6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a

General

Target

6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe
Size

716KB
MD5

218bbd007898e6b6fc754fe5c76668fc
SHA1

81ac434b84905b8746ea61ebb479135bbd3a3c4d
SHA256

6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a
SHA512

ec5b325a2d53067e62a358433364d0123506398e6e1972a72ca41bd26428cc49049b16067dd0066676f176bac97068a6aed521ded0fa408b74f1c40627a72105

Score

8^/10

link pdf persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ABODE32.exe

pid process

1188 ABODE32.exe

pid	process
1188	ABODE32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\McUpdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ABODE32.exe\""	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\U.S Army Test and Evaluation Command Event.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe

description pid process

Token: SeIncBasePriorityPrivilege 2572 6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1304 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

1304 AcroRd32.exe
1304 AcroRd32.exe
1304 AcroRd32.exe
1304 AcroRd32.exe
1304 AcroRd32.exe
1304 AcroRd32.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2572 wrote to memory of 1304	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	AcroRd32.exe
PID 2572 wrote to memory of 1304	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	AcroRd32.exe
PID 2572 wrote to memory of 1304	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	AcroRd32.exe
PID 2572 wrote to memory of 1188	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	ABODE32.exe
PID 2572 wrote to memory of 1188	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	ABODE32.exe
PID 2572 wrote to memory of 1188	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	ABODE32.exe
PID 2572 wrote to memory of 596	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	cmd.exe
PID 2572 wrote to memory of 596	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	cmd.exe
PID 2572 wrote to memory of 596	2572	6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe	cmd.exe
PID 1304 wrote to memory of 3008	1304	AcroRd32.exe	RdrCEF.exe
PID 1304 wrote to memory of 3008	1304	AcroRd32.exe	RdrCEF.exe
PID 1304 wrote to memory of 3008	1304	AcroRd32.exe	RdrCEF.exe
PID 1304 wrote to memory of 1232	1304	AcroRd32.exe	RdrCEF.exe
PID 1304 wrote to memory of 1232	1304	AcroRd32.exe	RdrCEF.exe
PID 1304 wrote to memory of 1232	1304	AcroRd32.exe	RdrCEF.exe
PID 1304 wrote to memory of 3944	1304	AcroRd32.exe	RdrCEF.exe
PID 1304 wrote to memory of 3944	1304	AcroRd32.exe	RdrCEF.exe
PID 1304 wrote to memory of 3944	1304	AcroRd32.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2352	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2320	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2320	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2320	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2320	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 2320	3944	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe
"C:\Users\Admin\AppData\Local\Temp\6c46fe5c992989e43a781c7449354c7869bba06b4e15d66962b59f306117893a.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\U.S Army Test and Evaluation Command Event.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:3008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:1232

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8AD7F6B787DD6416E4DCDC10F4A1A35A --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2352

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=05F3C2023D78AB51984A5E4192A222B4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=05F3C2023D78AB51984A5E4192A222B4 --renderer-client-id=2 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2320

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DD789C27041F5720ABB9B9E63D561E0B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DD789C27041F5720ABB9B9E63D561E0B --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C8AC8C9EED238DAF2FDCC6F662477C03 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3252

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=439BD4110804BA7D0384664AEEBEDEF6 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F3DF58F99CDA3F09BF99CD04E00129B5 --mojo-platform-channel-handle=1832 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\ABODE32.exe
"C:\Users\Admin\AppData\Local\Temp\ABODE32.exe"
2⤵
- Executes dropped EXE
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6C46FE~1.EXE > nul
2⤵
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABODE32.exe
MD5
5f652d20c5979d3af1c78e053530c247

SHA1
377799de0a00b25874d9b3a85f71981b7a7d4bb6

SHA256
1873d3f665acfacdf34bbae4e0a0c24989678600b09b0aa7a41148b2af306cde

SHA512
004bf2642791941ec8659920802f8f1f1fdb53e0ccdf5d9cb129d218cef47f5ecbba1d4889a59f942c3f4c99fe7ffc84c99f363428d92b070433d2e83c4c0734

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABODE32.exe
MD5
5f652d20c5979d3af1c78e053530c247

SHA1
377799de0a00b25874d9b3a85f71981b7a7d4bb6

SHA256
1873d3f665acfacdf34bbae4e0a0c24989678600b09b0aa7a41148b2af306cde

SHA512
004bf2642791941ec8659920802f8f1f1fdb53e0ccdf5d9cb129d218cef47f5ecbba1d4889a59f942c3f4c99fe7ffc84c99f363428d92b070433d2e83c4c0734

Download Submit
C:\Users\Admin\AppData\Local\Temp\U.S Army Test and Evaluation Command Event.pdf
MD5
5ca51c264208297a72cc18a4365c870a

SHA1
f7a80c850c2d4fd2df5cc7fc43f5f9fa80255bac

SHA256
c5e640c87bdba5212a0f669c82975d5266fcf4d77fe988dbb6edaef83f91c4aa

SHA512
8b3ab46bb8c6bcb7b8575a97a458c17230d7dd7566728610d526a95e756886e97ab4d82b1ea2c3081edc1ff184ee9bd4cbb004ac705ffd59354af1f4676bdd91

Download Submit
memory/832-137-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

Filesize
4KB

Download
memory/2176-129-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

Filesize
4KB

Download
memory/2320-123-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

Filesize
4KB

Download
memory/2352-121-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

Filesize
4KB

Download
memory/3252-134-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

Filesize
4KB

Download
memory/3600-140-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads