c29ef1dda157482458bf2b7a936234c4815bea0eeb9278e86e40af127df34806

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92a044fac23c7aaa3a71a201018f5a10N.exe
Size

3.1MB
MD5

92a044fac23c7aaa3a71a201018f5a10
SHA1

786de65efb3cd91e751d21ded7eca24108c6da44
SHA256

c29ef1dda157482458bf2b7a936234c4815bea0eeb9278e86e40af127df34806
SHA512

ad37adf80469dd66b0a49939f3529fa2d87c8ead7f619496c91b4ab188cc369588c44534f60a22557990fcf8459e99f280ee4cf568af7129d9c7ace5b84e0184
SSDEEP

49152:bV/oAVs1ibOg1YXAmpkcshoFG9s5ao1RoWTRAA8x5zWmlNb4Stz+c:J/oAV/VmpnnMsfqWCxhWmlF4Stz+c

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	acrotray .exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	92a044fac23c7aaa3a71a201018f5a10N.exe

Executes dropped EXE 4 IoCs

pid	Process
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
4268	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	92a044fac23c7aaa3a71a201018f5a10N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
4268	acrotray .exe
4268	acrotray .exe
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4268	acrotray .exe
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4268	acrotray .exe
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4268	acrotray .exe
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4268	acrotray .exe
2972	acrotray.exe
2124	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4268	acrotray .exe
2972	acrotray.exe
2124	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4268	acrotray .exe
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4268	acrotray .exe
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4268	acrotray .exe
2124	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\acrotray .exe	92a044fac23c7aaa3a71a201018f5a10N.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	92a044fac23c7aaa3a71a201018f5a10N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92a044fac23c7aaa3a71a201018f5a10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92a044fac23c7aaa3a71a201018f5a10n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray .exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{ACEC84F5-7333-11EF-98CC-EE6C637598CE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c08bb1884007db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000d440a91cf5ef8f95821aaac0cd0a542ad9e9bba3ddf7a663b7180e1e684ef05e000000000e8000000002000020000000e9ed80c8262019c5fe7ecad331c1b1c0afccc4c4c104521afc6544d26528b95d2000000093b13b98a5cd02e2d25814f93ac55a32f62eb1a8ab7dddb061462d972b757fda40000000190dd36af37454674c3eebcf70ededd8e030b5807daadf4d1fa97d3b0beaa4ffc7b06ce3762476d9e871b9dc0d95e72854c11eafe8ff3fd105e82fe41e23722d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10573a804007db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2169275898"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2169275898"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31131456"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd000000000200000000001066000000010000200000000f7c992ea380b4eca0ebbbc2452343b035500f13c0c122ca26c9486818abf76a000000000e8000000002000020000000738579722dd6e5518be0034bdaf046af9f46d803c8e1e5812380226d0b78506620000000ea93f189fcb527e65a524a589620330d497ac72d6a9678ca06b307dcf371612d4000000008515127e7eec4a235dd78ba1edc8c836edfe27f3fddade38017afbb9cd4ed81e5434fcc56fac925eb04332c6af603b9468593675aa2bd79f56830f4fa3fac6c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
2124	acrotray.exe
2124	acrotray.exe
2124	acrotray.exe
2124	acrotray.exe
2124	acrotray.exe
2124	acrotray.exe
4536	acrotray .exe
4536	acrotray .exe
2972	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
4536	acrotray .exe
2972	acrotray.exe
2972	acrotray.exe
4536	acrotray .exe
4536	acrotray .exe
4268	acrotray .exe
4268	acrotray .exe
4268	acrotray .exe
4268	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
2972	acrotray.exe
2972	acrotray.exe
4268	acrotray .exe
4268	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
2972	acrotray.exe
2972	acrotray.exe
4268	acrotray .exe
4268	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
2972	acrotray.exe
2972	acrotray.exe
4268	acrotray .exe
4268	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
2972	acrotray.exe
2972	acrotray.exe
4268	acrotray .exe
4268	acrotray .exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
2972	acrotray.exe
2972	acrotray.exe
4268	acrotray .exe
4268	acrotray .exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	92a044fac23c7aaa3a71a201018f5a10N.exe
Token: SeDebugPrivilege	944	92a044fac23c7aaa3a71a201018f5a10n.exe
Token: SeDebugPrivilege	2124	acrotray.exe
Token: SeDebugPrivilege	4536	acrotray .exe
Token: SeDebugPrivilege	2972	acrotray.exe
Token: SeDebugPrivilege	4268	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5084	iexplore.exe
5084	iexplore.exe
5084	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4176	92a044fac23c7aaa3a71a201018f5a10N.exe
944	92a044fac23c7aaa3a71a201018f5a10n.exe
2124	acrotray.exe
5084	iexplore.exe
5084	iexplore.exe
2972	acrotray.exe
3408	IEXPLORE.EXE
3408	IEXPLORE.EXE
4536	acrotray .exe
4268	acrotray .exe
5084	iexplore.exe
5084	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
5084	iexplore.exe
5084	iexplore.exe
116	IEXPLORE.EXE
116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 944	4176	92a044fac23c7aaa3a71a201018f5a10N.exe	86
PID 4176 wrote to memory of 944	4176	92a044fac23c7aaa3a71a201018f5a10N.exe	86
PID 4176 wrote to memory of 944	4176	92a044fac23c7aaa3a71a201018f5a10N.exe	86
PID 4176 wrote to memory of 2124	4176	92a044fac23c7aaa3a71a201018f5a10N.exe	95
PID 4176 wrote to memory of 2124	4176	92a044fac23c7aaa3a71a201018f5a10N.exe	95
PID 4176 wrote to memory of 2124	4176	92a044fac23c7aaa3a71a201018f5a10N.exe	95
PID 5084 wrote to memory of 3408	5084	iexplore.exe	98
PID 5084 wrote to memory of 3408	5084	iexplore.exe	98
PID 5084 wrote to memory of 3408	5084	iexplore.exe	98
PID 2124 wrote to memory of 2972	2124	acrotray.exe	99
PID 2124 wrote to memory of 2972	2124	acrotray.exe	99
PID 2124 wrote to memory of 2972	2124	acrotray.exe	99
PID 2124 wrote to memory of 4536	2124	acrotray.exe	100
PID 2124 wrote to memory of 4536	2124	acrotray.exe	100
PID 2124 wrote to memory of 4536	2124	acrotray.exe	100
PID 4536 wrote to memory of 4268	4536	acrotray .exe	101
PID 4536 wrote to memory of 4268	4536	acrotray .exe	101
PID 4536 wrote to memory of 4268	4536	acrotray .exe	101
PID 5084 wrote to memory of 2840	5084	iexplore.exe	104
PID 5084 wrote to memory of 2840	5084	iexplore.exe	104
PID 5084 wrote to memory of 2840	5084	iexplore.exe	104
PID 5084 wrote to memory of 116	5084	iexplore.exe	105
PID 5084 wrote to memory of 116	5084	iexplore.exe	105
PID 5084 wrote to memory of 116	5084	iexplore.exe	105

