3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
Size

1.0MB
MD5

303773d37e2eb56b9698d9088093c52e
SHA1

a8d5071c34a1f9c4047d47f7301dc7069e2bc4fd
SHA256

3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca
SHA512

929f93996ef76647d2af90c6a5bd4a9c469c8211cd471d939203485ef4e4b11b3f87d11f53b4cbc17d744d6920e5d2f72549c8e02d72b0b52791306ee7f42a25
SSDEEP

12288:Wh3ZukLF5fRY5a/6GX4D1DwhHd1zrwLof5e3glqu9s4uEpVTbKUMHyE2s0M:WhMkxlRSaiPDi3+kfxpOg/MHT2sl

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

acrotray.exeacrotray.exeacrotray .exeacrotray .exe

pid process

2576 acrotray.exe
2496 acrotray.exe
2980 acrotray .exe
2804 acrotray .exe

pid	process
2576	acrotray.exe
2496	acrotray.exe
2980	acrotray .exe
2804	acrotray .exe

Loads dropped DLL 4 IoCs

Processes:

3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exeacrotray.exe

pid	process
2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2576	acrotray.exe
2576	acrotray.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe

Drops file in Program Files directory 3 IoCs

Processes:

3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe

description	ioc	process
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000009984cfecc68b499673c88ac828c8061c08f2523d7c51d9cf9132f554765fa333000000000e8000000002000020000000e0a87dd4ef068d4f3ce760dd8a4d58298e87b9500b2cb28d93f45cd9647825a620000000aa919661ed981fc2a3f99c26c6add5ab53b0356d8847a9721a683df6d6b294e040000000d896c8514e97ef3883a212d72286607ab9f828850c93c5138b3379fbda2dfe99f325204a19c2b4e4ec6d03301f63e58355c6c10e9633117fe313526d145438f7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000004582255f941861df4bf2fa70e48d030064cfe839f61cd84ba45f75839cd1594a000000000e800000000200002000000041eb35c61917a3bbd7a86f164f049cd87f342e75545eecb122b417adf361e63b900000009c54798d5ad120ae2832745f206373a836c81b8925a47cfd5ed17033cc6f310c8282ad296e7719de774160be8e89a49d5062f75ad5f340a0a485dd831e4e842a3a782edf54a77a59c8145c8c20a138a8ba080595cc6c0aff384d2e85ab6831add957e39fd7cba149b6b0226c44f89beb26bf16b5153a377edded2aa92c2ea87337789f89cb8e0a4043168958a574b97540000000356d286f61716628fc22edcf448fb1a25d5ff9d5f244c5c037e0f3135a70c41b657f8d732d13478c7ae20f2617d7df68904d1dc5d236404d4ee16ebf4178ecad	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422572806"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6016e68b89acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B631EFC1-187C-11EF-88AC-F2AB90EC9A26} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exeacrotray.exeacrotray .exeacrotray.exeacrotray .exe

pid	process
2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2576	acrotray.exe
2576	acrotray.exe
2576	acrotray.exe
2980	acrotray .exe
2980	acrotray .exe
2980	acrotray .exe
2496	acrotray.exe
2496	acrotray.exe
2804	acrotray .exe
2804	acrotray .exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2496	acrotray.exe
2804	acrotray .exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2496	acrotray.exe
2804	acrotray .exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2496	acrotray.exe
2804	acrotray .exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2496	acrotray.exe
2804	acrotray .exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2496	acrotray.exe
2804	acrotray .exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
2496	acrotray.exe
2804	acrotray .exe
2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exeacrotray.exeacrotray .exeacrotray.exeacrotray .exe

description	pid	process
Token: SeDebugPrivilege	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
Token: SeDebugPrivilege	2644	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
Token: SeDebugPrivilege	2576	acrotray.exe
Token: SeDebugPrivilege	2980	acrotray .exe
Token: SeDebugPrivilege	2496	acrotray.exe
Token: SeDebugPrivilege	2804	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

