14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8

Analysis

max time kernel
142s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
Size

622KB
MD5

4b025c5ceb5fca6da9bc97826731662e
SHA1

0007aee151ee1c121ae495cb1a748b0cbdc12bd7
SHA256

14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8
SHA512

438517b2fd026079385958fdf477f5bf85b8290253c47c876e99810805d2b05bf37eef9f9ca7e5a6c7dd6f540a56d4c4d258c36c1b58c6cdd097c0adc4d1b0e3
SSDEEP

12288:6Sq7BGgknkKQ/+AgEwDO4EwF2eNQ7m1C1+u88:6SWBhknJQ/+kMNh1w+O

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1476	acrotray.exe
3028	acrotray.exe
2892	acrotray .exe
436	acrotray .exe

Loads dropped DLL 4 IoCs

pid	Process
2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
1476	acrotray.exe
1476	acrotray.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800e0ebec520db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7DBDE41-8CB8-11EF-8121-F6D98E36DBEF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000a3a357b463014d769a471ac171e84bd8d5b206bd82f1cbc41bb6866bea7b74a1000000000e80000000020000200000007caffc6b64fb7e8d1545fe460bfddec779a42afe6c5f936444855afa0d4e15cc9000000061374233a54006ed4d5279839a0b71640f2a2fae4b8351478d288ef57f610b31eb6e8741ad42cf8b1b48c9fc1a447798be9d80fdb3d43426a75bc143e311cc684198fc7da1212024d60df8acf4c83707b6d297610371594d9a48cad01436883fe149bc0c67dbe6dbe1692ed46c8a7ebfd2fc770e30071179bb457c76be3f565ce3ffbb6c765cb8e9d2724d7d7d756c55400000001caa2b029c73708c3c79574e481469487dec68a6e20ef099855e59f5059e1a4cb29f9fd65402428ffdb6f65ed36702434322c4bbfdf9e5c71c644240f6c4ac74	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435352995"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000001a72752415639a3da2c88337a481e6316cb1aca4d162e00974dbf3b313d53187000000000e80000000020000200000006eefbfb1fefe84fdbd7f4f7c9ecbe76798db5989405c04c4e5dc2579198a8638200000002ef0ce14a41dbd016c9d0f29e8597c8f351aee956485c296f6c99d6d5372fdee40000000621f3dd82dd8faa980393e675f3cf70f1bdec8ae997b9ff30d4000e26e9edc913f38928501f8fa8086c4656ede67d74edac75f2fbd535c0ab1406d703bfac3bf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
1476	acrotray.exe
1476	acrotray.exe
1476	acrotray.exe
3028	acrotray.exe
3028	acrotray.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
2892	acrotray .exe
2892	acrotray .exe
2892	acrotray .exe
436	acrotray .exe
436	acrotray .exe
3028	acrotray.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
436	acrotray .exe
3028	acrotray.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
436	acrotray .exe
3028	acrotray.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
436	acrotray .exe
3028	acrotray.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
436	acrotray .exe
3028	acrotray.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
436	acrotray .exe
3028	acrotray.exe
2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
436	acrotray .exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
Token: SeDebugPrivilege	2240	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
Token: SeDebugPrivilege	1476	acrotray.exe
Token: SeDebugPrivilege	3028	acrotray.exe
Token: SeDebugPrivilege	2892	acrotray .exe
Token: SeDebugPrivilege	436	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2868	iexplore.exe
2868	iexplore.exe
2868	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2868	iexplore.exe
2868	iexplore.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2868	iexplore.exe
2868	iexplore.exe
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
2868	iexplore.exe
2868	iexplore.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2240	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe	29
PID 2396 wrote to memory of 2240	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe	29
PID 2396 wrote to memory of 2240	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe	29
PID 2396 wrote to memory of 2240	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe	29
PID 2396 wrote to memory of 1476	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe	30
PID 2396 wrote to memory of 1476	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe	30
PID 2396 wrote to memory of 1476	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe	30
PID 2396 wrote to memory of 1476	2396	14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe	30
PID 1476 wrote to memory of 3028	1476	acrotray.exe	32
PID 1476 wrote to memory of 3028	1476	acrotray.exe	32
PID 1476 wrote to memory of 3028	1476	acrotray.exe	32
PID 1476 wrote to memory of 3028	1476	acrotray.exe	32
PID 1476 wrote to memory of 2892	1476	acrotray.exe	33
PID 1476 wrote to memory of 2892	1476	acrotray.exe	33
PID 1476 wrote to memory of 2892	1476	acrotray.exe	33
PID 1476 wrote to memory of 2892	1476	acrotray.exe	33
PID 2868 wrote to memory of 2888	2868	iexplore.exe	34
PID 2868 wrote to memory of 2888	2868	iexplore.exe	34
PID 2868 wrote to memory of 2888	2868	iexplore.exe	34
PID 2868 wrote to memory of 2888	2868	iexplore.exe	34
PID 2892 wrote to memory of 436	2892	acrotray .exe	35
PID 2892 wrote to memory of 436	2892	acrotray .exe	35
PID 2892 wrote to memory of 436	2892	acrotray .exe	35
PID 2892 wrote to memory of 436	2892	acrotray .exe	35
PID 2868 wrote to memory of 1936	2868	iexplore.exe	37
PID 2868 wrote to memory of 1936	2868	iexplore.exe	37
PID 2868 wrote to memory of 1936	2868	iexplore.exe	37
PID 2868 wrote to memory of 1936	2868	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
"C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
  "C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275470 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
631KB

