832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d

General

Target

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe
Size

1.3MB
MD5

3c9aa6dc8c4501ffa2798f044df53438
SHA1

0076a7342908f675c1d7bf630ec6912cd75060dd
SHA256

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d
SHA512

0406541e3a89abfefaca7834a3d5cae07d2ce876ef0fa47a51915e464cb80fcad2cd4bb45b81ba026cf15616eafcb6cd97fac73037a1c0635835f376ae398fca

Score

8^/10

link pdf persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winword.exe

pid process

2072 winword.exe

pid	process
2072	winword.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\McUpdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winword.exe\""	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\九州の温泉紹介-九州観光旅館連絡会-平成25年.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe
1988	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

description pid process

Token: SeIncBasePriorityPrivilege 3080 832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1988 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

1988 AcroRd32.exe
1988 AcroRd32.exe
1988 AcroRd32.exe
1988 AcroRd32.exe
1988 AcroRd32.exe
1988 AcroRd32.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3080 wrote to memory of 1988	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	AcroRd32.exe
PID 3080 wrote to memory of 1988	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	AcroRd32.exe
PID 3080 wrote to memory of 1988	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	AcroRd32.exe
PID 3080 wrote to memory of 2072	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	winword.exe
PID 3080 wrote to memory of 2072	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	winword.exe
PID 3080 wrote to memory of 2072	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	winword.exe
PID 3080 wrote to memory of 2160	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	cmd.exe
PID 3080 wrote to memory of 2160	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	cmd.exe
PID 3080 wrote to memory of 2160	3080	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	cmd.exe
PID 1988 wrote to memory of 520	1988	AcroRd32.exe	RdrCEF.exe
PID 1988 wrote to memory of 520	1988	AcroRd32.exe	RdrCEF.exe
PID 1988 wrote to memory of 520	1988	AcroRd32.exe	RdrCEF.exe
PID 1988 wrote to memory of 1072	1988	AcroRd32.exe	RdrCEF.exe
PID 1988 wrote to memory of 1072	1988	AcroRd32.exe	RdrCEF.exe
PID 1988 wrote to memory of 1072	1988	AcroRd32.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 960	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 3776	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 3776	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 3776	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 3776	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 3776	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 3776	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 3776	520	RdrCEF.exe	RdrCEF.exe
PID 520 wrote to memory of 3776	520	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe
"C:\Users\Admin\AppData\Local\Temp\832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\九州の温泉紹介-九州観光旅館連絡会-平成25年.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B9F25DC054DAA3511A24D90753AEAE6F --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:960

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=06814A0F5CE861288C239063EA4C5959 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=06814A0F5CE861288C239063EA4C5959 --renderer-client-id=2 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3776

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=283BF8B020C88F3E3AE92074CF45F08E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=283BF8B020C88F3E3AE92074CF45F08E --renderer-client-id=4 --mojo-platform-channel-handle=2076 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3444

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=96CCABF634F4FCD29765D4002AF19D17 --mojo-platform-channel-handle=2468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3032

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CBCB912C89EC579E8C8C0FD8068657FA --mojo-platform-channel-handle=2016 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1520

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9161A03085795C56402387D30AA796EA --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3976

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\winword.exe
"C:\Users\Admin\AppData\Local\Temp\winword.exe"
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\832CAF~1.EXE > nul
2⤵
PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winword.exe
MD5
6dc5d006eafa5e135ec89fa456060b58

SHA1
e7cd3a1e6a1017401ade9bf55456553313e3a8c1

SHA256
ff13f9b00580f19e389d8852144ecb6ae7876e1091861aad796ab619fea33398

SHA512
a7f40c7226134d811c8d8035fbbe47220a480356be83d86b28518402c04156f4f905f81d00f2e342001c788209e26e7a6f4b7e74798b17d176a4a23800b6c66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\winword.exe
MD5
6dc5d006eafa5e135ec89fa456060b58

SHA1
e7cd3a1e6a1017401ade9bf55456553313e3a8c1

SHA256
ff13f9b00580f19e389d8852144ecb6ae7876e1091861aad796ab619fea33398

SHA512
a7f40c7226134d811c8d8035fbbe47220a480356be83d86b28518402c04156f4f905f81d00f2e342001c788209e26e7a6f4b7e74798b17d176a4a23800b6c66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\九州の温泉紹介-九州観光旅館連絡会-平成25年.pdf
MD5
8778792f2917620f454f8e1d13670f60

SHA1
8c6a3802df06d89b5d325491d9720e3f2ee67e04

SHA256
44aacc0bf620886c1ed51f6b19f0c63229b10114db4ee322daede67dc7953bf6

SHA512
5f01867193f58149565c6d4f14f34c0f1e8ff2872e33f5a09c28ed0165200c3383943f76cbe2c8f30a5ee8cafb92b24fbb4b2709835e0b03a08bd80d96042829

Download Submit
memory/960-121-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/1520-137-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/3032-134-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/3444-129-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/3776-124-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/3976-140-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads