0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 18:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
Size

1.0MB
MD5

128c81bbb304a3161d1230d9ba0e42d9
SHA1

92111ee4933325782937fa078f8fb9f11f4ad0af
SHA256

0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853
SHA512

bf8f506a54a80a893ad9e23b2fe20ddd6d12c22486c12c7eea264e75c164276a26e715e966d12fcf9e1a8e57934bf2c68b8412c8d337fab9cea6b963ad09c558
SSDEEP

12288:rVCk33HF6MVLsaQkNzwYkNWoaiiy4Ammme3zvGgQTyVhosftZkb2T6P3:rVCAkMVlNznPyYe3zvGtGLos03

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	acrotray .exe

Executes dropped EXE 4 IoCs

pid	Process
3020	acrotray.exe
1924	acrotray.exe
1564	acrotray .exe
3136	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\common files\java\java update\jusched.exe	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601ed39653bfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000ddcd9882338b8345a3ee13007548850406830320d2a4d2712a4e218749134bee000000000e8000000002000020000000ddc5da924967f47acc9abd9dd4220e6ac0e12d3362ed8da03f419c792a8c266320000000ccb93a2d625577cc33f8acd3b971eca1feb9c42565139782b2e337d94c0f88cf400000007daec9ddf183d724fffbf04fa0408140487cbe53c345e5adde150675fc0fa68fb98b4ac6953de23d6d5102dcb00db4dbd606181d9105aafd05591f2c413f91bc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424638670"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000db219b9fa8b2fb855814dc1ddd3213240e5e8933606cb0a515de861feb2e71dd000000000e80000000020000200000002942396baec5d838272753c0187ec36d7d00049161b1edd6fc43290e80fc2222200000003098be6a8a59e2d3d052b318ac0d2c428b158c09cee29527b73d2e3ec3028a544000000096b5fa2d97f6640a8b3d287b818a5e819eae40550d49ec3adeae3507ef80dad01f9a8af17f9fdaf521c7186d5bafb0ff8042c8973bd12a63498f5f3bc50455ee	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AE06A380-2B46-11EF-92F1-F6D93F980912} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09c8a8753bfda01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
3020	acrotray.exe
3020	acrotray.exe
3020	acrotray.exe
3020	acrotray.exe
3020	acrotray.exe
3020	acrotray.exe
1924	acrotray.exe
1924	acrotray.exe
1924	acrotray.exe
1924	acrotray.exe
1564	acrotray .exe
1564	acrotray .exe
1564	acrotray .exe
1564	acrotray .exe
1564	acrotray .exe
1564	acrotray .exe
3136	acrotray .exe
3136	acrotray .exe
3136	acrotray .exe
3136	acrotray .exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1924	acrotray.exe
1924	acrotray.exe
3136	acrotray .exe
3136	acrotray .exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1924	acrotray.exe
1924	acrotray.exe
3136	acrotray .exe
3136	acrotray .exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1924	acrotray.exe
1924	acrotray.exe
3136	acrotray .exe
3136	acrotray .exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1924	acrotray.exe
1924	acrotray.exe
3136	acrotray .exe
3136	acrotray .exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1924	acrotray.exe
1924	acrotray.exe
3136	acrotray .exe
3136	acrotray .exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
1924	acrotray.exe
1924	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
Token: SeDebugPrivilege	1552	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
Token: SeDebugPrivilege	3020	acrotray.exe
Token: SeDebugPrivilege	1924	acrotray.exe
Token: SeDebugPrivilege	1564	acrotray .exe
Token: SeDebugPrivilege	3136	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1292	iexplore.exe
1292	iexplore.exe
1292	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1292	iexplore.exe
1292	iexplore.exe
3076	IEXPLORE.EXE
3076	IEXPLORE.EXE
1292	iexplore.exe
1292	iexplore.exe
3968	IEXPLORE.EXE
3968	IEXPLORE.EXE
1292	iexplore.exe
1292	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1552	1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe	83
PID 1204 wrote to memory of 1552	1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe	83
PID 1204 wrote to memory of 1552	1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe	83
PID 1204 wrote to memory of 3020	1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe	86
PID 1204 wrote to memory of 3020	1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe	86
PID 1204 wrote to memory of 3020	1204	0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe	86
PID 3020 wrote to memory of 1924	3020	acrotray.exe	89
PID 3020 wrote to memory of 1924	3020	acrotray.exe	89
PID 3020 wrote to memory of 1924	3020	acrotray.exe	89
PID 3020 wrote to memory of 1564	3020	acrotray.exe	90
PID 3020 wrote to memory of 1564	3020	acrotray.exe	90
PID 3020 wrote to memory of 1564	3020	acrotray.exe	90
PID 1292 wrote to memory of 3076	1292	iexplore.exe	91
PID 1292 wrote to memory of 3076	1292	iexplore.exe	91
PID 1292 wrote to memory of 3076	1292	iexplore.exe	91
PID 1564 wrote to memory of 3136	1564	acrotray .exe	92
PID 1564 wrote to memory of 3136	1564	acrotray .exe	92
PID 1564 wrote to memory of 3136	1564	acrotray .exe	92
PID 1292 wrote to memory of 3968	1292	iexplore.exe	101
PID 1292 wrote to memory of 3968	1292	iexplore.exe	101
PID 1292 wrote to memory of 3968	1292	iexplore.exe	101
PID 1292 wrote to memory of 968	1292	iexplore.exe	102
PID 1292 wrote to memory of 968	1292	iexplore.exe	102
PID 1292 wrote to memory of 968	1292	iexplore.exe	102