MD5
10a9f5eb93ac56331ce1d662eef02338

SHA1
d48d141bab883b693e2e2fdeec0c0f8bfcb0da83

SHA256
e3ab166919e6efc389b8889ac8d58ade0725e14298f109e8c0cda8fa0943be35

SHA512
a6705d246cb3130474bbf79b649d1eeb0c6ab02e8b5d258361ce08b331946eafdaef779d3610ea5b87f958a4a495caf8fc1b28f8b876df46ace3838188d7d3c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e0660ff0a0b92e64a74d6f71927abfd

SHA1
344c40993b0bdac51da21bfc9715f0e43dbf9664

SHA256
2c3bee976711a75ae8ee87bb00e341d349e898ef96dcb6e1c68e45ed12b05fa2

SHA512
83c3fb88ac038c17d7dde7d23b687ddae7d3238a2ed3d65b472a7412734cf14bf2f825f00f8396f64b0b70632d820ca8f6457935d1eee7d51c1f6bad5d36d0b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39f75ae4fc87d50f6dce2f4243e747de

SHA1
4b50035663758a2b25dc814e4d8c02faf4e879fd

SHA256
a1f168c1f933cef72ba79cf0f8e75845238bb12edf2c71bf510dff45596befd0

SHA512
7a32b90f7a8350ea37265be6d0309b6316c94451f6e79fb9829184b61b060f516a07e0b7b6f4bb35a1659a9dc5e947fd95fe10d408b305e43d0f10b0c58cd020

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0884d0e45ad70cce856b613c328d9d2

SHA1
db18e37fc947de6040aad58a1ebb1bb2eeb6c061

SHA256
e4e7c1a57cabba47388669bd439d683c5a7e48a1e611f273d7e0954007a8d10b

SHA512
4dad4ce66cba1191994f2d6d48bf0da451bb1a5f18497c4e8a85442bf58261f4a6e2276cf4fbc7a41074411cca9c6025661085038afe419240a1067c0404d6b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e52827f25441cecd2c4b207cb58a375b

SHA1
6b8dcb112e477ce41d97343af08e1ec65327597c

SHA256
b44a0910ea8b862cb269c8bc23d5e88327a4a633dea94cedb5e82a36971bf2a9

SHA512
3e7a92c9daf29e19c3aee5ea994477e2918c3765a22cfe252bf4cc42025c1d3b4e2e5e6bf9b7a490512ef81dcf9ad02078acb58de631e2e09e0b21d92b114305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ce57cab1742fe6b2c0d364d8ebc046e

