b2f12373ff1c472bc85fa522d4a791ded7472af0a9493dd7859cd9408b5412c5

Analysis

max time kernel
117s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbbc6b889139695429b718d2df58eca0N.exe
Size

1.9MB
MD5

cbbc6b889139695429b718d2df58eca0
SHA1

07910a4bc346a740409046227c7110619a0bc937
SHA256

b2f12373ff1c472bc85fa522d4a791ded7472af0a9493dd7859cd9408b5412c5
SHA512

666facd0adfc47ad1889ff42b66622ba0a7a2af85302d9a6d3a175b9fb2c497440d69df9d9aaf2811fb6a7083d2b909992a3d5a7f4c5c597f0eff63801a98ec9
SSDEEP

24576:eTCwOJFNEy558fDlu4hKWBAjho5i9cBM9vyXsxDjQ0CIY6EDle0qji:0OzN2cTBw6ge8

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cbbc6b889139695429b718d2df58eca0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	acrotray .exe

Executes dropped EXE 4 IoCs

pid	Process
1612	acrotray.exe
3152	acrotray.exe
4280	acrotray .exe
2448	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	cbbc6b889139695429b718d2df58eca0N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\acrotray .exe	cbbc6b889139695429b718d2df58eca0N.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	cbbc6b889139695429b718d2df58eca0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbbc6b889139695429b718d2df58eca0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3020621253"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31131321"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02739a3b906db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d027a9a3b906db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3020621253"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd0000000002000000000010660000000100002000000099e0fed1aebb04aa01ffae23c91ed44fb378de7a73f0f5452fcb30c21651b0ee000000000e8000000002000020000000cd4bc4f1f59e3c02083875313923d8bc47f7ee70b448cfd1cbb3f62c29f49e4420000000de2346f23e0055626291563c6ab851e4a07c185f37e797f2a5854b4be3e468154000000059c02bc6fef203b6bb783f84dc6d0cd96fc43aabc5d55be2d3c34f057f42bd02fa2f25db825848aec5a1014e8a6c6b3be162ec626ba5396b39e57f3e6d34fe5e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd000000000200000000001066000000010000200000005cb210439a906e50b554f8ff9726fc9a94a751408744a88c294a2237bc57a359000000000e800000000200002000000041329de752a08323d73c02dbd9fb5075b13993428d4e72454b0bbf36e55af60520000000b813fc4402b7598d3fb114e906e5a664444d66e5bc1a957c24c605102904f7ce400000009d21e13b13060248fb70ea157108008d226013e317469e161ec2d25e585270278d3310a966c7cce05ef1453e2af28666bcddf747f53ff17b6b3c92ffa8778c6f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DFAD658B-72AC-11EF-98CC-DE20CD0D11AA} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f656afb906db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000daef345bd05bbd59d2f07735795d65fad8695d5d660d94b0cc6699487d83a15e000000000e80000000020000200000008c4cc51274a2bbab8cfa07978b9c41c598049b548c8a27dd96a68f83a83f400c2000000021e390c6d3d3cce245c59f70f508eecbd985fb1b6ca86cc46f7887aba708852b4000000094f698b2d916afb6527c19f8c395441457a472692d9cf4fa73616d00aad184d52b822634659c14c67d5a23c5cbbaca9e4844c9dea7f2237c4c83f4a0d43d2f2c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000295ed11ea1c7f4ee0add36636c493f44a6620f7d01fe7ac013dbe38ccdb4facf000000000e8000000002000020000000bb5b9c0fcfa54a34991b3a375f1e57b6a5b69a95ae098358f18517d9ed44b9d920000000cb7a740cd984c33458e1d2a0ecb65cfbc38017169c268d6659c5ade72e13fa6c40000000997bd5f8f0016569a941d0eb2396110ba28dd22ef627966b70db57e8586befbc15591720287db4c813c56a547065c06868d14c70b38e12a978cfc4125764cee9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0bc7abfb906db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131321"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2848	cbbc6b889139695429b718d2df58eca0N.exe
2848	cbbc6b889139695429b718d2df58eca0N.exe
2848	cbbc6b889139695429b718d2df58eca0N.exe
2848	cbbc6b889139695429b718d2df58eca0N.exe
2848	cbbc6b889139695429b718d2df58eca0N.exe
2848	cbbc6b889139695429b718d2df58eca0N.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
1612	acrotray.exe
1612	acrotray.exe
1612	acrotray.exe
1612	acrotray.exe
1612	acrotray.exe
1612	acrotray.exe
3152	acrotray.exe
3152	acrotray.exe
3152	acrotray.exe
3152	acrotray.exe
4280	acrotray .exe
4280	acrotray .exe
4280	acrotray .exe
4280	acrotray .exe
4280	acrotray .exe
4280	acrotray .exe
2448	acrotray .exe
2448	acrotray .exe
2448	acrotray .exe
2448	acrotray .exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
3152	acrotray.exe
3152	acrotray.exe
2448	acrotray .exe
2448	acrotray .exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
3152	acrotray.exe
3152	acrotray.exe
2448	acrotray .exe
2448	acrotray .exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
3152	acrotray.exe
3152	acrotray.exe
2448	acrotray .exe
2448	acrotray .exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
3152	acrotray.exe
3152	acrotray.exe
2448	acrotray .exe
2448	acrotray .exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
2180	cbbc6b889139695429b718d2df58eca0n.exe
3152	acrotray.exe
3152	acrotray.exe
2448	acrotray .exe
2448	acrotray .exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	cbbc6b889139695429b718d2df58eca0N.exe
Token: SeDebugPrivilege	2180	cbbc6b889139695429b718d2df58eca0n.exe
Token: SeDebugPrivilege	1612	acrotray.exe
Token: SeDebugPrivilege	3152	acrotray.exe
Token: SeDebugPrivilege	4280	acrotray .exe
Token: SeDebugPrivilege	2448	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4796	iexplore.exe
4796	iexplore.exe
4796	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4796	iexplore.exe
4796	iexplore.exe
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
4796	iexplore.exe
4796	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
4796	iexplore.exe
4796	iexplore.exe
2364	IEXPLORE.EXE
2364	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2180	2848	cbbc6b889139695429b718d2df58eca0N.exe	86
PID 2848 wrote to memory of 2180	2848	cbbc6b889139695429b718d2df58eca0N.exe	86
PID 2848 wrote to memory of 2180	2848	cbbc6b889139695429b718d2df58eca0N.exe	86
PID 2848 wrote to memory of 1612	2848	cbbc6b889139695429b718d2df58eca0N.exe	94
PID 2848 wrote to memory of 1612	2848	cbbc6b889139695429b718d2df58eca0N.exe	94
PID 2848 wrote to memory of 1612	2848	cbbc6b889139695429b718d2df58eca0N.exe	94
PID 1612 wrote to memory of 3152	1612	acrotray.exe	97
PID 1612 wrote to memory of 3152	1612	acrotray.exe	97
PID 1612 wrote to memory of 3152	1612	acrotray.exe	97
PID 1612 wrote to memory of 4280	1612	acrotray.exe	98
PID 1612 wrote to memory of 4280	1612	acrotray.exe	98
PID 1612 wrote to memory of 4280	1612	acrotray.exe	98
PID 4796 wrote to memory of 1684	4796	iexplore.exe	99
PID 4796 wrote to memory of 1684	4796	iexplore.exe	99
PID 4796 wrote to memory of 1684	4796	iexplore.exe	99
PID 4280 wrote to memory of 2448	4280	acrotray .exe	100
PID 4280 wrote to memory of 2448	4280	acrotray .exe	100
PID 4280 wrote to memory of 2448	4280	acrotray .exe	100
PID 4796 wrote to memory of 2112	4796	iexplore.exe	102
PID 4796 wrote to memory of 2112	4796	iexplore.exe	102
PID 4796 wrote to memory of 2112	4796	iexplore.exe	102
PID 4796 wrote to memory of 2364	4796	iexplore.exe	104
PID 4796 wrote to memory of 2364	4796	iexplore.exe	104
PID 4796 wrote to memory of 2364	4796	iexplore.exe	104

