysWOW64\audiodev.dll
  modified  C:\Windows\SysWOW64\concrt140.dll
  created   C:\Windows\SysWOW64\crtdll.dll
  created   C:\Windows\SysWOW64\explorer.exe
  created   C:\Windows\SysWOW64\mfc40u.dll
  created   C:\Windows\SysWOW64\InstallShield\setup.exe
  created   C:\Windows\SysWOW64\d3dxof.dll
  created   C:\Windows\SysWOW64\dpwsockx.dll
  created   C:\Windows\SysWOW64\mspbde40.dll
  created   C:\Windows\SysWOW64\msrepl40.dll
  created   C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atidxx32.dll
  created   C:\Windows\SysWOW64\d3d8.dll
  created   C:\Windows\SysWOW64\mstext40.dll
  modified  C:\Windows\SysWOW64\msvcr120.dll
  modified  C:\Windows\SysWOW64\mfc110u.dll
  created   C:\Windows\SysWOW64\mfc40.dll
  modified  C:\Windows\SysWOW64\msvcr120_clr0400.dll
  created   C:\Windows\SysWOW64\msvcrt20.dll
  created   C:\Windows\SysWOW64\sqlwoa.dll
  created   C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll
  created   C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll
  created   C:\Windows\SysWOW64\migration\MediaPlayer-DLMigPlugin.dll
  created   C:\Windows\SysWOW64\dplayx.dll
  created   C:\Windows\SysWOW64\FXSXP32.dll
  created   C:\Windows\SysWOW64\ir41_32.ax
  modified  C:\Windows\SysWOW64\msvcr110.dll
  created   C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll
  created   C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll
  modified  C:\Windows\SysWOW64\atl100.dll
  created   C:\Windows\SysWOW64\msltus40.dll
  modified  C:\Windows\SysWOW64\vccorlib120.dll
  created   C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll
Drops file in Program Files directory (64 IoCs)
Process: 2710.tmp for every entry below
  modified  C:\Program Files (x86)\Microsoft Office\Office14\MAPIPH.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  modified  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
  modified  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\TextConv\MSCONV97.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\MSOHEVI.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\OLKFSTUB.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT
  modified  C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
  modified  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\VVIEWDWG.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLNOTE.FAE
  modified  C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPLACE.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IETAG.DLL
  modified  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  modified  C:\Program Files (x86)\Microsoft Office\Office14\ACCDDS.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\ACCDDSF.DLL
  created   C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll
  created   C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\DBGHELP.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\VISSHE.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\MIMEDIR.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\MLSHEXT.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\TWCUTCHR.DLL
  modified  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
  modified  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\MSGR3FR.DLL
  modified  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  modified  C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1STAR.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
  modified  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api
  modified  C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
  modified  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL
  modified  C:\Program Files\7-Zip\Uninstall.exe
  modified  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api
  modified  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FDATE.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPSRVUTL.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\PUBCONV.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\SOA.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM
  modified  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\RM.DLL
  created   C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll
  modified  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api
  modified  C:\Program Files (x86)\Microsoft Office\Office14\mset7.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT
  modified  C:\Program Files (x86)\Microsoft Office\Office14\MCPS.DLL
  modified  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FBIBLIO.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\MSTORES.DLL
  modified  C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
  modified  C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
  modified  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE
  modified  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll
  modified  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
  modified  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ORG97.SAM
Drops file in Windows directory (64 IoCs)
Process: 2710.tmp for every entry below
  created   C:\Windows\winsxs\x86_microsoft-windows-ie-vgx_31bf3856ad364e35_8.0.7600.16385_none_07c7aec5c1108570\VGX.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-msmq-runtime-core_31bf3856ad364e35_6.1.7601.17514_none_5768e2ad17453bd6\mqrt.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-networking-eqossnapin_31bf3856ad364e35_6.1.7600.16385_none_1741aed6f0e1757f\eqossnap.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-ribbons_31bf3856ad364e35_6.1.7601.17514_none_8abc4ded863e0452\Ribbons.scr
  created   C:\Windows\winsxs\x86_microsoft-windows-c..fe-catsrvut-comsvcs_31bf3856ad364e35_6.1.7600.16385_none_7298bb510131906e\catsrvut.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-fde_31bf3856ad364e35_6.1.7601.17514_none_aa136561b9ed4ae4\fde.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-m..rds-datafactory-dll_31bf3856ad364e35_6.1.7601.17514_none_f1691d6d94363b2f\msadcf.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-devicepairingdll_31bf3856ad364e35_6.1.7600.16385_none_6dd996716463e8a5\DevicePairing.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-scripting-jscript9_31bf3856ad364e35_11.2.9600.16428_none_30d54a1007206a57\jscript9.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.17514_none_1eaaa4a07717236e\wininet.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-s..-credentialprovider_31bf3856ad364e35_6.1.7600.16385_none_e2ed533e1c868930\BioCredProv.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_6.1.7601.17514_none_8375605f8afb0c19\wmlaunch.exe
  created   C:\Windows\winsxs\wow64_microsoft-windows-streambufferengine_31bf3856ad364e35_6.1.7601.17514_none_9b0668f2fc6cec36\sbeio.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-difxapi_31bf3856ad364e35_6.1.7600.16385_none_0819f3b1f785b1ce\difxapi.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-directx-d3d10level9_31bf3856ad364e35_7.1.7601.16492_none_d67de7d188fdee8d\d3d10level9.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-i..eoptionalcomponents_31bf3856ad364e35_11.2.9600.16428_none_87f259ebb3f177fa\ConfigureIEOptionalComponents.exe
  created   C:\Windows\winsxs\x86_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.1.7600.16385_none_5f9d65eb12980e45\rsaenh.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_6.1.7601.17514_none_85ac7bd736dda285\UserAccountControlSettings.exe
  created   C:\Windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.1.7601.17514_none_94395a96e7042cf4\avicap32.dll
  modified  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupEngine.dll
  created   C:\Windows\winsxs\x86_netfx-fw_netfxperf_dll_31bf3856ad364e35_6.2.7601.17514_none_5ec9dfb2784680fc\netfxperf.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-directx-dxgi_31bf3856ad364e35_6.1.7601.17514_none_3c85e23e7cced2d3\dxgi.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-mystify_31bf3856ad364e35_6.1.7601.17514_none_f21904fdbd9f5e08\Mystify.scr
  created   C:\Windows\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7600.16385_none_d7dba7b30c3e2855\rundll32.exe
  created   C:\Windows\winsxs\x86_microsoft-windows-taskkill_31bf3856ad364e35_6.1.7600.16385_none_25545528bd642170\taskkill.exe
  created   C:\Windows\winsxs\x86_microsoft-windows-cryptnet-dll_31bf3856ad364e35_6.1.7600.16385_none_16ef973d5d294eb5\cryptnet.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\uihelper.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.1.7601.17514_none_7addf2001d014646\dpnsvr.exe
  created   C:\Windows\winsxs\x86_microsoft-windows-msports_31bf3856ad364e35_6.1.7600.16385_none_8cf3709c50984f07\msports.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-winlogon-sas_31bf3856ad364e35_6.1.7600.16385_none_794ca3c3dba3387a\sas.dll
  created   C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13_wininit.exe_7a527f28
  created   C:\Windows\winsxs\wow64_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.7601.17514_none_e31b8144fc78a957\msfeeds.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\iisui.dll
  created   C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\mssph.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-com-oleui_31bf3856ad364e35_6.1.7600.16385_none_204a50230f150f07\oledlg.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-m..replication-objects_31bf3856ad364e35_6.1.7601.17514_none_8246a49603d3db37\msjro.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_44b0c76c35d4b76d\wabmig.exe
  created   C:\Windows\winsxs\x86_netfx-_vc_assembly_linker_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_0d584c7aa833ba19\alink.dll
  created   C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.urlmon.dll.01daa163c6254b10.000c
  created   C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-wmpnss-api_31bf3856ad364e35_6.1.7600.16385_none_48332061386e6c89\wmpnssci.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\drmmgrtn.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_6.1.7600.16385_none_d03cc6bce93bce83\TapiMigPlugin.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-ie-htmlconverter_31bf3856ad364e35_8.0.7601.17514_none_87da61075c9f17a8\html.iec
  created   C:\Windows\winsxs\wow64_microsoft-windows-s..ing-shell-extension_31bf3856ad364e35_6.1.7600.16385_none_70cb731d72554e78\wshext.dll
  created   C:\Windows\winsxs\Backup\wow64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_db578bdb5e3559c6_uiribbon.dll_8a707982
  created   C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\locdrv.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-vcm-core-codecs_31bf3856ad364e35_6.1.7601.17514_none_6eaa2afd36b1e303\ir32_32.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_160ccc8a92fae520\winrshost.exe
  created   C:\Windows\winsxs\Backup\wow64_microsoft-windows-oleacc_31bf3856ad364e35_6.1.7600.16385_none_d0ce59c770758425_oleacc.dll_2f3fa5bf
  created   C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\wextract.exe
  created   C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.7601.17514_none_e292664733bd5af6\iernonce.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-wmvsdecd_31bf3856ad364e35_6.1.7601.17514_none_6880e489030d43b0\WMVSDECD.DLL
  created   C:\Windows\winsxs\wow64_microsoft-windows-mfplay_31bf3856ad364e35_6.1.7601.17514_none_5f24d6869e761d83\MFPlay.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_6.1.7601.17514_none_d6a8cb040fcd3a85\drmv2clt.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-dims-autoenroll_31bf3856ad364e35_6.1.7600.16385_none_f3e60ce29c29c7d8\pautoenr.dll
  created   C:\Windows\winsxs\x86_netfx-mscordacwks_b03f5f7f11d50a3a_6.1.7601.17514_none_ff7dd323c3873b50\mscordacwks.dll
  created   C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_ndadmin.exe_8e57269f
  created   C:\Windows\winsxs\wow64_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_8.0.7600.16385_none_18ca324046b7d386\dxtrans.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-ieframe_31bf3856ad364e35_8.0.7601.17514_none_e7d7639870214e02\ieframe.dll
  created   C:\Windows\winsxs\x86_microsoft-windows-m..-management-console_31bf3856ad364e35_6.1.7600.16385_none_0f49a133d6f5d42b\mmc.exe
  created   C:\Windows\winsxs\x86_netfx-ado_net_diag_b03f5f7f11d50a3a_6.1.7600.16385_none_41e26933a436d37d\AdoNetDiag.dll
  created   C:\Windows\winsxs\wow64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_d5b4f96cdbb9a8b1\IMJPMGR.EXE
  created   C:\Windows\winsxs\x86_microsoft-windows-azman_31bf3856ad364e35_6.1.7601.17514_none_585e832110fb75a4\AzSqlExt.dll
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (source PID and process, target PID and process):
  PID 2400  eaedc41931e153e65ca1e0c8f7ae299464cf40ce8b80d6666c341f4785ca0689.exe  wrote to memory of  PID 2796  2710.tmp
  (the same source/target pair is logged four times)
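The "Drops file in ..." signatures above are reported as one run-together line per signature, which is awkward to pivot on. The following Python is an added triage aid written for this page, not part of the sandbox report or of any tool it came from: it splits those entries into (action, path, process) records, counts created versus modified files per location, and flags the pattern worth investigating here, a *.tmp process creating files under OS and third-party install directories. The sample lines are an excerpt copied from the lists above (the full report has 64 entries per signature); the directory labels in PROTECTED and the ".tmp writes into protected trees" rule are this example's own assumptions, not signatures from the report.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed excerpt of the report's flattened IoC text, kept in the
# run-together form the page presents it in (subset of the 64-entry lists).
SAMPLE_LINES = [
    r"2710.tmpdescription ioc process File created C:\Windows\SysWOW64\ivfsrc.ax 2710.tmp "
    r"File opened for modification C:\Windows\SysWOW64\mfc110.dll 2710.tmp "
    r"File created C:\Windows\SysWOW64\explorer.exe 2710.tmp",
    r"File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE 2710.tmp "
    r"File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll 2710.tmp",
    r"File created C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll 2710.tmp "
    r"File created C:\Windows\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7600.16385_none_d7dba7b30c3e2855\rundll32.exe 2710.tmp -",
]

# One entry is: <action> <path, may contain spaces> <process>, followed either by
# the next entry's action keyword or by the end of the line. The lazy path group
# stops at the first token that is followed by another "File ..." action or EOL.
ENTRY_RE = re.compile(
    r"(?P<action>File created|File opened for modification)\s+"
    r"(?P<path>\S.*?)\s+(?P<proc>\S+)"
    r"(?=\s+File (?:created|opened for modification)\s|\s*$)"
)

# Assumed location labels for this example; adjust to the environment under review.
PROTECTED = (
    ("Windows\\SysWOW64", "c:\\windows\\syswow64\\"),
    ("Windows\\System32", "c:\\windows\\system32\\"),
    ("Windows\\winsxs", "c:\\windows\\winsxs\\"),
    ("Program Files", "c:\\program files"),
)


@dataclass(frozen=True)
class FileEvent:
    action: str  # "File created" or "File opened for modification"
    path: str
    proc: str    # process name as the report gives it (here always 2710.tmp)


def parse_events(lines: Iterable[str]) -> List[FileEvent]:
    """Split the run-together sandbox IoC text into one FileEvent per entry."""
    events: List[FileEvent] = []
    for line in lines:
        # The page terminates each signature block with a stray " -"; drop it.
        line = re.sub(r"\s+-\s*$", "", line.strip())
        for m in ENTRY_RE.finditer(line):
            events.append(FileEvent(m["action"], m["path"], m["proc"]))
    return events


def classify(path: str) -> str:
    """Map a path to one of the PROTECTED labels, or "other"."""
    low = path.lower()
    for label, prefix in PROTECTED:
        if low.startswith(prefix):
            return label
    return "other"


def summarize(events: Iterable[FileEvent]) -> Dict[str, Counter]:
    """Count actions per location, e.g. {"Windows\\SysWOW64": Counter(created=2, ...)}."""
    out: Dict[str, Counter] = {}
    for ev in events:
        out.setdefault(classify(ev.path), Counter())[ev.action] += 1
    return out


def flag_suspicious(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Assumed triage rule: a *.tmp process *creating* files under OS or other
    vendors' install directories. An installer normally writes into its own
    product directory; creating user32.dll, rundll32.exe or explorer.exe paths
    from a Temp-resident .tmp is what an analyst should pivot on first."""
    return [
        ev for ev in events
        if ev.action == "File created"
        and classify(ev.path) != "other"
        and ev.proc.lower().endswith(".tmp")
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for label, counts in summarize(evs).items():
        print(f"{label:18s} {dict(counts)}")
    for ev in flag_suspicious(evs):
        print("SUSPICIOUS", ev.proc, "->", ev.path)
```

Feed it the complete signature blocks (one string per "Drops file in ..." signature) to get the full per-directory breakdown; the regex tolerates the "2710.tmpdescription ioc process" header residue and the trailing " -" marker that the page leaves on each block.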
Processes
1. C:\Users\Admin\AppData\Local\Temp\eaedc41931e153e65ca1e0c8f7ae299464cf40ce8b80d6666c341f4785ca0689.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eaedc41931e153e65ca1e0c8f7ae299464cf40ce8b80d6666c341f4785ca0689.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2710.tmp (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\2710.tmp
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

\Users\Admin\AppData\Local\Temp\2710.tmp
Filesize: 145KB
MD5: c610e7ccd6859872c585b2a85d7dc992
SHA1: 362b3d4b72e3add687c209c79b500b7c6a246d46
SHA256: 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041
SHA512: 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

memory/2400-0-0x00000000003F0000-0x000000000042D000-memory.dmp
Filesize: 244KB