346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e

Analysis

max time kernel
150s
max time network
171s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e.exe
Size

2.2MB
MD5

b1e5a284b0064758d65c5fc0e201db35
SHA1

6e9c2ac3fbf1bf2003595886f9e45f5d3f021c94
SHA256

346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e
SHA512

dab91c35248016f3950feaffbe6e0d31c11d20cfa70711c6511fc54446540db09f2d68b9cb4102ecda6525dce446ad11e366ee26477c8f13ca5ea54ce9ebd973

Score

8^/10

link pdf persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Magazine.EXEBARELY~1.EXErstrui.exe

pid process

592 Magazine.EXE
680 BARELY~1.EXE
1272 rstrui.exe

pid	process
592	Magazine.EXE
680	BARELY~1.EXE
1272	rstrui.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BARELY~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BARELY~1.EXE	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Magazine.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Magazine.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Magazine.EXE

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F8C8.tmp\Barely Legal Sample.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe
2708	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2708 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

2708 AcroRd32.exe
2708 AcroRd32.exe
2708 AcroRd32.exe
2708 AcroRd32.exe
2708 AcroRd32.exe
2708 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e.execmd.exeMagazine.EXEBARELY~1.EXEcmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2460 wrote to memory of 1580	2460	346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e.exe	cmd.exe
PID 2460 wrote to memory of 1580	2460	346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e.exe	cmd.exe
PID 2460 wrote to memory of 1580	2460	346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e.exe	cmd.exe
PID 1580 wrote to memory of 592	1580	cmd.exe	Magazine.EXE
PID 1580 wrote to memory of 592	1580	cmd.exe	Magazine.EXE
PID 592 wrote to memory of 680	592	Magazine.EXE	BARELY~1.EXE
PID 592 wrote to memory of 680	592	Magazine.EXE	BARELY~1.EXE
PID 592 wrote to memory of 680	592	Magazine.EXE	BARELY~1.EXE
PID 680 wrote to memory of 3584	680	BARELY~1.EXE	cmd.exe
PID 680 wrote to memory of 3584	680	BARELY~1.EXE	cmd.exe
PID 680 wrote to memory of 3584	680	BARELY~1.EXE	cmd.exe
PID 3584 wrote to memory of 2708	3584	cmd.exe	AcroRd32.exe
PID 3584 wrote to memory of 2708	3584	cmd.exe	AcroRd32.exe
PID 3584 wrote to memory of 2708	3584	cmd.exe	AcroRd32.exe
PID 592 wrote to memory of 1272	592	Magazine.EXE	rstrui.exe
PID 592 wrote to memory of 1272	592	Magazine.EXE	rstrui.exe
PID 592 wrote to memory of 1272	592	Magazine.EXE	rstrui.exe
PID 2708 wrote to memory of 3188	2708	AcroRd32.exe	RdrCEF.exe
PID 2708 wrote to memory of 3188	2708	AcroRd32.exe	RdrCEF.exe
PID 2708 wrote to memory of 3188	2708	AcroRd32.exe	RdrCEF.exe
PID 2708 wrote to memory of 1044	2708	AcroRd32.exe	RdrCEF.exe
PID 2708 wrote to memory of 1044	2708	AcroRd32.exe	RdrCEF.exe
PID 2708 wrote to memory of 1044	2708	AcroRd32.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe
PID 3188 wrote to memory of 2376	3188	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e.exe
"C:\Users\Admin\AppData\Local\Temp\346c08fc3439a0619903ca25ed0b951e07096701eeb094bdab3770611328873e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E782.tmp\4.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\E782.tmp\Magazine.EXE
"Magazine.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BARELY~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BARELY~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F8C8.tmp\2.bat" "
5⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3584

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\F8C8.tmp\Barely Legal Sample.pdf"
6⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
7⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F811C9A117008194F99D9B8DEF04F97 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:2376

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=19CFB894B74FD523A311C88B9FFC25F5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=19CFB894B74FD523A311C88B9FFC25F5 --renderer-client-id=2 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job /prefetch:1
8⤵
PID:2056

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3493F96852680B4ABD4AC956C7C87292 --mojo-platform-channel-handle=2240 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:3572

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C511C8358AE92427416C62A3E3819AF5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C511C8358AE92427416C62A3E3819AF5 --renderer-client-id=5 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job /prefetch:1
8⤵
PID:3292

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A7A9E19E8DFE708C6BE1B2CA5D2E90B5 --mojo-platform-channel-handle=1868 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:3660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B898BF88B410FE1549BF2C77C5F944F --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:1032

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
7⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rstrui.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rstrui.exe
4⤵
- Executes dropped EXE
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E782.tmp\4.bat
MD5
3db7b3df2bd2b4a5570de1f8dbf4be12

SHA1
5e941e1a0c5a0e11853be3d7b136596a96d00f2b

SHA256
963a69f6e43f32c1ab47361e2af4b3b179143116984ecf504d21daba2f54a0be

SHA512
be6429b4fdb909c40cfe2a06d41edc087a12c652fe246f7b42709ca686fc43b943420f9cea94ace5cfec18166e3b206287dba10debd6e0546ab6158374f0e93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E782.tmp\Magazine.EXE
MD5
f6b04f81185283f88c92db7af0ed6ffc

SHA1
4787f668a898fa9bc3b5fb5d0d5667622d243146

SHA256
92e2832b54dda6a7336a7a5846bb257952e6820bde7fc13a1ce662dddc3fbcbe

SHA512
f4f320587374f8350d663b437611f44b340d648b2c2ae0d40c3851f66d079cbd6f89fd0dba46e8d4e13ce84d99b767dc2ba8ee304a2d51d727b43dd645e6a7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E782.tmp\Magazine.EXE
MD5
f6b04f81185283f88c92db7af0ed6ffc

SHA1
4787f668a898fa9bc3b5fb5d0d5667622d243146

SHA256
92e2832b54dda6a7336a7a5846bb257952e6820bde7fc13a1ce662dddc3fbcbe

SHA512
f4f320587374f8350d663b437611f44b340d648b2c2ae0d40c3851f66d079cbd6f89fd0dba46e8d4e13ce84d99b767dc2ba8ee304a2d51d727b43dd645e6a7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C8.tmp\2.bat
MD5
490975d7671c7459b9911b7f48cf4a4a

SHA1
7406154e8783aa4c5448640d843d9a3846de50bd

SHA256
41fe0e51b894b49e5592e71f5f16823cc25d54d50f7d7c97138ae9911e7418dd

SHA512
1d7d27dc78a71f9c19aa232e2be3e3c170f272d3323751ee9e6e3e8659568e9a804c07cf7e2dfa293eede478a4b54fb8f37b782e6a57b0a69215454fb917ac65

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C8.tmp\Barely Legal Sample.pdf
MD5
f4ed943c3a8013f676f3560b4cb9d44d

SHA1
2a2ed758195dba388354ad829ceb86a42dabc0e3

SHA256
6973a2d7c113f70fb1be23e44773a52b409bf07b47b814353c7552078d0b02a8

SHA512
342a2df86dd1a022da657e027da672c92eb156d2065b449741a2b184e57743d40587f52d4e63e329bb7851637001edced77830445cc80ed8f13260f6ebb4cc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BARELY~1.EXE
MD5
acc3d069c09972c713271355c175fb23

SHA1
4dc330bcd778a9bc5044dba05186eaa46e7ae440

SHA256
3443a47515ffb703ced7baaccee445addb904f17b3cd1815a4754821709e3561

SHA512
d9906aee8aa0a329293e7dee5b6be86f0c8e538dd1e56dd1d335f977b0b9b15d8cd780d5d14a60fafd0e437cc8973041bc37f7acc51f993cb6a5004090983d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BARELY~1.EXE
MD5
acc3d069c09972c713271355c175fb23

SHA1
4dc330bcd778a9bc5044dba05186eaa46e7ae440

SHA256
3443a47515ffb703ced7baaccee445addb904f17b3cd1815a4754821709e3561

SHA512
d9906aee8aa0a329293e7dee5b6be86f0c8e538dd1e56dd1d335f977b0b9b15d8cd780d5d14a60fafd0e437cc8973041bc37f7acc51f993cb6a5004090983d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rstrui.exe
MD5
b8df0a467b74b4e882b5733a431f4706

SHA1
29ce7c6f7faa5315073b9f7717746107f7233638

SHA256
52ee2549c62892522ac4a6c52e695f6e227e7425e94167710b69a0fe20c50f90

SHA512
b3c8d070031414e346f1d0722931dbb11cf25d58f5a992706aeae39526152d4d1197d1b41a2b4a8e82491c97206e0c0c5cde91c55e4ac05d4b5131d1a76f6ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rstrui.exe
MD5
b8df0a467b74b4e882b5733a431f4706

SHA1
29ce7c6f7faa5315073b9f7717746107f7233638

SHA256
52ee2549c62892522ac4a6c52e695f6e227e7425e94167710b69a0fe20c50f90

SHA512
b3c8d070031414e346f1d0722931dbb11cf25d58f5a992706aeae39526152d4d1197d1b41a2b4a8e82491c97206e0c0c5cde91c55e4ac05d4b5131d1a76f6ff6

Download Submit
memory/1032-146-0x0000000077BF2000-0x0000000077BF3000-memory.dmp

Filesize
4KB

Download
memory/2056-130-0x0000000077BF2000-0x0000000077BF3000-memory.dmp

Filesize
4KB

Download
memory/2376-127-0x0000000077BF2000-0x0000000077BF3000-memory.dmp

Filesize
4KB

Download
memory/3292-137-0x0000000077BF2000-0x0000000077BF3000-memory.dmp

Filesize
4KB

Download
memory/3572-135-0x0000000077BF2000-0x0000000077BF3000-memory.dmp

Filesize
4KB

Download
memory/3660-143-0x0000000077BF2000-0x0000000077BF3000-memory.dmp

Filesize
4KB

Download