ad89ce6fc686c6270a53af73d0b2e31b26dfc06cac41989850fb0da1a04a21a2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
Size

636KB
MD5

2b5dc3847c46d0fcb0926692ebc0b384
SHA1

eb2845377cec3de83eb98ea4c2d2bb1f999a034a
SHA256

ad89ce6fc686c6270a53af73d0b2e31b26dfc06cac41989850fb0da1a04a21a2
SHA512

10c24c08ebfb74094b5b4e002a990c2ff7011c613042c1ea35838c11618bbd30372aa21d32659a8d44bf3639d50474b1058b5deb43545f95a6f63ccbed51e4ce
SSDEEP

12288:waCfbqHNucxW0QuFg64Sr9T4UgQgO9lvBrg7rRw:wlf+twfn64Sr9T4UUO9J9Ei

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	acrotray .exe

Executes dropped EXE 4 IoCs

pid	Process
3320	acrotray.exe
1528	acrotray.exe
1936	acrotray .exe
4436	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\common files\java\java update\jusched.exe	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "276744702"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c8374000000000200000000001066000000010000200000007e2f643cfe92ed92c9d10745bc3ecd88a542d5232ff0b32b9d12ce865ebddeb4000000000e800000000200002000000055bedddbc69daac7c2133f7662a68782e35d526a4ce84dec1bc22295d3545dfb2000000044e0814d512a5d0fff99cafbcfcc1360c8246cbb4b38717a8aa4ede46dee70f040000000e02dff130784978175cd1a94d6184e0cc15e807bee5b48472c979d273c337a6991020e49c56bdacee1e65168c567fb46a769393af000890b6ec4e6de2d25c43c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e074130041a2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3C17A40A-0E34-11EF-A084-F2AC8AF4D319} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31105601"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04da3ff40a2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c8374000000000200000000001066000000010000200000008ff05740a09c1a65fce7d783993a803a39abb18adb881341873568fa57cdf7b7000000000e80000000020000200000003c9f556e910c3ac2b518baf9008ef596dc051bcc8ef7fa5235d8f280e1d952dd20000000b60a684b8a1a033130d21c89c07ff239b558430208d09f1a952fb8efca770496400000007f05d8fa575ddf4b28c5b19725b4748f59be13dc861be44e4dbbc8de79f19fa555db2d6c75af81a922da59f276cb585ab8ed767b6fce99bb31aaa3360af5506e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4011d90b41a2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c8374000000000200000000001066000000010000200000006f60348cfa2f2429429971e3771a05037afeaa5fe428ae0466eedab8efa85068000000000e8000000002000020000000ae0a0c19acd4a809aae4d5d8f7d5b6641a44cc465f36ef509a864a183257842d200000005def3cd2465434bdc3b9c14fb30301dd0e3e3c17c1be0eef0d659ba4f9822cdc40000000109eabea56c1e89fcd6a14f45a52039f27647d8c69a6612202e94cb1642c8782f322c30ff6bf63efffcb20f296058d0c83084dfadc442757e057a47bbef84e0e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ea0f1c41a2da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c837400000000020000000000106600000001000020000000422d304a6a84222c4fcbc0b2b0da9974ca8b6387b17341708b757af91bca1fcb000000000e8000000002000020000000d9961863ae249817f4aed6de3444ace4d9c4bad1d965f4c5c0b164efdfa2018120000000c99eb76312d85bb7d5b9a52ab30acfc6a20f0213216f116ff727c5bf065f321f400000008dacb1ecb93c3f2de71d4157f6342023a4d78039bc44709855fda6ee8d984a772baece316f3cea5da209d3e9904542d1de33d4be5e395564e97cc65e502a57e5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31105601"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "276744702"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3320	acrotray.exe
3320	acrotray.exe
3320	acrotray.exe
3320	acrotray.exe
3320	acrotray.exe
3320	acrotray.exe
1528	acrotray.exe
1528	acrotray.exe
1528	acrotray.exe
1528	acrotray.exe
1936	acrotray .exe
1936	acrotray .exe
1936	acrotray .exe
1936	acrotray .exe
1936	acrotray .exe
1936	acrotray .exe
4436	acrotray .exe
4436	acrotray .exe
4436	acrotray .exe
4436	acrotray .exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1528	acrotray.exe
1528	acrotray.exe
4436	acrotray .exe
4436	acrotray .exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1528	acrotray.exe