2584 iexplore.exe
2584 iexplore.exe
2584 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2584	iexplore.exe
2584	iexplore.exe
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2584	iexplore.exe
2584	iexplore.exe
752	IEXPLORE.EXE
752	IEXPLORE.EXE
2584	iexplore.exe
2584	iexplore.exe
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exeacrotray.exeiexplore.exeacrotray .exe

description	pid	process	target process
PID 2256 wrote to memory of 2644	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
PID 2256 wrote to memory of 2644	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
PID 2256 wrote to memory of 2644	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
PID 2256 wrote to memory of 2644	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
PID 2256 wrote to memory of 2576	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe	acrotray.exe
PID 2256 wrote to memory of 2576	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe	acrotray.exe
PID 2256 wrote to memory of 2576	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe	acrotray.exe
PID 2256 wrote to memory of 2576	2256	3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe	acrotray.exe
PID 2576 wrote to memory of 2496	2576	acrotray.exe	acrotray.exe
PID 2576 wrote to memory of 2496	2576	acrotray.exe	acrotray.exe
PID 2576 wrote to memory of 2496	2576	acrotray.exe	acrotray.exe
PID 2576 wrote to memory of 2496	2576	acrotray.exe	acrotray.exe
PID 2576 wrote to memory of 2980	2576	acrotray.exe	acrotray .exe
PID 2576 wrote to memory of 2980	2576	acrotray.exe	acrotray .exe
PID 2576 wrote to memory of 2980	2576	acrotray.exe	acrotray .exe
PID 2576 wrote to memory of 2980	2576	acrotray.exe	acrotray .exe
PID 2584 wrote to memory of 2340	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2340	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2340	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2340	2584	iexplore.exe	IEXPLORE.EXE
PID 2980 wrote to memory of 2804	2980	acrotray .exe	acrotray .exe
PID 2980 wrote to memory of 2804	2980	acrotray .exe	acrotray .exe
PID 2980 wrote to memory of 2804	2980	acrotray .exe	acrotray .exe
PID 2980 wrote to memory of 2804	2980	acrotray .exe	acrotray .exe
PID 2584 wrote to memory of 752	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 752	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 752	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 752	2584	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
"C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe
"C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe" C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Program Files (x86)\Adobe\acrotray.exe
"C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Program Files (x86)\Adobe\acrotray.exe
"C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Program Files (x86)\Adobe\acrotray .exe
"C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Program Files (x86)\Adobe\acrotray .exe
"C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\3de504d3dd9e6f5d64785525dd2dc5b222765fad1b79635e049af431a184e5ca.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:799749 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
1.1MB

MD5
8442bbdab76e7f9a93df4bfed4d4be9c

SHA1
935081575488b2e00c397730e25af4322543f7bd

SHA256
694bd4c4511cedb39999701ace79e9f2585f7f7d4bdcd05e50315748454a40c1

SHA512
15429af612476cc72a6b9bd00a457c64d07c17b06ab0119e9274ce5de2f83972b016f4d76d16ba363a7e12eb6ed4001ff038f20088032d1f8b4aa4cde8b8927e

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
1.1MB

MD5
d5509c5d3b77759241f380b375e949e9

SHA1
5d07abbec6a371e368ab44341df4e469c7caef71

SHA256
69274e1ce673bb09ef1480a1af64481eef579497359206011d90e49203cfa757

SHA512
f7afdad4c004d5fd28c560059d28732dcdf370c1630e4a15db5a364249919c12737a5ae7188c38b20b950155aa79c6c8fada22244071f59629e61d4d696e3184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
599e23bab279abe4cb5ef29706fd72c2

SHA1
8c2ee058937ff77692c115a87da4f15f95736631

SHA256
c2e6106149dce69ef7938dc3ce788498cbcef38af5ad5b5a980d0cde932331c4

SHA512
cdce4be671ab0d147c4247e72022127fd9bea40d2e4b2110ed8acad1a4757aaf7d234f67988027d046bf24c4accb3ff644c6744be10bd0a65cf867c09869fe17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5053ce13abed05bdb861f31bfb7f7448

SHA1
7b9f75b553c4fa382777841e96b7008020dc45d7

SHA256
5c07cb494920b956c28db54870c8ad70338152ff04b63515958d736f3e4d9d06

SHA512
d5f19167b1d6b42f08caa2d7bb3b002cf06e256f1c5e921b176c18211865cc34223fac939525fea7704e5eb6e7a23ec4e24a03dac388f4d6f044a1e8ef5328c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b856f9070e91fe76b3d6985a705929d5

