Analysis
max time kernel: 118s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 22-06-2022 08:44

Static task: static1
Behavioral task: behavioral1
  Sample: 2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
  Resource: win10v2004-20220414-en
General
Target: 2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
Size: 1.0MB
MD5: 19e9776e8c45eab003baa27408b46c0c
SHA1: 1b785eb0188d4be4ad90d9ddcd7fc309f9d841da
SHA256: 2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578
SHA512: b9c002b77d3e9d8d1cef4efb69d3594bf8089a315602a626f482aa7512ffbb35301004e43d2777fc6b631c53158fc4fa9c17126e5300a17c64a8845f70b96667
Malware Config
Signatures
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource  yara_rule
behavioral2/memory/2504-144-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral2/memory/2504-146-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral2/memory/2504-147-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource  yara_rule
behavioral2/memory/3456-167-0x0000000000400000-0x000000000045A000-memory.dmp  WebBrowserPassView
behavioral2/memory/3456-169-0x0000000000400000-0x000000000045A000-memory.dmp  WebBrowserPassView
behavioral2/memory/3456-171-0x0000000000400000-0x000000000045A000-memory.dmp  WebBrowserPassView
-
Nirsoft 6 IoCs
Processes:
resource  yara_rule
behavioral2/memory/2504-144-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/2504-146-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/2504-147-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/3456-167-0x0000000000400000-0x000000000045A000-memory.dmp  Nirsoft
behavioral2/memory/3456-169-0x0000000000400000-0x000000000045A000-memory.dmp  Nirsoft
behavioral2/memory/3456-171-0x0000000000400000-0x000000000045A000-memory.dmp  Nirsoft
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                       process
Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
-
Uses the VB.NET compiler (vbc.exe) for execution 1 TTPs
The signature name says "VBS compiler", but the binary launched is vbc.exe, the Visual Basic .NET compiler. The sample starts it twice as a child process and replaces its code (see the SetThreadContext entries below and the "/stext" command lines in the process tree), which is why the MailPassView and WebBrowserPassView YARA hits land in the two vbc.exe processes (2504 and 3456).
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description  ioc                                                                                                process
Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                  process
Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
31    checkip.dyndns.org
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process                                                                 target process
PID 1628 set thread context of 5024  1628  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 5024 set thread context of 2504  5024  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  vbc.exe
PID 5024 set thread context of 3456  5024  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the generic signature text: nothing else in this report shows file encryption, and the remaining behaviour points to credential theft.)
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                              process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid   process
1908  timeout.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description  ioc                                                                                                                        process
Key created  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
-
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                            process
Key created  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
pid   process                                                                 entries
1628  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  4
3456  vbc.exe                                                                 12
1836  AcroRd32.exe                                                            20
3912  AdobeARM.exe                                                            2
(38 listed entries; identical rows collapsed with their count)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                          pid   process
Token: SeDebugPrivilege              1628  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
Token: 33                            1628  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
Token: SeIncBasePriorityPrivilege    1628  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
Token: SeDebugPrivilege              5024  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid   process                                                                 entries
5024  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  1
1836  AcroRd32.exe                                                            6
3912  AdobeARM.exe                                                            1
(8 listed entries; identical rows collapsed with their count)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                        entries  pid   process                                                                 target process
PID 1628 wrote to memory of 4376   3        1628  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  cmd.exe
PID 4376 wrote to memory of 2828   3        4376  cmd.exe                                                                 reg.exe
PID 1628 wrote to memory of 5024   8        1628  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5080   3        1628  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  cmd.exe
PID 5080 wrote to memory of 1908   3        5080  cmd.exe                                                                 timeout.exe
PID 5024 wrote to memory of 1836   3        5024  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  AcroRd32.exe
PID 5024 wrote to memory of 2504   9        5024  2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  vbc.exe
PID 1836 wrote to memory of 2552   3        1836  AcroRd32.exe                                                            RdrCEF.exe
PID 2552 wrote to memory of 5088   29       2552  RdrCEF.exe                                                              RdrCEF.exe
(64 listed entries; identical rows collapsed with their count)
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  (depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe  (depth 2)
  cmdline: "cmd.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe  (depth 3)
  cmdline: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe" /f
-
C:\Users\Admin\AppData\Local\Temp\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe  (depth 2)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  (depth 3)
  cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (depth 4)
  cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (depth 5)
  cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A14FFE76EA49E5289EF03D141C74FAA4 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (depth 5)
  cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=61309817D46E80F6B7F8B8363AF7C74E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=61309817D46E80F6B7F8B8363AF7C74E --renderer-client-id=2 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (depth 5)
  cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A79FB215D611CC8A128D39A24A7C0D21 --mojo-platform-channel-handle=2276 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (depth 5)
  cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7B60E481C960047AFCD9098091C501A0 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (depth 5)
  cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9851A2CEE96C360B72C538EECC6C11A --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe  (depth 4)
  cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe  (depth 5)
  cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (depth 3)
  cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (depth 3)
  cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe  (depth 2)
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exe  (depth 3)
  cmdline: timeout /t 300
- Delays execution with timeout.exe
-
C:\Windows\System32\CompPkgSrv.exe  (depth 1)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
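The process tree and signatures above describe one chain: the sample relaunches itself and hollows the copy (SetThreadContext 1628 -> 5024), the copy writes a Run value and a "Windows\Load" value pointing into the user profile, spawns vbc.exe twice and hollows each with a NirSoft tool that dumps credentials via "/stext", delays with timeout.exe, and resolves checkip.dyndns.org. The script below turns those observations into triage rules and runs them over event records. It is an added example, not code from the Triage report or from the sample; the event records are constructed from this report's process tree, registry IoCs and network IoC, and the flat dict schema (event, pid, ppid, image, cmdline, target_pid, key, value, query) is an assumed simplification of Sysmon-style telemetry, not a real log format. The report does not say which process resolved checkip.dyndns.org, so attributing that lookup to pid 5024 is also an assumption.

```python
"""Triage rules for the behaviours in this report (added example, not the report's code).

Event records are constructed from the report; the schema is an assumed
simplification of Sysmon-style telemetry.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe")
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
ACRORD = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"

# Autostart values written in the report: an HKCU Run value and the
# "Windows\Load" value that reg.exe sets.
AUTOSTART_RE = re.compile(
    r"\\(Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+"
    r"|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# NirSoft recovery tools write their results with "/stext <file>".
STEXT_RE = re.compile(r'/stext\s+"?([^"]+\.txt)', re.I)
DELAY_RE = re.compile(r"\btimeout(?:\.exe)?\s+/t\s+\d+", re.I)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}   # the one lookup host on this page

EVENTS = [  # constructed; pids, paths and command lines are taken from the report
    {"event": "process_create", "pid": 1628, "ppid": 900, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"event": "process_create", "pid": 4376, "ppid": 1628,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd.exe"},
    {"event": "process_create", "pid": 2828, "ppid": 4376,
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe" /f'},
    {"event": "registry_set", "pid": 2828,
     "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "value": r"C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe"},
    {"event": "process_create", "pid": 5024, "ppid": 1628, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"event": "set_thread_context", "pid": 1628, "target_pid": 5024},
    {"event": "registry_set", "pid": 5024,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "value": r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"},
    {"event": "process_create", "pid": 1836, "ppid": 5024, "image": ACRORD,  # decoy PDF, benign child
     "cmdline": '"' + ACRORD + r'" "C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf"'},
    {"event": "process_create", "pid": 2504, "ppid": 5024, "image": VBC,
     "cmdline": '"' + VBC + r'" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"'},
    {"event": "set_thread_context", "pid": 5024, "target_pid": 2504},
    {"event": "process_create", "pid": 3456, "ppid": 5024, "image": VBC,
     "cmdline": '"' + VBC + r'" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"'},
    {"event": "set_thread_context", "pid": 5024, "target_pid": 3456},
    {"event": "process_create", "pid": 1908, "ppid": 5080,
     "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout /t 300"},
    # The report shows only the network flow; which pid resolved the name is assumed.
    {"event": "dns_query", "pid": 5024, "query": "checkip.dyndns.org"},
]


def processes(events):
    """pid -> its process_create record."""
    return {e["pid"]: e for e in events if e["event"] == "process_create"}


def detect_hollowing(events):
    """SetThreadContext on a direct child: the hollowing pattern in the report."""
    procs = processes(events)
    hits = []
    for e in events:
        if e["event"] == "set_thread_context":
            child = procs.get(e["target_pid"])
            if child and child["ppid"] == e["pid"]:
                hits.append((e["pid"], child["pid"], child["image"]))
    return hits


def detect_credential_dump(events):
    """'/stext <file>' launches, tagged with whether the host process was hollowed."""
    hollowed = {child for _, child, _ in detect_hollowing(events)}
    hits = []
    for e in events:
        if e["event"] == "process_create":
            m = STEXT_RE.search(e["cmdline"])
            if m:
                hits.append((e["pid"], m.group(1), e["pid"] in hollowed))
    return hits


def detect_persistence(events):
    """Autostart values; a target under the user's AppData ranks highest."""
    hits = []
    for e in events:
        if e["event"] == "registry_set" and AUTOSTART_RE.search(e["key"]):
            sev = "high" if USER_WRITABLE_RE.search(e["value"]) else "medium"
            hits.append((e["key"], e["value"], sev))
    return hits


def detect_ip_lookup(events):
    return [e["query"] for e in events
            if e["event"] == "dns_query" and e["query"].lower() in IP_LOOKUP_HOSTS]


def detect_delay(events):
    return [(e["pid"], e["cmdline"]) for e in events
            if e["event"] == "process_create" and DELAY_RE.search(e["cmdline"])]


def triage(events):
    return {"process_hollowing": detect_hollowing(events),
            "credential_dump": detect_credential_dump(events),
            "persistence": detect_persistence(events),
            "ip_lookup": detect_ip_lookup(events),
            "execution_delay": detect_delay(events)}


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

The hollowing rule keys on the parent/child relationship rather than on image names, so it catches both the self-relaunch (same image) and the vbc.exe children; AcroRd32.exe, which the same parent spawns for the decoy PDF, is not flagged because no thread context is set in it. Credential-dump hits are cross-referenced against the hollowed set, which is the combination that distinguishes this run from a legitimate vbc.exe invocation.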
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
Filesize  204B
MD5       bfcbf382f036462e63f307ca4ae280c7
SHA1      ffe98d15fa5ea205220d6bc105e317253a6ea003
SHA256    2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727
SHA512    1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16
-
C:\Users\Admin\AppData\Local\Temp\Web.txt
Filesize  3KB
MD5       b9daf88205e7429feaceda806bd561d2
SHA1      1893c80e74cfea9914343c6e4213393804a92dd1
SHA256    efa03262d4c3f5a46ab526946b8c7450d37eff4b5f8d53b43468655eea8cc027
SHA512    649ba70698611bd66aa91e40aaa81327a60efc098c1705729f9eb316c18e9bcca6af2363b24f8ac4aea5d25f12303833aedaada6fd26f1eebb86711a4e9baaf1
-
memory/1408-173-0x0000000000000000-mapping.dmp
-
memory/1628-139-0x00000000749A0000-0x0000000074F51000-memory.dmp
Filesize  5.7MB
-
memory/1628-130-0x00000000749A0000-0x0000000074F51000-memory.dmp
Filesize  5.7MB
-
memory/1628-140-0x00000000749A0000-0x0000000074F51000-memory.dmp
Filesize  5.7MB
-
memory/1836-142-0x0000000000000000-mapping.dmp
-
memory/1908-137-0x0000000000000000-mapping.dmp
-
memory/2136-164-0x0000000000000000-mapping.dmp
-
memory/2504-144-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize  108KB
-
memory/2504-147-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize  108KB
-
memory/2504-143-0x0000000000000000-mapping.dmp
-
memory/2504-146-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize  108KB
-
memory/2552-148-0x0000000000000000-mapping.dmp
-
memory/2828-132-0x0000000000000000-mapping.dmp
-
memory/3396-153-0x0000000000000000-mapping.dmp
-
memory/3456-169-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize  360KB
-
memory/3456-166-0x0000000000000000-mapping.dmp
-
memory/3456-171-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize  360KB
-
memory/3456-167-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize  360KB
-
memory/3856-161-0x0000000000000000-mapping.dmp
-
memory/3912-172-0x0000000000000000-mapping.dmp
-
memory/4376-131-0x0000000000000000-mapping.dmp
-
memory/4624-158-0x0000000000000000-mapping.dmp
-
memory/5024-133-0x0000000000000000-mapping.dmp
-
memory/5024-138-0x00000000749A0000-0x0000000074F51000-memory.dmp
Filesize  5.7MB
-
memory/5024-141-0x00000000749A0000-0x0000000074F51000-memory.dmp
Filesize  5.7MB
-
memory/5024-134-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize  496KB
-
memory/5080-135-0x0000000000000000-mapping.dmp
-
memory/5088-150-0x0000000000000000-mapping.dmp