ef08e480f220301ad1dc1c46b790404b270d54ce0b6d397e497be74b03530f6c

Analysis

max time kernel
136s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

76KB
MD5

2cc3b1d375b616a545a4368cbddea2cb
SHA1

2ada305f92f9a231ca853d1017ae81d833654e24
SHA256

ef08e480f220301ad1dc1c46b790404b270d54ce0b6d397e497be74b03530f6c
SHA512

13894d1fa0c2b34edfecd314551dc20705705a679598f21edcb5072a83d6335120879c1626cec280650be75471c3ca0513293c5c387fd2dd75a844198561a20c
SSDEEP

768:5xIwVMDsym6DaMsL5+Oq3CdVaIvRNv+f5AfpUxnHeob4f1u0eJwO0H+UJFIDgr0p:59v6nXw0G7Rw2Tgh

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 402aab7ba945d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000df54b2fcd6d093ced0ea1b3f208d455ef2290c88af15555b92beb3f79fc686a9000000000e80000000020000200000008f80da05df879c495d6d8ba8cfa0cbe576146032674e0c0cc751304f7c873ac0200000001f7f2aaa06182bd7c0e65125e8eed4cba2021070f7de26c4f2fbf17af8158a024000000072f904b3fa960986b1b6f0090a0c5578033db1f6d0840ef22f6a85b642f5081068e9dc2cdfd4519c06000fc1523c1935dee5853aab2dab3d7be1943eb53d26b7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f5aa3c2a84d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1175984060"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390589452"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{70E2C1DA-F01D-11ED-8FFF-6201C35E5273} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31032362"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1175984060"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31032362"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{2B47918A-2060-4EC7-A299-D99EDFFC6635}"	iexplore.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.rar	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.rar\ = "rar_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\rar_auto_file\shell\Read\command	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	OpenWith.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4420	iexplore.exe
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
4420	iexplore.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
4420	iexplore.exe
4420	iexplore.exe
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
4532	IEXPLORE.EXE
4532	IEXPLORE.EXE
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1004	OpenWith.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 1644	4420	iexplore.exe	84
PID 4420 wrote to memory of 1644	4420	iexplore.exe	84
PID 4420 wrote to memory of 1644	4420	iexplore.exe	84
PID 4420 wrote to memory of 4532	4420	iexplore.exe	92
PID 4420 wrote to memory of 4532	4420	iexplore.exe	92
PID 4420 wrote to memory of 4532	4420	iexplore.exe	92
PID 1004 wrote to memory of 1336	1004	OpenWith.exe	95
PID 1004 wrote to memory of 1336	1004	OpenWith.exe	95
PID 1004 wrote to memory of 1336	1004	OpenWith.exe	95
PID 1336 wrote to memory of 2200	1336	AcroRd32.exe	98
PID 1336 wrote to memory of 2200	1336	AcroRd32.exe	98
PID 1336 wrote to memory of 2200	1336	AcroRd32.exe	98
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3208	2200	RdrCEF.exe	99
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100
PID 2200 wrote to memory of 3116	2200	RdrCEF.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4420 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1644
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4420 CREDAT:17414 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\Setup.rar"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5331B14C68F1E683F395C44AE1B2AB06 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5331B14C68F1E683F395C44AE1B2AB06 --renderer-client-id=2 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3208
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2608C47DF861DBD3046EF88E7BAC6828 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3116
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B74815B3B34A2515A645146BCF0825AD --mojo-platform-channel-handle=2276 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4644
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8BB784B6CCC81CE654989E8332C89BF0 --mojo-platform-channel-handle=2380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=725DE2A152BD4C580ADD5B281C951E02 --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
a72eb5312a688e936a1ba102fe95e742

SHA1
fed24907e7671806c7efbcbd4820bb012f8955ff

SHA256
e64d2134217b8833de9b3dd9171c48951888e6422aca48f512ce9d75f6c8c66c

SHA512
09910ce6ff52edd939db143a4a5b247bdafdb79b1fd3e1555787244f59481222e6853338f0cd2b72c8b87caee4888e1c22aed23b179bf32c62541f4c2f2719d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7d7b667ff40a39d800c293803b44e6cd

SHA1
ae06cddaa08e59ea0c22528a139a818372160f02

SHA256
070aeb0092612529397e466a820fbc2d6f13b21635391f20cfd51fa5b6f64828

SHA512
53b3e43b8a71af1eb0784428f1a820f0de4dd57c31378cd58e9ddc447793dc8112ba7021fd8d7c7c579493a0dafd56e83d6d3c122b270e8cd2bec7137744b3e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
7ccadca2429baf0ffa1f5040ac99e831

SHA1
6832f1111885d2e399f76b1d53212b58e40a1032

SHA256
a1bcc7214947d04b41b24a64fa854d1b087bb923f1bf337484fc5bf673d9bbc4

SHA512
cdf2d32afa5e3c66ae973ea3ef0661b898c839cb11069afa0b9f965fb19f1ee1ab6e5673bdbee20be5aca3e1e31897bb78071b9b171cccb5b20b1d4c3b9ba45c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
8522cdfcf8504620edbf8da66b24769c

SHA1
a400185e2b4f885aa7a872343800d07f27072cef

SHA256
2c0e4e61e298b2213c859a8727c6a219336e4cb663a88a2550eaa8ca1cc2f16c

SHA512
f81a069a4aac5205bf649c47cb0879c9bc8f2af9f27ef5b9dbb2a11f29e3560994fed758b13d33742deadcbed5209e4f9233d00e56f91f667d950afa0c9d2b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2887.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat

Filesize
3KB

MD5
2471d3df662ef485d82fd35924aea87a

SHA1
95bb2435c3bec147df7564f68bb3ea0c74c46bee

SHA256
211343ede5764900605e11e50711983c3cc6e7f2fb7aa27fe088143c64c08c4c

SHA512
24bf1a37668f411925fe6151d35034b97e1a3514f58f4028ad9fa9cfdd4bb95c8a7a22a32e3a6464c821bc535b42d5024826aec3b91b39813e91c84af4d0cb1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\favicon[1].ico

Filesize
3KB

MD5
59a0c7b6e4848ccdabcea0636efda02b

SHA1
30ef5c54b8bbc3487ea2b4c45cd11ea2932e4340

SHA256
a1495da3cf3db37bf105a12658636ff628fee7b73975b9200049af7747e60b1f

SHA512
bcfebb2ca5af53031c636d5485125a1405ca8414d0bc8a5d34dd3b3feb4c7425be02cf4848867d91cf6d021d08630294f47bdc69d6cd04a1051972735b0f04d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\favicon[1].ico

Filesize
3KB

MD5
59a0c7b6e4848ccdabcea0636efda02b

SHA1
30ef5c54b8bbc3487ea2b4c45cd11ea2932e4340

SHA256
a1495da3cf3db37bf105a12658636ff628fee7b73975b9200049af7747e60b1f

SHA512
bcfebb2ca5af53031c636d5485125a1405ca8414d0bc8a5d34dd3b3feb4c7425be02cf4848867d91cf6d021d08630294f47bdc69d6cd04a1051972735b0f04d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\902337161-widgets[1].js

Filesize
153KB

MD5
ff4fd2e32ac0ebfbb03045a3f6b04b43

SHA1
e73028731776575811e72e7693d0e2e81983ff3c

SHA256
591d19c500e9a5c1de63a4f9664fdb186ab3cc1dd6cd8e83961a61390eb679cf

SHA512
7eb5ad5e4080d3268c228a41b759214a343ab162651881599b4e7a85898cd2bae14b2c92168817552b232687e26d3698700344056780a3c4bc1d9f0c953e5fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\Setup.rar.m4i0gt0.partial

Filesize
64.0MB

MD5
93bb2376a7cda698f726128d407f92b3

SHA1
4d1068bc5fda97cd543b5ccf3680a69e491d9785

SHA256
b2d89083bdfbdeb879f54cb05c978455bca036e1a4178b9a736f89017f6c5348

SHA512
da3217081bda86b71a7e76e509164214570983aeb3b3303a267f0a6e8c66381c6fe92d7b21159356465e94f85cf56150e2dc033e11263d5979c8a9d1d91dd2e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\clipboard.min[1].js

Filesize
11KB

MD5
158013acb7e269a3dbe18de855656c97

SHA1
08fa355584fc849539b3f04589ae6f61eb4a7d98

SHA256
92e40dc4bbb485a182b796c58e6da7974cb8a6a84fdb4548ace3b85c991f0f94

SHA512
e0add5af170acfb48d51e011eef87de444cbacd48d601e66db140f216392c481a47fec5dd9034e0cf48f1c3f3754c39d143c64bda536297d72dc287b679c5d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\Setup[1].rar

Filesize
64.0MB

MD5
93bb2376a7cda698f726128d407f92b3

SHA1
4d1068bc5fda97cd543b5ccf3680a69e491d9785

SHA256
b2d89083bdfbdeb879f54cb05c978455bca036e1a4178b9a736f89017f6c5348

SHA512
da3217081bda86b71a7e76e509164214570983aeb3b3303a267f0a6e8c66381c6fe92d7b21159356465e94f85cf56150e2dc033e11263d5979c8a9d1d91dd2e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\analytics[1].js

Filesize
50KB

MD5
4507839525a19180914799b08fb5fa5b

SHA1
738d7e47e47a102e67d09efa63408d21aaf02245

SHA256
e7b90d32907f89c49e9e2a2ccca95133277f756f13a14187936d9b948ff67b44

SHA512
124bb24b26ede426ac7ef14db40ff894ddea6eb9c7a5bf408fd83b116bd55ec86b51b6839d5eec7ec0f481aab940795006005b4534dff6cc0f3a6560f7cf9bea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads