dcd5e8958f299309d859ac081d0a64cc34a12d609185889ebbdda833b1319b5f

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
Size

2.5MB
MD5

215057ac490b0c2564becb8482330d67
SHA1

e2fa1ce5ad9e2ba104ae9a2403455b465e7b28c1
SHA256

dcd5e8958f299309d859ac081d0a64cc34a12d609185889ebbdda833b1319b5f
SHA512

4e73d36d6a2461943a324a591dfd3e9ee2c43972ec0e0eb6e6bd75becbecd0858a738e8a51dc6eef152accab31301991b1562929e5cd5b8c0288bf89a5be4c8b
SSDEEP

49152:nY9MWFHW4vzYvqM0VS0/C2FGthbTzErAbCS:sDF2OzYvyVt/4hbTzQAbt

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	acrotray .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1752	acrotray.exe
2992	acrotray.exe
4108	acrotray .exe
4948	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\common files\java\java update\jusched.exe	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401094b0b1a0da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3235937677"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 709252ccb1a0da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3235937677"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31105201"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EC6D690E-0CA4-11EF-921E-FAC2362A65D4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80b815b0b1a0da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31105201"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc4700000000020000000000106600000001000020000000689c3859b7e47a26d8de20d7e124ae7bbda3e1559554f15820d18aaf8b738900000000000e80000000020000200000004c867e4648fb7beebaac88167264b2e258598af5168fd75b8e192944beb89c1e2000000095d12871037689c0c01f8230d18dcd8444265ec70b87b8e931223aacd78f807d4000000014b9270b445e53999ebd372eec02b91b37b7783f13ac22b8cb6572f320cb7a727f9497dab61a1183feb085de43394fffe2c21b657837a994cc5d694d8de11183	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0810cbdb1a0da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc4700000000020000000000106600000001000020000000b77f4c34373fb150de556aad95ff7f1d3c23226f7592a88e49f1af1633d1f411000000000e80000000020000200000002fe6f775a63e95329e3ebb54e60c1103567bfd8e8a672c6822cd90b0382ff6ee20000000514a92c68787504098096d0fe9b74cf66fcdf0004bf989c6c8e7ed5d3781994a40000000484476514d7980de91e6543901ec4033c572553ec4740ab11c62d671d0107f9546f7333245429df97de6fd6ee27e688a34772a5b19b9b65546b64cc9b33818c5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc47000000000200000000001066000000010000200000001196cd67989b9343d8d6a575f6fc08279672c7f6b18a118d91eef7e5742909ef000000000e8000000002000020000000daa613d81c37258ee416f45378a167de344dde367bde25b78bcb85193001a8f82000000095e4b86bcd14fd50c2aae0a13d495e704f9fe26eb07481f524c83ce209a2341740000000568850ab9da0623bf122b6200e88caf9b9839be72fe25b3471e73863107b900a8833674ea2ae662183854fceac24b1001978f77a6ab8bbaef3915b8d7d42117e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc47000000000200000000001066000000010000200000000bf30755e9db130024c5ce67d4dd6b3af9e1a166cbd7cffa7537243b69c2551e000000000e8000000002000020000000d364f19648abc16f647cff248ca99721e6f07d6ea26f39e46506f561218dd45f20000000691036b95e8c35706a733f131b8ea2edd08f90bef5ae3bc1c293ac0d35603f4640000000f0d583557be509791d94dabdab1fa77b2335181a6a5fe3981b756c13cb0abcb697b032bfca7a189bbff3611ff8767f9bdbab66d5cdce920bf120468e39129836	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
1752	acrotray.exe
1752	acrotray.exe
1752	acrotray.exe
1752	acrotray.exe
1752	acrotray.exe
1752	acrotray.exe
2992	acrotray.exe
2992	acrotray.exe
2992	acrotray.exe
2992	acrotray.exe
4108	acrotray .exe
4108	acrotray .exe
4108	acrotray .exe
4108	acrotray .exe
4108	acrotray .exe
4108	acrotray .exe
4948	acrotray .exe
4948	acrotray .exe
4948	acrotray .exe
4948	acrotray .exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
2992	acrotray.exe
2992	acrotray.exe
4948	acrotray .exe
4948	acrotray .exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
