28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 09:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
Size

998KB
MD5

7739aa302d25cfc6ade4359c6502b620
SHA1

2a341c3cceec12097fdeb77f4f718283f14878fa
SHA256

28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd
SHA512

730c2eb4c0535ca8489ee859885e45778e963956c0a25a5fbe347f477f9270ebace235717f783a61f413d56e9d9cf5692ef6ac4a0123febadd32642b4e585d1a
SSDEEP

12288:rVCk33HF6MVLsaQkNzwYkNWoaiiy4Ammme3zvGgQTyVhosftZkd/go:rVCAkMVlNznPyYe3zvGtGLosOgo

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	acrotray .exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe

Executes dropped EXE 4 IoCs

pid	Process
4388	acrotray.exe
3976	acrotray.exe
2028	acrotray .exe
4500	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\common files\java\java update\jusched.exe	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2904735204"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31107934"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80bc49ac5eabda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1049cfb45eabda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef86260000000002000000000010660000000100002000000086dbd1b382d1250e2ca35bc550bd22b363a884e021f1075aa13d4bdd62048b8e000000000e80000000020000200000009719088a36595a6aa1bc3557f5e7ea0d8ca56965177cea4ba8589a0f59aada712000000091a38235800beaedc85e1597d15094f31e9acf9b724988527a6d606232a157f5400000000154492090a96c8e75a01d1f9844ad3350b0eff843079f70bbbe5b038576eea48961b43cfc93d720fd754755f2e7c8bef06ad84752f264bf1601d698d0abb071	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2904735204"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31107934"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D8D10A7E-1751-11EF-9519-CEC6030110C3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef86260000000002000000000010660000000100002000000054fc38f0cb253cfd33b0c194c0540037a838c0f5b8d4143469cfbc929eca92bb000000000e8000000002000020000000d3fcc3af25ece681bb21bada99fa57c2e566c423eb6376a482636300beafe932200000007904cd6511076cae19c4ae1bdb780711ba3b0a0088a25e65c1a88da46691564640000000e4cd1db9f5123fbc75d86fb500c80f95ca7cbc226d4d63be02b6ad089fed14f2a2e2ace44773cc75902c579323e9e89dca1196e22ab704c21b0f207e5224440a	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
4388	acrotray.exe
4388	acrotray.exe
4388	acrotray.exe
4388	acrotray.exe
4388	acrotray.exe
4388	acrotray.exe
3976	acrotray.exe
3976	acrotray.exe
3976	acrotray.exe
3976	acrotray.exe
2028	acrotray .exe
2028	acrotray .exe
2028	acrotray .exe
2028	acrotray .exe
2028	acrotray .exe
2028	acrotray .exe
4500	acrotray .exe
4500	acrotray .exe
4500	acrotray .exe
4500	acrotray .exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3976	acrotray.exe
3976	acrotray.exe
4500	acrotray .exe
4500	acrotray .exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3976	acrotray.exe
3976	acrotray.exe
4500	acrotray .exe
4500	acrotray .exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3976	acrotray.exe
3976	acrotray.exe
4500	acrotray .exe
4500	acrotray .exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3976	acrotray.exe
3976	acrotray.exe
4500	acrotray .exe
4500	acrotray .exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3976	acrotray.exe
3976	acrotray.exe
4500	acrotray .exe
4500	acrotray .exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
3976	acrotray.exe
3976	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
Token: SeDebugPrivilege	3296	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
Token: SeDebugPrivilege	4388	acrotray.exe
Token: SeDebugPrivilege	3976	acrotray.exe
Token: SeDebugPrivilege	2028	acrotray .exe
Token: SeDebugPrivilege	4500	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4656	iexplore.exe
4656	iexplore.exe
4656	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4656	iexplore.exe
4656	iexplore.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
4656	iexplore.exe
4656	iexplore.exe
4912	IEXPLORE.EXE
4912	IEXPLORE.EXE
4656	iexplore.exe
4656	iexplore.exe
3928	IEXPLORE.EXE
3928	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 3296	3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe	82
PID 3560 wrote to memory of 3296	3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe	82
PID 3560 wrote to memory of 3296	3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe	82
PID 3560 wrote to memory of 4388	3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe	96
PID 3560 wrote to memory of 4388	3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe	96
PID 3560 wrote to memory of 4388	3560	28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe	96
PID 4388 wrote to memory of 3976	4388	acrotray.exe	99
PID 4388 wrote to memory of 3976	4388	acrotray.exe	99
PID 4388 wrote to memory of 3976	4388	acrotray.exe	99
PID 4656 wrote to memory of 2888	4656	iexplore.exe	100
PID 4656 wrote to memory of 2888	4656	iexplore.exe	100
PID 4656 wrote to memory of 2888	4656	iexplore.exe	100
PID 4388 wrote to memory of 2028	4388	acrotray.exe	101
PID 4388 wrote to memory of 2028	4388	acrotray.exe	101
PID 4388 wrote to memory of 2028	4388	acrotray.exe	101
PID 2028 wrote to memory of 4500	2028	acrotray .exe	102
PID 2028 wrote to memory of 4500	2028	acrotray .exe	102
PID 2028 wrote to memory of 4500	2028	acrotray .exe	102
PID 4656 wrote to memory of 4912	4656	iexplore.exe	105
PID 4656 wrote to memory of 4912	4656	iexplore.exe	105
PID 4656 wrote to memory of 4912	4656	iexplore.exe	105
PID 4656 wrote to memory of 3928	4656	iexplore.exe	106
PID 4656 wrote to memory of 3928	4656	iexplore.exe	106
PID 4656 wrote to memory of 3928	4656	iexplore.exe	106

C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_neikianalytics.exe" C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\28d955851af99c90ea23d9dff336810959b7ca7be149667a8988b7beeb438dbd_NeikiAnalytics.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4500

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4656 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4656 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4912
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4656 CREDAT:17424 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
1.0MB

MD5
4a68dbb43459a9c53b00ff8d04906b30

SHA1
c8a6e250addaf788744d8a12aed781f744883283

SHA256
31168891182302398fc2eb0996042fbe59deabe326c9c98cd6ea9b1d8a6b57dd

SHA512
cbc0468510a3ab53fb4c4b9984ad82490a95f2942c8d87b9c965fb909dfd741b9e01a7261c3090d537008d10ed981fd98775f8cf96e18b06088b07e7ed98ac58

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
1.0MB

MD5
ead8d8f0f4e5523b84fa9c542b8524db

SHA1
f0623bfd263c243e29db870ef471d7644fe45b41

SHA256
9a28ea3e1ded04a73df395be51038f680d8fc18fedd41619584e389429088b1e

SHA512
784eb2f78d190a01c9ab2c930fc907a03747bb34d32fd75c04d979aac0972be2c0284b7c1fd68fe87b98a2185dd0989510c21773f7bdda30bbc54c2d6d5caeb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D5DFSS0T\bzWoVnJvn[1].js

Filesize
32KB

MD5
f48baec69cc4dc0852d118259eff2d56

SHA1
e64c6e4423421da5b35700154810cb67160bc32b

SHA256
463d99ca5448f815a05b2d946ddae9eed3e21c335c0f4cfe7a16944e3512f76c

SHA512
06fdccb5d9536ab7c68355dbf49ac02ebccad5a4ea01cb62200fd67728a6d05c276403e588a5bdceacf5e671913fc65b63e8b92456ca5493dae5b5a70e4a8b37

Download Submit
memory/3560-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download