C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10N.exe
"C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10n.exe
  "C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10n.exe" C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10N.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:944
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10N.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2972
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10N.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\92a044fac23c7aaa3a71a201018f5a10N.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4268

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3408
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17414 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17422 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
3.1MB

MD5
86b0c35fbcd589b3c5da400f25b43ba4

SHA1
a9f920922fd887c45cbcde8a6437a32836f423db

SHA256
d6b50cde3041746b6d8c3fac2741597df93668f53d100b89b9f15b4936310eea

SHA512
336555bb5c54a050a977eb72039fc30002d99b912ca9f7e7782938b4db18851a1f1ec00a5a6f779b9d7a150f0a6551080cb79b6b284f34896ba9bd9712cdb229

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
3.1MB

MD5
4dae9721f114e5c9e8d4e2fabb5c2623

SHA1
750ea350bcb7ef57b2e88bd2b23188a15ca96435

SHA256
bb80c1d12b84c1aa65fbf00de7bcb4d65355f04e9c66bdf38088711133a5d745

SHA512
7bc3689de6c5fdcf67bc44f171a1f8f5f9497e2ad2d52d5e49bb6efd9a6d16512b304936777a17b2378aa049b8031a59747417663cbf925206e32106e426128e

Download Submit
memory/944-122-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-5-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-6-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/944-62-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-107-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-12-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-70-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-15-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/944-14-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-90-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-128-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-101-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/944-52-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2124-91-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2124-63-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2124-53-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2124-85-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2124-55-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2124-102-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2124-108-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2124-123-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-32-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-109-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-92-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-57-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-64-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-103-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-124-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-54-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/2972-86-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-51-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-100-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4176-121-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-13-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-89-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-127-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-61-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-69-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-11-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4176-0-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-106-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-10-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4176-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4268-126-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4268-60-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4268-105-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4268-111-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4268-94-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4268-59-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4268-88-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4268-68-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-93-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-110-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-34-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-56-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-125-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-104-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-58-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-65-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download
memory/4536-87-0x0000000000400000-0x0000000000DBE000-memory.dmp

Filesize
9.7MB

Download