Analysis
- max time kernel: 152s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 13:23
Static task: static1
Behavioral task: behavioral1 (Sample: cnf3669009.exe; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: cnf3669009.exe; Resource: win10v2004-20220414-en)
General
- Target: cnf3669009.exe
- Size: 625KB
- MD5: f13aa37174903d14951c141da29ec4bc
- SHA1: f54aa0b0a452ffba34bb154a467dbef3bf347fd9
- SHA256: b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715
- SHA512: bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes (pid | process):
- 2528 | Host.exe
- 5080 | Host.exe
- 3848 | Host.exe
UPX packed file (YARA rule: upx)
Resources matching the rule (resource | yara_rule):
- behavioral2/memory/1488-130-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/1488-131-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/3448-135-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/3448-136-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- C:\Users\Admin\AppData\Roaming\Install\Host.exe | upx
- C:\Users\Admin\AppData\Roaming\Install\Host.exe | upx
- behavioral2/memory/2528-141-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/3096-143-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- C:\Users\Admin\AppData\Roaming\Install\Host.exe | upx
- C:\Users\Admin\AppData\Roaming\Install\Host.exe | upx
- behavioral2/memory/2528-154-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/3096-156-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/3556-155-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/3848-157-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/3556-158-0x0000000000400000-0x0000000000520000-memory.dmp | upx
- behavioral2/memory/3848-159-0x0000000000400000-0x0000000000520000-memory.dmp | upx
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | cnf3669009.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Host.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | cnf3669009.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | cnf3669009.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | cnf3669009.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnf3669009.exe" | cnf3669009.exe
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Host.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
- PID 1488 set thread context of 3492 | 1488 | cnf3669009.exe | cnf3669009.exe
- PID 2528 set thread context of 5080 | 2528 | Host.exe | Host.exe
- PID 3096 set thread context of 3424 | 3096 | cnf3669009.exe | cnf3669009.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Modifies Internet Explorer settings
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class (3 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | cnf3669009.exe
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | cnf3669009.exe
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | Host.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process), in report order, consecutive identical rows collapsed with a count:
- 1488 | cnf3669009.exe (×2)
- 3448 | cnf3669009.exe (×8)
- 2528 | Host.exe (×2)
- 3096 | cnf3669009.exe (×2)
- 3556 | cnf3669009.exe (×4)
- 3848 | Host.exe (×6)
- 3556 | cnf3669009.exe (×2)
- 3848 | Host.exe (×2)
- 3556 | cnf3669009.exe (×4)
- 3848 | Host.exe (×4)
- 3556 | cnf3669009.exe (×2)
- 3848 | Host.exe (×2)
- 3556 | cnf3669009.exe (×2)
- 3848 | Host.exe (×2)
- 3556 | cnf3669009.exe (×2)
- 3848 | Host.exe (×2)
- 3556 | cnf3669009.exe (×2)
- 3848 | Host.exe (×2)
- 3556 | cnf3669009.exe (×2)
- 3848 | Host.exe (×2)
- 3556 | cnf3669009.exe (×2)
- 3848 | Host.exe (×2)
- 3556 | cnf3669009.exe (×2)
- 3848 | Host.exe (×2)
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes (pid | process):
- 1488 | cnf3669009.exe
- 2528 | Host.exe
- 3096 | cnf3669009.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid | process):
- 3456 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes (pid | process):
- 3456 | AcroRd32.exe
- 3456 | AcroRd32.exe
- 2812 | AcroRd32.exe
- 4528 | AcroRd32.exe
- 3456 | AcroRd32.exe
- 3456 | AcroRd32.exe
- 3456 | AcroRd32.exe
- 3456 | AcroRd32.exe
- 3932 | AdobeARM.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process), in report order, consecutive identical rows collapsed with a count:
- PID 1488 wrote to memory of 3456 | 1488 | cnf3669009.exe | AcroRd32.exe (×3)
- PID 1488 wrote to memory of 3492 | 1488 | cnf3669009.exe | cnf3669009.exe (×3)
- PID 1488 wrote to memory of 3448 | 1488 | cnf3669009.exe | cnf3669009.exe (×3)
- PID 3492 wrote to memory of 2528 | 3492 | cnf3669009.exe | Host.exe (×3)
- PID 3448 wrote to memory of 3096 | 3448 | cnf3669009.exe | cnf3669009.exe (×3)
- PID 2528 wrote to memory of 2812 | 2528 | Host.exe | AcroRd32.exe (×3)
- PID 2528 wrote to memory of 5080 | 2528 | Host.exe | Host.exe (×3)
- PID 3096 wrote to memory of 4528 | 3096 | cnf3669009.exe | AcroRd32.exe (×3)
- PID 3096 wrote to memory of 3424 | 3096 | cnf3669009.exe | cnf3669009.exe (×3)
- PID 2528 wrote to memory of 3848 | 2528 | Host.exe | Host.exe (×3)
- PID 3096 wrote to memory of 3556 | 3096 | cnf3669009.exe | cnf3669009.exe (×3)
- PID 3456 wrote to memory of 4752 | 3456 | AcroRd32.exe | RdrCEF.exe (×3)
- PID 4752 wrote to memory of 4256 | 4752 | RdrCEF.exe | RdrCEF.exe (×28, the remainder up to the 64-IoC cap)
Processes (process tree; nesting shows parent/child, each node gives the image path, its command line and the signatures triggered)
- C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Caixa.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18F572A22B8F7D78F382BB6590D60334 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6BAC842359210369B96D8951740E4F3C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6BAC842359210369B96D8951740E4F3C --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=793714EDE0BA9DD6CEE9F2F6CECAA980 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=793714EDE0BA9DD6CEE9F2F6CECAA980 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F781BD6677A626210EFDA00821708D3 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AAB9D97B9B63F7FE71EF12F6DFECEBA0 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B36094E7092934A386145122A33A1031 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
      - Suspicious use of SetWindowsHookEx
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
  - C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Caixa.pdf"
        - Checks processor information in registry
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Install\Host.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 5080 240551390
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Roaming\Install\Host.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        - Executes dropped EXE
        - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe" 2 3492 240550546
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Caixa.pdf"
        - Checks processor information in registry
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe"
        - Adds Run key to start application
      - C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe" 2 3424 240551453
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Caixa.pdf
  Filesize: 207KB
  MD5: 246222bebe4293c15d735017e635f27a
  SHA1: 9d57e7dd21ad9da29c274980cf7e0ac2ae05be19
  SHA256: 09f3e707d2854559554d317aec887c91e752e78a28caf46f24441b8884409d0d
  SHA512: 9a254cf2158a7f883a1bfdf318af39916cdc97ad39a444155bc7694c6f2078d285dee44ee67ae66db028dc84624f096edd84b629df973490caed974ed44cc611
- C:\Users\Admin\AppData\Roaming\Install\Host.exe (same hashes as the submitted sample cnf3669009.exe)
  Filesize: 625KB
  MD5: f13aa37174903d14951c141da29ec4bc
  SHA1: f54aa0b0a452ffba34bb154a467dbef3bf347fd9
  SHA256: b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715
  SHA512: bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736
Memory dumps (filesize where reported):
- memory/1488-130-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/1488-131-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/2528-137-0x0000000000000000-mapping.dmp
- memory/2528-154-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/2528-141-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/2812-146-0x0000000000000000-mapping.dmp
- memory/2932-170-0x0000000000000000-mapping.dmp
- memory/3096-143-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/3096-140-0x0000000000000000-mapping.dmp
- memory/3096-156-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/3372-184-0x0000000000000000-mapping.dmp
- memory/3424-150-0x0000000000000000-mapping.dmp
- memory/3448-135-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/3448-134-0x0000000000000000-mapping.dmp
- memory/3448-136-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/3456-132-0x0000000000000000-mapping.dmp
- memory/3492-133-0x0000000000000000-mapping.dmp
- memory/3556-155-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/3556-158-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/3556-152-0x0000000000000000-mapping.dmp
- memory/3848-151-0x0000000000000000-mapping.dmp
- memory/3848-157-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/3848-159-0x0000000000400000-0x0000000000520000-memory.dmp (1.1MB)
- memory/3932-183-0x0000000000000000-mapping.dmp
- memory/4036-178-0x0000000000000000-mapping.dmp
- memory/4192-165-0x0000000000000000-mapping.dmp
- memory/4256-162-0x0000000000000000-mapping.dmp
- memory/4528-147-0x0000000000000000-mapping.dmp
- memory/4560-175-0x0000000000000000-mapping.dmp
- memory/4752-160-0x0000000000000000-mapping.dmp
- memory/4876-181-0x0000000000000000-mapping.dmp
- memory/5080-148-0x0000000000000000-mapping.dmp