SHA1
e8cc978db377d9369a5c2a3a032e24a4655859d7

SHA256
5be68f276c4bba5822dc6e7d52dac56a99bb13bad858b0a1dcf38982b867a489

SHA512
3714d5153b7fb1ef183d264e22172b50cea402763a7158c79ad0a0052788a66bad777a1fdff10218d3b701a69553dc1e7fee8bbca384893b7d927e3b23d37dcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6347d69c9086d77875b0b4af010c03d6

SHA1
24b0abeb4485c57fe34fc7b6738cc5e3f5516f5b

SHA256
4ef75efe91389e21dec178432745e08307dc469bf01339b1411520e0b200af96

SHA512
855e3c74b43ec19dcb37b3554ee57e5e5feb2b2daca5f2126162917a52610285427f6b90c3ad3547f54bec73b398975588ba6e99c9d626bfff539ca1941f691a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8287242b9c5420cf540533ad19916785

SHA1
25064b442c78c5961c39baf9d67df3b3cfe5c097

SHA256
d100ed3d19a8f86439dae3a26cebb05c83803f8e7ad3ed7f0fb4df719bad8b5e

SHA512
de23fcbc9b5ca9f6bf03a31c67f56e928c50a2fa7393c34d2dd72f90e6e8e990361c267d226e5b5d3a6d8ee46cdd5180d51ccf522de6c53f09e6ceb56afd7e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf22c7bfa0ce80a55827f02e866ecabb

SHA1
aecab138eb165c732e23000ddac55ddbd8b553f7

SHA256
9fb22f7b021559a05f7c161b4ea320b77982d1bdab7d82d640bcb62ffbfb60b6

SHA512
9b7f6a025f54d1d2c0ecffbb1eb969c1f211c4a7c5ad3b366fc05b299d650c5908f8117735ef757a2cbf525a4d05ca24d7cba2546844ffa4b2d507624da9cfb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f11f073d9843b3693699822ebe33c14e

SHA1
94d7ef6dbc56a529a64eb5968db11597b14d8bc7

SHA256
b83b1323f2fa22746427b2e706fe48715f84588e2ff85df2501799a63e935f94

SHA512
8fd6cdac1ed8ab7d6052eb807e8edf174996c67e11be7bb52fb9ab8fcd43652c83f3753d5ba6460ce80bfb625b723bb1ad151f78a46ce3ae2aa6360cd068e285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da63842da90d9b1074ec1de411035175

SHA1
10b6976a4eab5e731608fa381ae7c1390738192e

SHA256
7e376d2f58c298908ccfce9fc01a5522efd1128ab6006b98f3ee4d83e4e3e08c

SHA512
3f70e6ccc72e24cdc251700771f792f9ac9104e16c49ff2f8dc2a44c61713f8f28a7500c27936da3a2de054444f512f9f9412b5119bdc9c2b9fd2e5bc0644379

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7500271efa16fa25e783a9d719baa44

SHA1
a0b19239faecf7f8c43c294366b0be135ae19d86

SHA256
14cf0fa681c5fac89ca2323c7af192946b0ffa6a317cf6e056edc8e5f0e83a7e

SHA512
4c9bdb2c78cf85f8373bdd1ce79f4b6b4e13d12b8acbfaf80f64a1f1962ae3a19a70c21bc79ab2f8a986c9c9bfd313369adef9d9ac4337f63ca2c65a6944c5c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2a0c4be0aed93af051fa4e5d0a0b68d

SHA1
dc30b3f54967d952f8a8bcea79163783f27c6692

SHA256
0cbbc9c53f367b4480beb51fbcf72fccdddcffbb5ab585c962ab2d7cd31fb176

SHA512
3fb174a4630a194844144431dc4766f94dde9e71b1466f71119d6e8d7bc354f7cbf0970ae647a004a803039ede3521f5a8c0eb27a3c587bf5f2dc82f702238b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20dd15064e1139bfafb176ced98fcba3

SHA1
8bd5e342624714e14dca321eb8e40d53d3e817a0

SHA256
6c3d982dc4cdc57064591d02efa28e3a34741890cf8c48cda3ab2449c622d77a

SHA512
e04930aa2eb73a74cab8db7fa504e5a683a027b525eea37f57d33c26bf080210c09ad4644225caf11ebf9c02eced3521d5c9ffddbba28c8ddb486a8c2571e006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b761c39be3479339c4db625b8ff833dc

