Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-05-2021 18:30
- Static task: static1
- Behavioral task: behavioral1
  Sample: 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe
  Resource: win10v20210410

The behaviour recorded below comes from behavioral2 (the windows10_x64 image, resource win10v20210410); the Windows 7 run is not part of this extract.
General

- Target: 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe
- Size: 1.6MB
- MD5: 49ad81fde492c509161ed75c94e61633
- SHA1: 0c494c7a110022d19808f6e4dbc9e3e103c912c6
- SHA256: 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6
- SHA512: 08a795ebed9cf08b913f781b866b3e8e0e6cb854e5d224981cb821f2afaea8b9013a1412a266b321f32fcbadd6a12d2018a8cd9f7b9a5843ff7421ec76e97520
Malware Config

Extracted: darkcomet
- Botnet (campaign ID): 0006285155275
- C2: wsws.myftp.org:2222 (myftp.org is a No-IP dynamic DNS domain, so whatever address it resolved to at analysis time is not a stable indicator; hunt on the hostname and the port)
- Mutex: DC_MUTEX-HB8VFRH
- InstallPath: MSDCSC\msdcsc.exe (resolved at runtime to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe, see Processes and Downloads)
- gencode: GixsKsK0q5Nb
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate (the Run value name written to the user hive, see Signatures)
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe"
  Userinit is a comma-separated list of programs that winlogon.exe starts at every interactive logon. The dropper keeps the legitimate userinit.exe first and appends its installed copy, so the RAT runs before the shell; removing only the Run value below leaves this entry in place. Writing an HKLM value needs administrative rights, which the sample had in the sandbox (it ran as the Admin user).

Modifies firewall policy service (2 TTPs, 3 IoCs)
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  The sandbox logs the resolved kernel path; CurrentControlSet is a symbolic link to one of the ControlSet00N keys, so when hunting query CurrentControlSet (or every ControlSet00N) rather than ControlSet001 literally.

Modifies security service (2 TTPs, 1 IoC)
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
  Start = 4 is SERVICE_DISABLED: the Windows Security Center service (wscsvc) will not start on the next boot.

Disables Task Manager via registry modification
- No IoC is recorded for this signature in the report.

Executes dropped EXE (1 IoC)
- msdcsc.exe (PID 2732)

Windows security modification (1 IoC; the heading is missing in the report and is taken from the process tree entry for msdcsc.exe)
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  The WOW6432Node path shows the writer is a 32-bit process on the x64 image: its write to HKLM\SOFTWARE\Microsoft\Security Center was redirected by WOW64.

Adds Run key to start application (2 TTPs, 1 IoC)
- 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe"
  The value name MicroUpdate matches reg_key in the extracted config. This is the per-user (HKCU) entry alongside the machine-wide Userinit entry; both point at the same dropped file, so one file path covers both persistence mechanisms.

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature reads "likely ransomware behaviour"; with the family already identified as DarkComet by config extraction, treat it as a low-confidence heuristic rather than evidence of file encryption. No IoC is recorded.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- AcroRd32.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- AcroRd32.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Both reads come from Adobe Reader (PID 1900) while it opens the decoy PDF, not from the sample or its dropped copy; do not attribute this behaviour to DarkComet.

Modifies Internet Explorer settings (1 IoC; the heading is missing in the report and is taken from the process tree entry for AcroRd32.exe)
- AcroRd32.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  Again Reader's own activity (it sets the document mode for the browser control it hosts), not the malware's.

Modifies registry class (1 IoC)
- 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (18 IoCs)
- AcroRd32.exe (PID 1900), 18 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- msdcsc.exe (PID 2732)
  Polling GetForegroundWindow is how keyloggers commonly tag captured keystrokes with the active window; correlate with offline_keylogger = true in the extracted config.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
- 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe (PID 3984) enabled, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privilege LUIDs 33, 34, 35 and 36, which the sandbox leaves unnamed (24 entries)
- msdcsc.exe (PID 2732) enabled the same 24 privileges in the same order
  Neither process needs more than one or two of these. Enabling every privilege present in the token in one sweep, rather than the one a given operation requires, is a detection signal in its own right, and the identical sequence from both processes is expected since the dropped copy is the same binary.

Suspicious use of SetWindowsHookEx (7 IoCs)
- AcroRd32.exe (PID 1900): 6 hooks
- msdcsc.exe (PID 2732): 1 hook
  Only the msdcsc.exe hook matters for triage. A hook installed by the RAT alongside its keylogger setting points to keyboard capture, although the report does not record the hook type or scope.
Suspicious use of WriteProcessMemory (64 IoCs)
The report lists every write separately; collapsed into source -> target edges:
- 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe (PID 3984) -> AcroRd32.exe (PID 1900): 3 writes
- 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe (PID 3984) -> msdcsc.exe (PID 2732): 3 writes
- msdcsc.exe (PID 2732) -> notepad.exe (PID 3996): repeated writes, the bulk of the entries attributed to msdcsc.exe
- AcroRd32.exe (PID 1900) -> RdrCEF.exe (PID 2132): 3 writes
- RdrCEF.exe (PID 2132) -> RdrCEF.exe (PID 736): repeated writes
  Three writes per child is what the report shows for every plain parent-to-child spawn here, including the benign AcroRd32 -> RdrCEF one. The edge to examine is msdcsc.exe writing many times into a notepad.exe it started from C:\Windows\SysWOW64 (see Processes); the sandbox also dumped a 4 KB region from that notepad (memory/3996-122), which is where to look for injected code. The RdrCEF -> RdrCEF writes are Chromium Embedded Framework child-process setup (note the --type=gpu-process and --type=renderer command lines) and are unrelated to the sample.
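The collapse above can be done mechanically. The following is an added example, not part of the sandbox report: it parses the report's flattened "PID A wrote to memory of B A src.exe dst.exe" entries, collapses them into counted edges, reconstructs the parent chain of any PID, and flags the edge worth looking at. The sample blob is constructed here with the same five edges as the report but fewer repetitions for the two heavy ones; the three-write creation baseline is taken from the benign pairs in this report and the list of commonly abused host images is an assumption of the example.

```python
"""Collapse a sandbox's per-call WriteProcessMemory entries into edges (added example)."""
import re
from collections import Counter

SAMPLE_EXE = "44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe"

# Constructed, abridged blob in the report's flattened layout (same edges, fewer repeats).
SAMPLE_BLOB = (
    f"PID 3984 wrote to memory of 1900 3984 {SAMPLE_EXE} AcroRd32.exe " * 3
    + f"PID 3984 wrote to memory of 2732 3984 {SAMPLE_EXE} msdcsc.exe " * 3
    + "PID 2732 wrote to memory of 3996 2732 msdcsc.exe notepad.exe " * 7
    + "PID 1900 wrote to memory of 2132 1900 AcroRd32.exe RdrCEF.exe " * 3
    + "PID 2132 wrote to memory of 736 2132 RdrCEF.exe RdrCEF.exe " * 9
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the source PID
# is repeated in the report, so the back-reference rejects torn or misaligned entries.
EDGE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Every benign parent->child spawn in the report shows exactly three writes.
BASELINE_WRITES = 3

# Assumption of this example: system binaries that have no business being written into
# by a non-system parent (decoy hosts for injection).
SYSTEM_IMAGES = {"notepad.exe", "svchost.exe", "explorer.exe", "rundll32.exe", "regsvr32.exe"}


def collapse_edges(blob):
    """Return Counter[(src_pid, src_img, dst_pid, dst_img)] -> number of writes."""
    counts = Counter()
    for m in EDGE_RE.finditer(blob):
        counts[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return counts


def lineage(counts, pid):
    """Walk writer->target edges upwards; in this report every target was spawned by its writer."""
    parent = {dst: src for (src, _, dst, _) in counts}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain


def suspicious_edges(counts):
    """Flag edges that exceed the creation baseline or target a system decoy image."""
    flagged = []
    for (src, src_img, dst, dst_img), n in counts.items():
        reasons = []
        if dst_img.lower() in SYSTEM_IMAGES and src_img.lower() not in SYSTEM_IMAGES:
            reasons.append("writes into a Windows system binary it spawned")
        # Same-image children (RdrCEF -> RdrCEF) are normal multi-process setup; skip them.
        if n > BASELINE_WRITES and src_img.lower() != dst_img.lower():
            reasons.append(f"{n} writes, above the {BASELINE_WRITES}-write creation baseline")
        if reasons:
            flagged.append(((src, src_img, dst, dst_img), reasons))
    return flagged


if __name__ == "__main__":
    edges = collapse_edges(SAMPLE_BLOB)
    for (src, src_img, dst, dst_img), n in sorted(edges.items()):
        print(f"{src_img} ({src}) -> {dst_img} ({dst}): {n} writes")
    for edge, reasons in suspicious_edges(edges):
        print("FLAG", edge, "; ".join(reasons), "lineage:", lineage(edges, edge[2]))
```

Running it on the full report text instead of the constructed blob gives the real counts; the flagged edge is the same one, msdcsc.exe (2732) into notepad.exe (3996), with lineage 3996 -> 2732 -> 3984.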
System policy modification (1 TTP, 3 IoCs)
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  The path is reproduced exactly as the sandbox recorded it. Explorer reads NoControlPanel from ...\CurrentVersion\Policies\Explorer, so a value written under Policies\CurrentVersion\Explorern is never enforced; the unusual key name is still a useful forensic marker for this sample.
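The registry writes in this section are the ones worth turning into a hunt. The following is an added example, not part of the sandbox report or of any sandbox's own code: it parses the report's "Set value (type) \REGISTRY\... = "..." process.exe" lines, maps the kernel hive paths onto HKLM/HKU, and applies the checks an analyst would run against collected registry data: a Userinit list containing anything besides userinit.exe, a Run value, the firewall and Security Center tampering, and the AV notification suppression. The sample lines are copied from this report; the finding names are the example's own.

```python
"""Turn a sandbox report's registry IoC lines into findings (added example)."""
import re
from dataclasses import dataclass

# Registry writes copied from the report's Signatures section.
REPORT_LINES = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe
'''

# Key paths may contain spaces ("Windows NT", "Security Center"), so the path is
# matched lazily up to the ' = "' separator and the process name is the last token.
IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$'
)
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM"), ("\\REGISTRY\\USER\\", "HKU"))


@dataclass(frozen=True)
class RegWrite:
    process: str
    hive: str    # HKLM or HKU
    key: str     # key path below the hive (for HKU it starts with the SID)
    name: str    # value name
    value: str   # value data with the report's doubled backslashes collapsed
    vtype: str


def parse_reg_writes(text):
    writes = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        for prefix, hive in HIVES:
            if m["path"].upper().startswith(prefix):
                key, _, name = m["path"][len(prefix):].rpartition("\\")
                writes.append(RegWrite(m["proc"], hive, key, name,
                                       m["value"].replace("\\\\", "\\"), m["type"]))
                break
        else:
            raise ValueError(f"unexpected registry path: {m['path']}")
    return writes


def userinit_extras(value):
    """Userinit is a comma-separated program list run by winlogon at logon;
    anything whose basename is not userinit.exe is a persistence entry."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
            extras.append(entry)
    return extras


def evaluate(writes):
    """Return (finding, process, detail) triples for the checks this report motivates."""
    findings = []
    for w in writes:
        key, name = w.key.lower(), w.name.lower()
        if key.endswith("currentversion\\winlogon") and name == "userinit":
            for extra in userinit_extras(w.value):
                findings.append(("winlogon_userinit", w.process, extra))
        elif key.endswith("currentversion\\run"):
            scope = "per-user" if w.hive == "HKU" else "machine"
            findings.append((f"run_key_{scope}", w.process, f"{w.name} -> {w.value}"))
        elif "firewallpolicy" in key and name == "enablefirewall" and w.value == "0":
            findings.append(("firewall_disabled", w.process, key.rsplit("\\", 1)[-1]))
        elif key.endswith("services\\wscsvc") and name == "start" and w.value == "4":
            findings.append(("security_center_service_disabled", w.process, "Start=4 (SERVICE_DISABLED)"))
        elif key.endswith("security center") and name == "antivirusdisablenotify" and w.value == "1":
            findings.append(("av_notifications_suppressed", w.process, f"{w.hive}\\{w.key}"))
    return findings


def persistence_targets(findings):
    """Paths that persistence findings point at; one path here means one file to pull."""
    targets = set()
    for kind, _, detail in findings:
        if kind == "winlogon_userinit":
            targets.add(detail.lower())
        elif kind.startswith("run_key_"):
            targets.add(detail.split(" -> ", 1)[1].lower())
    return targets


if __name__ == "__main__":
    found = evaluate(parse_reg_writes(REPORT_LINES))
    for kind, proc, detail in found:
        print(f"{kind:34} {proc:12.12} {detail}")
    print("persistence targets:", persistence_targets(found))
```

The same functions work on Sysmon Event ID 13 (RegistryEvent value set) data once each event is mapped into a RegWrite; the checks only look at hive, key suffix, value name and data, which is what a hunt query on live hosts needs.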
Processes

- PID 3984: C:\Users\Admin\AppData\Local\Temp\44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe"
  Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 1900: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2019__INÖNÜ_YÖS_SiNAV_SORULARi.PDF"
    Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 2132: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Signatures: Suspicious use of WriteProcessMemory
      - PID 736: RdrCEF.exe (gpu-process)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=14566F153A18BC811684586CAE5504DA --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - PID 3340: RdrCEF.exe (renderer)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3EAC4E8E366572778A61C75208871F9B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3EAC4E8E366572778A61C75208871F9B --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1
      - PID 4132: RdrCEF.exe (gpu-process)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6754EF5867A208C8F0AE59B9F1F7012B --mojo-platform-channel-handle=2188 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - PID 4236: RdrCEF.exe (gpu-process)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5EB0D522A90C483ECC5FD7A8606F5F1D --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - PID 4336: RdrCEF.exe (gpu-process)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B81B5E4F6BB22F5C2B2957D2C36ED5D4 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - PID 2732: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"
    Signatures: Modifies firewall policy service; Modifies security service; Executes dropped EXE; Windows security modification; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - PID 3996: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad

Reading the tree: the dropper (3984) does two things, hands a decoy document to Acrobat Reader and starts its installed copy. The decoy file name is Turkish ("2019 İnönü YÖS exam questions", a university entrance exam paper as the lure), but the Downloads section shows the file is zero bytes, so in this run Reader had nothing to display. Everything under AcroRd32.exe is Reader's normal Chromium Embedded Framework helper set and carries no sample behaviour. The installed copy (2732) is where the defence tampering, the hook and the policy change happen, and it launches a 32-bit notepad.exe (from SysWOW64, consistent with the WOW6432Node registry write) that it then writes into repeatedly; the notepad instance was given no file to open and is the process to inspect for injected code.
Network
- The network section of the report is empty in this extract; the only network indicator available is the extracted C2, wsws.myftp.org:2222.

MITRE ATT&CK Enterprise v6
- The technique mapping is not included in this extract.
Downloads

- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe (listed twice in the report with identical digests; merged here)
  MD5: 49ad81fde492c509161ed75c94e61633
  SHA1: 0c494c7a110022d19808f6e4dbc9e3e103c912c6
  SHA256: 44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6
  SHA512: 08a795ebed9cf08b913f781b866b3e8e0e6cb854e5d224981cb821f2afaea8b9013a1412a266b321f32fcbadd6a12d2018a8cd9f7b9a5843ff7421ec76e97520
  All four digests equal the submitted sample's: the installed copy is byte-for-byte the dropper itself, so one hash set covers both the initial file and the persistent copy.

- C:\Users\Admin\AppData\Local\Temp\2019__INÖNÜ_YÖS_SiNAV_SORULARi.PDF
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of empty input: the decoy PDF handed to Acrobat Reader is zero bytes. Its hashes match every empty file and are useless as indicators; the file name is the only lure-specific artefact.
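Both observations above (a dropped file that is a self-copy, a decoy that is empty) are easy to miss when a report lists hashes in the flattened layout used here. The following is an added example, not part of the sandbox report: it parses that layout (the path line carries the "MD5" label, the MD5 digest sits on its own line, and the later labels are fused to their digests), drops duplicate entries, and tags each file as a self-copy of the sample or as empty by comparing against digests computed locally with hashlib rather than hard-coded. The excerpt is copied from this report; the tag names are the example's own.

```python
"""Parse a flattened sandbox 'Downloads' listing and triage the dropped files (added example)."""
import hashlib
import re

SAMPLE_SHA256 = "44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6"

# Excerpt in the report's flattened layout (includes the duplicated msdcsc.exe entry).
DOWNLOADS = r'''
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exeMD5
49ad81fde492c509161ed75c94e61633
SHA10c494c7a110022d19808f6e4dbc9e3e103c912c6
SHA25644e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6
SHA51208a795ebed9cf08b913f781b866b3e8e0e6cb854e5d224981cb821f2afaea8b9013a1412a266b321f32fcbadd6a12d2018a8cd9f7b9a5843ff7421ec76e97520
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exeMD5
49ad81fde492c509161ed75c94e61633
SHA10c494c7a110022d19808f6e4dbc9e3e103c912c6
SHA25644e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6
SHA51208a795ebed9cf08b913f781b866b3e8e0e6cb854e5d224981cb821f2afaea8b9013a1412a266b321f32fcbadd6a12d2018a8cd9f7b9a5843ff7421ec76e97520
C:\Users\Admin\AppData\Local\Temp\2019__INÖNÜ_YÖS_SiNAV_SORULARi.PDFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
'''

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Digests of zero-byte input, computed rather than pasted.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

# Longest label first so "SHA256..." is not read as "SHA1" + "256...".
DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1)?([0-9a-f]+)$")


def parse_downloads(text):
    """Return a list of {'path', 'MD5', 'SHA1', 'SHA256', 'SHA512'} records."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("MD5"):
            current = {"path": line[:-len("MD5")]}
            records.append(current)
            continue
        m = DIGEST_RE.match(line)
        if current is None or not m:
            raise ValueError(f"unexpected line: {line!r}")
        label, digest = m.group(1) or "MD5", m.group(2)
        if len(digest) != HEX_LEN[label]:
            raise ValueError(f"{label} digest of wrong length on line {line!r}")
        current[label] = digest
    return records


def dedupe(records):
    """Drop repeated (path, SHA256) entries, keeping first occurrence order."""
    seen, unique = set(), []
    for rec in records:
        key = (rec["path"], rec["SHA256"])
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def classify(records, sample_sha256):
    """Tag each dropped file: empty input, self-copy of the submitted sample, or neither."""
    tags = {}
    for rec in records:
        t = []
        if all(rec[alg] == EMPTY_DIGESTS[alg] for alg in HEX_LEN):
            t.append("empty_file")
        if rec["SHA256"] == sample_sha256.lower():
            t.append("self_copy_of_sample")
        tags[rec["path"]] = t
    return tags


if __name__ == "__main__":
    files = dedupe(parse_downloads(DOWNLOADS))
    for path, t in classify(files, SAMPLE_SHA256).items():
        print(path, "->", ", ".join(t) or "new artefact, pull it")
```

Files tagged neither way are the ones worth pulling from the sandbox; here there are none, which is why the report's hashes alone are enough to describe this sample.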
Memory dumps (file name as recorded: memory/<pid>-<dump id>-<range>)

- memory/736-126-0x0000000000000000-mapping.dmp
- memory/736-124-0x0000000077542000-0x000000007754200C-memory.dmp (12B)
- memory/1900-115-0x0000000000000000-mapping.dmp
- memory/2132-123-0x0000000000000000-mapping.dmp
- memory/2732-121-0x0000000002190000-0x0000000002191000-memory.dmp (4KB)
- memory/2732-116-0x0000000000000000-mapping.dmp
- memory/3340-127-0x0000000077542000-0x000000007754200C-memory.dmp (12B)
- memory/3340-130-0x0000000000000000-mapping.dmp
- memory/3984-114-0x0000000000870000-0x0000000000871000-memory.dmp (4KB)
- memory/3996-122-0x00000000007C0000-0x00000000007C1000-memory.dmp (4KB)
- memory/3996-120-0x0000000000000000-mapping.dmp
- memory/4132-134-0x0000000077542000-0x000000007754200C-memory.dmp (12B)
- memory/4132-136-0x0000000000000000-mapping.dmp
- memory/4236-140-0x0000000000000000-mapping.dmp
- memory/4236-138-0x0000000077542000-0x000000007754200C-memory.dmp (12B)
- memory/4336-142-0x0000000077542000-0x000000007754200C-memory.dmp (12B)
- memory/4336-144-0x0000000000000000-mapping.dmp

The identical 12-byte region at 0x77542000 appears in every RdrCEF child (PIDs 736, 3340, 4132, 4236, 4336) and belongs to Reader's helper processes, not to the sample. The dumps that relate to the sample are the 4 KB regions from the dropper (3984-114), its installed copy (2732-121) and the notepad.exe it wrote into (3996-122).