C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
"C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe
  "C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe" C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\0ca0ec9f55ed50e31c7b7f13a6fe152224915a0c4df5f8bb0f84314ec2799853.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3136

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3076
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:17418 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:17426 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
1.1MB

MD5
9595f8fa74be40556662d50ab10127e9

SHA1
62db7bfcf085681e486ca13e9775626035db77a7

SHA256
e3cf0efb8fe8e16b7215f335057e6f9bc997b41005c2b4ccec7eedc5376d0ae7

SHA512
4ebd3f878cf71ef0c59dad72938f69ae4b022490d97d0a3836cf6a6d15a9a6645b496030e48b8c48382706dfb3c858840bf6582436dc1ffb29f74903626c26fc

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
1.0MB

MD5
737fa45ad31c081ac29c34b95c917461

SHA1
36f7ebcde19572f730d33d2f739db70fe387b4c2

SHA256
091c2490f819d99d71e9648b8ed10fd549bbe9a9443a243cf4872f6d763d58d5

SHA512
39eb4b44e61d4c38e2a5f62591150a97a301508adec5d1331d46d6817ac260562c1bed5b908c594047c7126c765f0e06d3399aadc7fac92bde06f28e97bd67ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
896c36321adb0c8d430eebe4237dd3cd

SHA1
425f7ed14ddf8264f2482b24b7ea357600c2f955

SHA256
ff5976643dded2ac215d644b3c5d68d239f9c0139abbb5c6fba8569a7d4394da

SHA512
98dc35f12b5fa28fccd2fbcda2e97b534ba01703ee67c41be71b9f243315bcd9adae02432740896654774a0936e76602649472fe0b39e2e84bb06551df7afa98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
9d2e869649c7109f1a601274875f4eb8

SHA1
06f88e9e3a6fc889254c047eea6927f81dd5c6bd

SHA256
b6e931a7ebe3cddad3e6ac265f36a33d3f702259033764e032e06d5a4b1eda98

SHA512
7aa39c96601f2514338408b95115200df6bb43413e799aac78012f79e8dd9cd97bc73bdc7a13fc6d98121f6e41cc9befe1c2c33fa91d769c1ebe81f1030653c9

Download Submit
memory/1204-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download