SHA1
b4028953ea851b95620fc441f9c310b6e8d0a4fe

SHA256
c9122352cab7cc26d4d800a7a072f481ee8ea8e049f0a2ea0c773c30dbe80964

SHA512
7bcce5b0fdfc2831fdf582264fc4060338c30dd60b4dd75db6b325cf28c182c99229a709d67bd50032927ea044587976d716d48b8867eb09b7ce5f48ed6cb41c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f667a08eecdf822493fbe64dbeb910f

SHA1
35c8ae13f4aba74db4d27401f525ad4d19e0a55d

SHA256
50059bc501b9b32e82e8fc08712a349058e541edd7d93cfd6c0e3fbcdb3db689

SHA512
752b7a58c0e0d44935bdeadd7b31ff4aa64bbab600468dea156345684e96381769c3644ea1278475722dd6621ef2e59653b44b55923ce8934746c64d019c01e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e6c5b1c5a735000ed040f3c7e5b8f2c

SHA1
6b0c506cd34e418b3e6839cd3f8113a51108a5a5

SHA256
6921cf92883716063cf9b218331315d1b1efd0bb694f5b48037ee8f98f334f0b

SHA512
d5d92becf031808c31b3a5410e31e74bde7277bdc5b7fb4f1903032856f4e4ff39e60530ceee027500c589730561d4bdab92c8aea595df90749bebe250533048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe4fd69ea095c9ea68e5f82138bc53d0

SHA1
9d3cdecb869a7a14997298ab3f4d4c6eda216c8a

SHA256
117365fa20e184f38e1dd306f8ee962ee98f3eb01bfb2834dd3739751bd42f1b

SHA512
1ec3b6a95412db0896ac9a7e71ad186782d8dfd0fa9dc64c3c0b6b98722573659a8283c3c0c1c3004a04bdd019dc27284914f29b609ee3e469c1bbd2af0dae3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2397a7ccfa775c6614af2aba764f8569

SHA1
66a445edbea474a3687aae50fecba5252a45c6b7

SHA256
f9a813373e537e02d7bf7a4576622cd0fd8d91818088dbf711383b1b371652c8

SHA512
327dd5fc068908a72b930328e2eb3dce65b4e6b3bb89148e5f1e7b2f9641c786133ce8d016458a493363ff647db4fb4dc7790521d5a3d6415e7802d70506b371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c79d0b61f097a3e575b6bc620b1beeb7

SHA1
f46988f2e678dcb65af3b41113c18ef9cdf32401

SHA256
e719ab1ee67cbd25e5d25969f76ba861d8c53c4481338d27f7e2e887300696e5

SHA512
fe154c7222c64bb270d378cdaa1cea8d754e23f70c2ad5b68e965aba339421a408fae8a51b4037248bd1f179dbf62ffa75528a65b9b47ddbec5f85d38decfbd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89ca1d3d3a9cace4f59ede8467034589

SHA1
dc5e9c800624dc321fd7c871b2a6ade1229eb67b

SHA256
c67c3fc8605ab4aeebbfdce633fce142d7c3c667d2be7a4f1328ff2407c6f212

SHA512
1e28d26da0a384a70ef8dba64bfb56960da9d789c6d76152f99a7d1629994aea771c12efccb57ba7997757c7e6774d7277804ee6f7ba7f6d1f1f72f881d8ea5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2550649b86d4ba4619f397dc604cece1

SHA1
a266d4f809265209b368e0ac193827918ea5aaa4

SHA256
59a91daf16a2cf7935bc1b0a73b1b670aceacd911abb8c09b594aa8bbd12aaf0

SHA512
13e0de9eb84ff94806433b9ca71569cdf79a2fedf93dd7664875d61ff4e646e1227a5cc42c2700d58423e8eab3d3ce7dd464cad805a34b17f1828db27609161d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea79be1d8dbde13500fb66acb8478029

SHA1
914bbf90ad61fd827e78124dbcce302bc2414308

SHA256
d02b4b81c71533ef27e25a48ea7d6db55775816aeadc2ef253258add8471928d

SHA512
f44d038c029276aff037feb373b04b087bcd4c1e4d39eec6618d370dd6f0e03ffdc868d4cb10a90468c8f8f0781a23c6770af74e2d3340333fe4e7648e389a1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
697065dbf662574dd7772bd88ceb4322

SHA1
50f6578402dbbda77f5e2e83420e1debfa398e9f

SHA256
d2edd075be048aa83cc4a488f7929d247b7e267a3d0a1099f349a4a8640e9014

SHA512
21ff2a274d516da2fce2cb55f5adb3ee88273d4725528156382ba8d84de161fa55f3893fd47579751aba86d8a573558e7b9c1607ad9fde6e04cb7a00b9690efd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb5759a5ba3d5865d8a200097d2d0519

SHA1
1a7e4084b7569c47069e47276449df5a830380f9

SHA256
dfeaf6b90149802ff0c4ceb5fcba19d32b44fd027ddfffc3dc8fb3655a066c60

SHA512
c1924a4dd404df56447b7ba93175beeeb550cb13428c9436cd3bdf6515549173851cb89031a0a742592308de8c2f75facea2f24ca65a79742b5b1a1a67dedfc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2748e38dbc0f6d7f41892830bee9d08

SHA1
1ee9fd661dc4a76850f778bda72c3c4dfd474252

SHA256
f1b27e6cd651e2896f8a8da76fdb67f04dad7456fad7308c43c81749100370ef

SHA512
3adc396d932f196cdd75c2aa04ea641d201f1e9f581c4300b7a692e1ac9040d3553bfacf0438b76863b8a5ab289a058225b226f0ca2b44d2500cc6c9b38fc113

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75da61d7d3f26ad515d7f495551667ec

SHA1
c8a688761236894bb71650570d84987d1e0a54c1

SHA256
ba84d66209cff716298154edd710164b9f2de37544bebaf82b7089b8d6988801

SHA512
7bfb6930198526f2219e758312806f6b150b22993ef4abc0a1506f079df33afb11391825888a69ee8dd61b7dd4476def492e1e302eed27aa9bf053c8d2948673

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
948a915641b081681d097644e1842302

SHA1
6a2537bf68e248ad0828786b988a877914eaaf91

SHA256
c705a8c593ab0d84ee0352ef140633b74cac2de0776be45ef106de527e24efde

SHA512
b4ad29f4dee1a8290eb0b20503d87829990fdcb4334ac0121aa5f9cfaec026ad7bae26e07daa87699914e097e954c7b8b87078a328bcd00a631dcec85e2a5eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7935c7c7fab62d0b3033e00ce12d873f

SHA1
3372f8c674211bdfaaf9fa535ac26a567a3104bb

SHA256
715567de0bde2a6f7d76802f1328aee6d49441372e5ff06e01c92d861b031e82

SHA512
bc755f93e205e5cd90416d27240f8744ae82a34843fda3f035ea72ffa48c80192983a9cbe53b4f0f82d5433b72dc1a7b3d8d589197c763354a5669a1912ecd53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\bwwqJZcAb[1].js

Filesize
33KB

MD5
285520bc859a840449187cc43864a1cb

SHA1
3d85ac9801d3cc9a3577bc6f6ef3c754d2677dff

SHA256
ac8e37a73437f2c13789726ea053c21fcdfd485896aabd6498702064968e34da

SHA512
7d99e9b95ed4fdc8a510b3830e7948be99d55edfac91ec71c4c7e534176a25ebe48c1955dc39a950f1a3322ef7d18910048c16492ebb9ff54d517a294602d6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB9A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC58.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Adobe\acrotray .exe

Filesize
631KB

MD5
4bc489269ca39b353ae2d07ede7cfb1c

SHA1
d0385820a9b90fd0bbd77c55871e2553486815c8

SHA256
97619447c9dc0947fdb2f66058a597aed4808edb2a33bfcf156320cbc2287429

SHA512
89de2e55e83c8fdb7fae77a61088febaa73607993d6e0e2b89696ed4c15b0f123cb2397f1c84e8abd138a982993719bf6123f3ba6e86a0f5ad46a9c12f0eda25

Download Submit
memory/2396-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2396-35-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download