1528	acrotray.exe
4436	acrotray .exe
4436	acrotray .exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1528	acrotray.exe
1528	acrotray.exe
4436	acrotray .exe
4436	acrotray .exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1528	acrotray.exe
1528	acrotray.exe
4436	acrotray .exe
4436	acrotray .exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1528	acrotray.exe
1528	acrotray.exe
4436	acrotray .exe
4436	acrotray .exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1528	acrotray.exe
1528	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
Token: SeDebugPrivilege	3756	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
Token: SeDebugPrivilege	3320	acrotray.exe
Token: SeDebugPrivilege	1528	acrotray.exe
Token: SeDebugPrivilege	1936	acrotray .exe
Token: SeDebugPrivilege	4436	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4500	iexplore.exe
4500	iexplore.exe
4500	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4500	iexplore.exe
4500	iexplore.exe
3980	IEXPLORE.EXE
3980	IEXPLORE.EXE
4500	iexplore.exe
4500	iexplore.exe
4428	IEXPLORE.EXE
4428	IEXPLORE.EXE
4500	iexplore.exe
4500	iexplore.exe
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 3756	1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	85
PID 1252 wrote to memory of 3756	1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	85
PID 1252 wrote to memory of 3756	1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	85
PID 1252 wrote to memory of 3320	1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	87
PID 1252 wrote to memory of 3320	1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	87
PID 1252 wrote to memory of 3320	1252	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	87
PID 4500 wrote to memory of 3980	4500	iexplore.exe	90
PID 4500 wrote to memory of 3980	4500	iexplore.exe	90
PID 4500 wrote to memory of 3980	4500	iexplore.exe	90
PID 3320 wrote to memory of 1528	3320	acrotray.exe	91
PID 3320 wrote to memory of 1528	3320	acrotray.exe	91
PID 3320 wrote to memory of 1528	3320	acrotray.exe	91
PID 3320 wrote to memory of 1936	3320	acrotray.exe	92
PID 3320 wrote to memory of 1936	3320	acrotray.exe	92
PID 3320 wrote to memory of 1936	3320	acrotray.exe	92
PID 1936 wrote to memory of 4436	1936	acrotray .exe	93
PID 1936 wrote to memory of 4436	1936	acrotray .exe	93
PID 1936 wrote to memory of 4436	1936	acrotray .exe	93
PID 4500 wrote to memory of 4428	4500	iexplore.exe	97
PID 4500 wrote to memory of 4428	4500	iexplore.exe	97
PID 4500 wrote to memory of 4428	4500	iexplore.exe	97
PID 4500 wrote to memory of 3460	4500	iexplore.exe	98
PID 4500 wrote to memory of 3460	4500	iexplore.exe	98
PID 4500 wrote to memory of 3460	4500	iexplore.exe	98

C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4436

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4500 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4500 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4428
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4500 CREDAT:17420 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
665KB

MD5
33eb1d7094302debc81e8c5732f37035

SHA1
86a9be377bda9c51ff6466b2d33eadc5988d332d

SHA256
58330cb4134d99691f313b1bee609d2e80ebe42fce800dda5688cd4667a5d65f

SHA512
9cac9c97d028d6f8326a3b5567b616159a05eea6b9945c437719412679f7bbad0548034e61b7283d765a8f636005a63c8c01395b6b3e5667a2da02d66dc169e9

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
649KB

MD5
2faaaf20f743f3a2e0a620e8cf44bce1

SHA1
c5c37401d1cea100ae8ddd57321d488d7263d970

SHA256
90e6b3935f18e7500b07a6b17ec4fef069f401ad7fd4c06f055bbe8de6556b4f

SHA512
0fae7256fba95107d68722f7f4a205ef55e181f7a0282a401db34e86257320a535c807b703809c5d456fc2bb362e02cfc55a399739951e0b6e44240a09e2ba47

Download Submit
memory/1252-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download