C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0N.exe
"C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0n.exe
  "C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0n.exe" C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0N.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3152
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0N.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\cbbc6b889139695429b718d2df58eca0N.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2448

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4796 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1684
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4796 CREDAT:17416 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2112
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4796 CREDAT:17420 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
1.9MB

MD5
71e753b6436ecb7ea3c416b89eab16b9

SHA1
184d5523fcaaf39df6a9920a6c75c6238104e66b

SHA256
b00112b1926f7b696c01e0765815b936fdebf4f3b74724b6396bcf867f79b09f

SHA512
ba871da0560958515311bd0caa4a19c471083cb16031ff509d59062bd7d231769cc95b1fedd79f73dfe4b4dafec761f027799f279d444de5d3f40c82b9d1da21

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
1.9MB

MD5
38aad3f2a5e036f9ded551e3ac677afe

SHA1
fe3b5da8972e430853c142c8ece7c9aa9b1d6035

SHA256
0943d999764f0effa1f8a729f037077ca04eb4244f178740fbe1a57fe737fec2

SHA512
3e37280ba866e453107acf6ac778a86a1879a9a9f84634c3a0ec973b968ef77cd2a97229ba061b4f0bd29612177d64b856813b10234fe78d5a5cce836792575c

Download Submit
memory/1612-76-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2180-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2448-33-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2448-79-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2848-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2848-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2848-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3152-77-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4280-78-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download