d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d

Analysis

max time kernel
118s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d.exe
Size

1.9MB
MD5

0136a8111fc94be154aea13dd4c78b53
SHA1

ad64b56532d990da2c4cf17e61232fdca8884f37
SHA256

d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d
SHA512

0ea71a818a16196873f9f526b647300563f1bb7cfbfa1507effdf0f790b76b5b14909aa60f1f0f97a7252d58be8816156912579faba9501a6a2fa8f09cbc3d77

Score

10^/10

evasion link pdf persistence upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

Free Sample copy Hustler-Dec2013.exeSAMPLE~1.EXEWINSYS~2.EXE

pid process

4172 Free Sample copy Hustler-Dec2013.exe
3964 SAMPLE~1.EXE
4440 WINSYS~2.EXE

pid	process
4172	Free Sample copy Hustler-Dec2013.exe
3964	SAMPLE~1.EXE
4440	WINSYS~2.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAMPLE~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAMPLE~1.EXE	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Free Sample copy Hustler-Dec2013.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Free Sample copy Hustler-Dec2013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Free Sample copy Hustler-Dec2013.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C9D9.tmp\Sample copy Hustler-Dec2013.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

4004 reg.exe
4056 reg.exe
4080 reg.exe
4016 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	cmd.exe

pid	process
4004	reg.exe
4056	reg.exe
4080	reg.exe
4016	reg.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4404 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4404 AcroRd32.exe
4404 AcroRd32.exe
4404 AcroRd32.exe
4404 AcroRd32.exe
4404 AcroRd32.exe
4404 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d.execmd.exeFree Sample copy Hustler-Dec2013.exeSAMPLE~1.EXEcmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3716 wrote to memory of 2140	3716	d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d.exe	cmd.exe
PID 3716 wrote to memory of 2140	3716	d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d.exe	cmd.exe
PID 3716 wrote to memory of 2140	3716	d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d.exe	cmd.exe
PID 2140 wrote to memory of 4172	2140	cmd.exe	Free Sample copy Hustler-Dec2013.exe
PID 2140 wrote to memory of 4172	2140	cmd.exe	Free Sample copy Hustler-Dec2013.exe
PID 2140 wrote to memory of 4172	2140	cmd.exe	Free Sample copy Hustler-Dec2013.exe
PID 2140 wrote to memory of 4016	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4016	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4016	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4004	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4004	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4004	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4056	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4056	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4056	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4080	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4080	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4080	2140	cmd.exe	reg.exe
PID 4172 wrote to memory of 3964	4172	Free Sample copy Hustler-Dec2013.exe	SAMPLE~1.EXE
PID 4172 wrote to memory of 3964	4172	Free Sample copy Hustler-Dec2013.exe	SAMPLE~1.EXE
PID 4172 wrote to memory of 3964	4172	Free Sample copy Hustler-Dec2013.exe	SAMPLE~1.EXE
PID 3964 wrote to memory of 4328	3964	SAMPLE~1.EXE	cmd.exe
PID 3964 wrote to memory of 4328	3964	SAMPLE~1.EXE	cmd.exe
PID 3964 wrote to memory of 4328	3964	SAMPLE~1.EXE	cmd.exe
PID 4328 wrote to memory of 4404	4328	cmd.exe	AcroRd32.exe
PID 4328 wrote to memory of 4404	4328	cmd.exe	AcroRd32.exe
PID 4328 wrote to memory of 4404	4328	cmd.exe	AcroRd32.exe
PID 4172 wrote to memory of 4440	4172	Free Sample copy Hustler-Dec2013.exe	WINSYS~2.EXE
PID 4172 wrote to memory of 4440	4172	Free Sample copy Hustler-Dec2013.exe	WINSYS~2.EXE
PID 4172 wrote to memory of 4440	4172	Free Sample copy Hustler-Dec2013.exe	WINSYS~2.EXE
PID 4404 wrote to memory of 3216	4404	AcroRd32.exe	RdrCEF.exe
PID 4404 wrote to memory of 3216	4404	AcroRd32.exe	RdrCEF.exe
PID 4404 wrote to memory of 3216	4404	AcroRd32.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe
PID 3216 wrote to memory of 888	3216	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d.exe
"C:\Users\Admin\AppData\Local\Temp\d718ea92106894c1bfb2273ed7e71c9ad7cec01fa0ae4c2571e5a762e1f26e8d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C351.tmp\4.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\C351.tmp\Free Sample copy Hustler-Dec2013.exe
"Free Sample copy Hustler-Dec2013.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAMPLE~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAMPLE~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C9D9.tmp\2.bat""
5⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\C9D9.tmp\Sample copy Hustler-Dec2013.pdf"
6⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
7⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC114A55B5E1A20420F16F4C8967CB53 --mojo-platform-channel-handle=1688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7CF0C5FA33871FB0803A868FB1928690 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7CF0C5FA33871FB0803A868FB1928690 --renderer-client-id=2 --mojo-platform-channel-handle=1680 --allow-no-sandbox-job /prefetch:1
8⤵
PID:976

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=02ADA35AC4563D16C9F4FA65156DA7FC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=02ADA35AC4563D16C9F4FA65156DA7FC --renderer-client-id=4 --mojo-platform-channel-handle=2120 --allow-no-sandbox-job /prefetch:1
8⤵
PID:1604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5147CCEC5BB160B078457BF278EBAEAF --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:2372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C158D25485895C7636739AC9732617FB --mojo-platform-channel-handle=2648 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:3556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=206ECEC1E326AFEEB30961D8D6065267 --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINSYS~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINSYS~2.EXE
4⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0x00000000 /f
3⤵
- Modifies registry key
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0x00000001 /f
3⤵
- Modifies registry key
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0x00000000 /f
3⤵
- Modifies registry key
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x00000000 /f
3⤵
- Modifies registry key
PID:4080