2992	acrotray.exe
2992	acrotray.exe
4948	acrotray .exe
4948	acrotray .exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
2992	acrotray.exe
2992	acrotray.exe
4948	acrotray .exe
4948	acrotray .exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
2992	acrotray.exe
2992	acrotray.exe
4948	acrotray .exe
4948	acrotray .exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
2992	acrotray.exe
2992	acrotray.exe
4948	acrotray .exe
4948	acrotray .exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
2992	acrotray.exe
2992	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
Token: SeDebugPrivilege	3184	215057ac490b0c2564becb8482330d67_jaffacakes118.exe
Token: SeDebugPrivilege	1752	acrotray.exe
Token: SeDebugPrivilege	2992	acrotray.exe
Token: SeDebugPrivilege	4108	acrotray .exe
Token: SeDebugPrivilege	4948	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1684	iexplore.exe
1684	iexplore.exe
1684	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1684	iexplore.exe
1684	iexplore.exe
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
1684	iexplore.exe
1684	iexplore.exe
4344	IEXPLORE.EXE
4344	IEXPLORE.EXE
1684	iexplore.exe
1684	iexplore.exe
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3184	4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe	83
PID 4816 wrote to memory of 3184	4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe	83
PID 4816 wrote to memory of 3184	4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe	83
PID 4816 wrote to memory of 1752	4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe	96
PID 4816 wrote to memory of 1752	4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe	96
PID 4816 wrote to memory of 1752	4816	215057ac490b0c2564becb8482330d67_JaffaCakes118.exe	96
PID 1752 wrote to memory of 2992	1752	acrotray.exe	99
PID 1752 wrote to memory of 2992	1752	acrotray.exe	99
PID 1752 wrote to memory of 2992	1752	acrotray.exe	99
PID 1752 wrote to memory of 4108	1752	acrotray.exe	100
PID 1752 wrote to memory of 4108	1752	acrotray.exe	100
PID 1752 wrote to memory of 4108	1752	acrotray.exe	100
PID 1684 wrote to memory of 1576	1684	iexplore.exe	101
PID 1684 wrote to memory of 1576	1684	iexplore.exe	101
PID 1684 wrote to memory of 1576	1684	iexplore.exe	101
PID 4108 wrote to memory of 4948	4108	acrotray .exe	102
PID 4108 wrote to memory of 4948	4108	acrotray .exe	102
PID 4108 wrote to memory of 4948	4108	acrotray .exe	102
PID 1684 wrote to memory of 4344	1684	iexplore.exe	105
PID 1684 wrote to memory of 4344	1684	iexplore.exe	105
PID 1684 wrote to memory of 4344	1684	iexplore.exe	105
PID 1684 wrote to memory of 1800	1684	iexplore.exe	106
PID 1684 wrote to memory of 1800	1684	iexplore.exe	106
PID 1684 wrote to memory of 1800	1684	iexplore.exe	106

C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_jaffacakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_jaffacakes118.exe" C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\215057ac490b0c2564becb8482330d67_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4948

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:17420 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
2.5MB

MD5
8544a62a66329c3824ad0a154af2f673

SHA1
6d4ad069cf08af2680e304890832c3e1b608bff5

SHA256
98833fdac9f4fcf49e14d41ca4c8c374e097d14826e38d48eceb1d50f56a6544

SHA512
5835e82d00368be23deead0e7e24c863ccc1d995fa3a88faa72a66d03438d69b1e1bf792d9b45f989fee16c4e7077555eafc0ab733b66927b5cd36417742d09b

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
2.5MB

MD5
01e8095ba25a6376084590abaf8b9cf1

SHA1
91fb6bb5344f78714c7c046b2412aa7974586370

SHA256
acd1c3875b6107330a67653968e8cbc5778a4e27fefa856da0bc2fdf557e4b30

SHA512
a067e5d816ce278bb2673a20b4762ce993dd71d2b17ee34df6a1ed66f5e260f184e33bd2b839b82b71bfc9e3292e4c69ee975c53e8bb7a49cc559f97383e6838

Download Submit
memory/4816-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download