SHA1
e828999d89d767d37ff0a74f484b2e312f3b14bc

SHA256
8e105d9590be7330a824d8b7f0cdcabe490644909ee26088f0ed7b241cd38740

SHA512
2ac4f66ab13b0b84d927c233c29863629811baec0c92da56efb1fc0bca0a99e64cffd2d5b7539c05dc3cdf6ae3bbdd1f1067009935ea7548adfaa09e9d67d80e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57112cdfc8e7cbd00e7ea6a4fe24a403

SHA1
c4fff9b1f5f3f8f6600039b464266c78bd86a0d0

SHA256
327ad26635c810bd717b540c8d13dfdf98bd939bdbf776c656a592cfe0a9b180

SHA512
b4694e4874cd2326fbb20725c8a3bcf34ed5baef13d1612db9baa7a107a1bd0d92e61e8c62113c178eca45fa6a80ef02cab757d4f384b13e2fbe2d6b4bc0fd98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afbeabac313c0904b5cf2d17c9d99630

SHA1
cb1794bac2060038c2576f120af9a182f3fe0240

SHA256
da105af33537a7e56a4adc47a706e93229429f26ef5d67b41d9aca53dbbb7b22

SHA512
5d3c81d3396354c7b9956b955e6f6b2f95ee412f024ec8b65c41d738c3eeb4fce7664a7732ba338c0ad6fba57f7158abf2e8858eb888d50c829a62a8cdb2ed71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e9d17e5263565c0207a84fbc76fc1de

SHA1
b9cd63fcebf6544e56919f10d11eb9b044b2dc04

SHA256
a3a7b963f6507b6804ede6a2c8a0d29f84ca1db342d9e9867a7e37afb4796a1c

SHA512
f9a7699687808d2cbd873d9ae3c1914361f082adaf644d4f2ad36defdac36d076e2001a2c9fab0c1c04f24a6654ab066bd82e3abdc22a4169f331999b1798df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f537b460fbee4aaa577745569900913

SHA1
0d0e8a0a71d779cacfd1e3888f6eec7209073de5

SHA256
00a2af7751269cfa03a025b3c590616c914cb54ee4170fd0488624473b4adde8

SHA512
4f37bdccde340cabc5e540b0ca50be2b05e6663b9a4b146e4bc1cca41371991c09a746e26308a094198313884d614d229f45ae32b3b8b3fcb45682647cc27e70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
069015dade4269ffa183ff3cfa1fa644

SHA1
b6524534f09b5112eddf096b5ec63c79f8923555

SHA256
37856c10f3eecb1a084bd19870deabbdf13833727f19c2f16562fb9b4cf4204b

SHA512
3e9302024b439fb993b7bfe97bdd6d3dc99b547df9e28060c66ebdc9e4479a1d9a3badbd7fbd1a77fb98ec920dbe7f083f536a64ecdef9d79346c59609792aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95a34c7e22887783505e5c51f7bb84e0

SHA1
d9bc4efd20a4bc744d568d96cca7bb84be55b8b1

SHA256
e18eb1ac36a5ae4e507f8e113bdd089e8d0489ec9f74fc25cae362edec60b2ee

SHA512
f1f0b734faaadf81595aee70232ab44977dd555efa033c51aaf9caafbde9206f78aabb071da75f537db85d6961fb3d72db86c8ac4919dcdc9ad0523f7b6001f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f7ccfa3c53fb4e46b82d0d41c5a4acd

SHA1
cc0f5a44ae8a634862072f1ad903e584ec95fcba

SHA256
f82c7c26c905c06a41924f8404dadedce8cd980432d2500a1cb65a7f27814919

SHA512
d1dd78003dfa4f4159fbd20d8652162f63b60b9adcb7920fa8f3a6a8b28f45d842b2eeaed2c59a5a624c822bb39946d211c6e652c3d699e6bfc731c8042048cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be39243e82e13c155abc66d5002248e2

SHA1
2c8c40af526059a4c30cd101cb2b6a6b8ed94304

SHA256
f17859682f1159c328088685becbc80cd8f5e38991863812a771176ac737dacf

SHA512
94ca860b669da8d34f3ab1028ac338927691aec12062af8966461680ae4b37ec894404e6413e1f9d6d7edb7c8e788724a23e49bb206adcd49963acc73e14121e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6604.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6686.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2256-28-0x0000000002F10000-0x0000000002F12000-memory.dmp

Filesize
8KB

Download
memory/2256-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download