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C351.tmp\4.bat
MD5
fc1274ee0036d5c09b1051a2b10d111b

SHA1
64510dc9595d00405309c1d1715783226716c7a6

SHA256
a3f22d7dea9177b4553a40ee77299ed11e8cda0d3d872e83cb8b8a30bdb75763

SHA512
53901ffd69019b342a43c3dcff3ec33d26295b2203cf8af1fa57a70302139d14b69d92b1d3e2a72fa4acb626123940b081ad32f617514f147cb2220966da8a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\C351.tmp\Free Sample copy Hustler-Dec2013.exe
MD5
2b38d321f6aa93f59d90d62b8a291311

SHA1
b792dea9b9b857fdb48b522464f8408435fa64f0

SHA256
f79120080946b1e446ed5e5f767fec387477b159447af86db54f28013eede421

SHA512
2f81d6fdd9c442cfb156239cd97c1bfb64d1896b2d7a38488fb0467e9e5fba1202c88ee27c693bd526e877e0d772808dec518276fbe2633fdaa15c0dbce0cceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C351.tmp\Free Sample copy Hustler-Dec2013.exe
MD5
2b38d321f6aa93f59d90d62b8a291311

SHA1
b792dea9b9b857fdb48b522464f8408435fa64f0

SHA256
f79120080946b1e446ed5e5f767fec387477b159447af86db54f28013eede421

SHA512
2f81d6fdd9c442cfb156239cd97c1bfb64d1896b2d7a38488fb0467e9e5fba1202c88ee27c693bd526e877e0d772808dec518276fbe2633fdaa15c0dbce0cceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9D9.tmp\2.bat
MD5
44a3ae6f081c483a190b785405611b9d

SHA1
787b9eaa90839620f7985366b21111a487d5adfc

SHA256
7fcf62370cf7810dd973d0bd99382952a5272b84208399dfba6fcf3675d44f33

SHA512
5bf52a4f53c20e8dce216f389c28c3c8b982ae2802c4e8526d2dc6efb942517e6de963f8b6f75c54278a2695a847afa37ba03b18f06c3a5bb4176a3f2c56f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9D9.tmp\Sample copy Hustler-Dec2013.pdf
MD5
0c52f2ad1f466c526d7b4f11a8ae6cd1

SHA1
b2cd0c4173075d309e4b9c25336edefe9170547e

SHA256
5dab2342a2f4e182c692a4377af384e60f477852fe9b652ea74b6c3052f152f1

SHA512
4336da0b4abb767d6270c2d3f777c1eba6261ca9d82027ee75a80ac47e860c5d1d2766afab62c5b86c0743b1f20f2452bca87a8c8de94f52e2d7520789792300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAMPLE~1.EXE
MD5
95fd6d4ddafc34b1710aff9e3634f0f4

SHA1
6266fd1bde76e856a423e35024c98ddda3667d09

SHA256
010c913b20cd285b0271e4a2752dee5332dd79be498dd0ab81b92bb1489fff98

SHA512
1d36e48681cad003ca3df4c5e0691d9f71732206a85b181eb28726da7b07fd1f7ed728ad04d6ce87b4add36c87a25ff0da3819ba99fd44e5e260a3805f24aba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAMPLE~1.EXE
MD5
95fd6d4ddafc34b1710aff9e3634f0f4

SHA1
6266fd1bde76e856a423e35024c98ddda3667d09

SHA256
010c913b20cd285b0271e4a2752dee5332dd79be498dd0ab81b92bb1489fff98

SHA512
1d36e48681cad003ca3df4c5e0691d9f71732206a85b181eb28726da7b07fd1f7ed728ad04d6ce87b4add36c87a25ff0da3819ba99fd44e5e260a3805f24aba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINSYS~2.EXE
MD5
f91e37e17cd0f735fcc62e9faf0e9d81

SHA1
8c3b657764dd72877680b7e09379e87f459b0ed6

SHA256
992dcc340019861e125bea3a5293da60f79d934f48c2b5bd89d0981ab76783cb

SHA512
59173a41b84b566200da2b0859dcfa90b84a18a448e595cb45c2568f845194c3cf625cdc952d17d4e487d6b641c6cfe20aa4ae6890902ed2df968e4efbba46f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINSYS~2.EXE
MD5
f91e37e17cd0f735fcc62e9faf0e9d81

SHA1
8c3b657764dd72877680b7e09379e87f459b0ed6

SHA256
992dcc340019861e125bea3a5293da60f79d934f48c2b5bd89d0981ab76783cb

SHA512
59173a41b84b566200da2b0859dcfa90b84a18a448e595cb45c2568f845194c3cf625cdc952d17d4e487d6b641c6cfe20aa4ae6890902ed2df968e4efbba46f8

Download Submit
memory/888-124-0x0000000077942000-0x0000000077943000-memory.dmp

Filesize
4KB

Download
memory/976-127-0x0000000077942000-0x0000000077943000-memory.dmp

Filesize
4KB

Download
memory/1284-143-0x0000000077942000-0x0000000077943000-memory.dmp

Filesize
4KB

Download
memory/1604-132-0x0000000077942000-0x0000000077943000-memory.dmp

Filesize
4KB

Download
memory/2372-137-0x0000000077942000-0x0000000077943000-memory.dmp

Filesize
4KB

Download
memory/3556-140-0x0000000077942000-0x0000000077943000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads