f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
Size

988KB
MD5

6e1b1929f6df01c4db6cc3c7232f1ba9
SHA1

5fed3cc39a5b5e51f7e4f3f1cdc77b2b4462b63f
SHA256

f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479
SHA512

f8c6d8c5af5a6f4ebc19817c2356d959ac95933747c85844429a6e7c0599e3f554ac70d115dc9da0a14875822791ab87fa7d49e1491e24bf64d8b78851c065c5
SSDEEP

12288:Wh3ZukLF5fRY5a/6GX4D1DwhHd1zre/9CL7zf0RhQ2K2cgicWPTMTH:WhMkxlRSaiPDi3qs3m/rIcWrQ

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	acrotray .exe

Executes dropped EXE 4 IoCs

pid	Process
3384	acrotray.exe
2648	acrotray.exe
4228	acrotray .exe
4568	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\acrotray.exe	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
File created	\??\c:\program files (x86)\common files\java\java update\jusched.exe	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2bd61ee0af3bb438d93a4958c93786e00000000020000000000106600000001000020000000913e400a1fbfcb43d566016c47da2df1ce6f811194311b57450270d79ad66a6f000000000e8000000002000020000000ae33e1c3e3ee4bcc23706bc383ad924b63e173188055b850f43817811224e9f720000000e87cb5fa8b53fbffa3956792c50ebecb8f7d7ccf78d704ef452c5d9d8be4b4df4000000088c2f60a1a56302ad1e423ee18fa7ba6fc877b4ef9bb3bf29e254e37acfee5e467104439053b352c9505fd50aca1e616c3f4ef4ca20e0ecdd82ade9d7b2cbdaf	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904a35661a9dda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a4bb5d1a9dda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1586174980"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1586174980"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31104282"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31104282"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2bd61ee0af3bb438d93a4958c93786e000000000200000000001066000000010000200000008d06e41516c96a1f22e1eac4ddd3d97b1d33a1afd5b9557ac6fc576eae103f5e000000000e8000000002000020000000b0ecdedef02208b01f502816d960d3a60aeb31a593e5bee7e8fffd61157b8e0f200000008cb18e7b22ec4313abd8375ca6e8c6708e0fa87ed3546415471accf08535a67f40000000a2d3c471f9a0688801ef47a461207c3f1b2c9a4c4ae46d97ea17fd1ed9a06669ad35d3374a916195f8f3c6f0a39dfff3c93b92464ab779510b578c2e491018f5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8A37056E-090D-11EF-BBCF-E6761A777171} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
3384	acrotray.exe
3384	acrotray.exe
3384	acrotray.exe
3384	acrotray.exe
3384	acrotray.exe
3384	acrotray.exe
2648	acrotray.exe
2648	acrotray.exe
2648	acrotray.exe
2648	acrotray.exe
4228	acrotray .exe
4228	acrotray .exe
4228	acrotray .exe
4228	acrotray .exe
4228	acrotray .exe
4228	acrotray .exe
4568	acrotray .exe
4568	acrotray .exe
4568	acrotray .exe
4568	acrotray .exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
2648	acrotray.exe
2648	acrotray.exe
4568	acrotray .exe
4568	acrotray .exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
2648	acrotray.exe
2648	acrotray.exe
4568	acrotray .exe
4568	acrotray .exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
2648	acrotray.exe
2648	acrotray.exe
4568	acrotray .exe
4568	acrotray .exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
2648	acrotray.exe
2648	acrotray.exe
4568	acrotray .exe
4568	acrotray .exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
2648	acrotray.exe
2648	acrotray.exe
4568	acrotray .exe
4568	acrotray .exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
2648	acrotray.exe
2648	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
Token: SeDebugPrivilege	4540	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
Token: SeDebugPrivilege	3384	acrotray.exe
Token: SeDebugPrivilege	2648	acrotray.exe
Token: SeDebugPrivilege	4228	acrotray .exe
Token: SeDebugPrivilege	4568	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2956	iexplore.exe
2956	iexplore.exe
2956	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2956	iexplore.exe
2956	iexplore.exe
4292	IEXPLORE.EXE
4292	IEXPLORE.EXE
2956	iexplore.exe
2956	iexplore.exe
3088	IEXPLORE.EXE
3088	IEXPLORE.EXE
2956	iexplore.exe
2956	iexplore.exe
3100	IEXPLORE.EXE
3100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 4540	240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe	85
PID 240 wrote to memory of 4540	240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe	85
PID 240 wrote to memory of 4540	240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe	85
PID 240 wrote to memory of 3384	240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe	99
PID 240 wrote to memory of 3384	240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe	99
PID 240 wrote to memory of 3384	240	f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe	99
PID 2956 wrote to memory of 4292	2956	iexplore.exe	102
PID 2956 wrote to memory of 4292	2956	iexplore.exe	102
PID 2956 wrote to memory of 4292	2956	iexplore.exe	102
PID 3384 wrote to memory of 2648	3384	acrotray.exe	103
PID 3384 wrote to memory of 2648	3384	acrotray.exe	103
PID 3384 wrote to memory of 2648	3384	acrotray.exe	103
PID 3384 wrote to memory of 4228	3384	acrotray.exe	104
PID 3384 wrote to memory of 4228	3384	acrotray.exe	104
PID 3384 wrote to memory of 4228	3384	acrotray.exe	104
PID 4228 wrote to memory of 4568	4228	acrotray .exe	105
PID 4228 wrote to memory of 4568	4228	acrotray .exe	105
PID 4228 wrote to memory of 4568	4228	acrotray .exe	105
PID 2956 wrote to memory of 3088	2956	iexplore.exe	108
PID 2956 wrote to memory of 3088	2956	iexplore.exe	108
PID 2956 wrote to memory of 3088	2956	iexplore.exe	108
PID 2956 wrote to memory of 3100	2956	iexplore.exe	109
PID 2956 wrote to memory of 3100	2956	iexplore.exe	109
PID 2956 wrote to memory of 3100	2956	iexplore.exe	109

C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
"C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240
- C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe
  "C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe" C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\f5d9b4476d57fde9b99e7e27d7341abc3c194c5af6ff19dfac9b6cf213ff3479.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4568

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2956 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4292
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2956 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2956 CREDAT:17424 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
998KB

MD5
71ee0286da09bd7435613bae8a6ba1f8

SHA1
3067eb664f0d7ddc1087b4cb664ec0a1af6ba665

SHA256
a21aef7e3819d137cd75cae0342b5cb1675a4e5460502e2599c94d1cf8fbd4be

SHA512
9a6ab5bee3693f9627289ce9c140eccb6ae8391050189d3486a7642b4f7429b9716be1083e768dd6d83a9f38fa791da25aa91c6d5902cad4f9d0c734e15d487d

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
1008KB

MD5
d2891013b0c2d8f9a6ae58bf40bdd281

SHA1
176a57ee06d34866a2d7019b7e9d621f326db4d2

SHA256
607b32896d2d3b69098eb075c2468c178d350e5d1aa370ba99eb8c376fff11cf

SHA512
f4e22276bb9385acb899faaa25519478bc773f593fa59ac0acd354ec623206d28f43992ea24e703f25a2ebf2e818bda820225cc69a4f8bef4c144a9c4e634df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VQ4FFWVS\bKXTngvqg[1].js

Filesize
32KB

MD5
f48baec69cc4dc0852d118259eff2d56

SHA1
e64c6e4423421da5b35700154810cb67160bc32b

SHA256
463d99ca5448f815a05b2d946ddae9eed3e21c335c0f4cfe7a16944e3512f76c

SHA512
06fdccb5d9536ab7c68355dbf49ac02ebccad5a4ea01cb62200fd67728a6d05c276403e588a5bdceacf5e671913fc65b63e8b92456ca5493dae5b5a70e4a8b37

Download Submit
memory/240-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download