b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe
Size

200KB
MD5

0a61b7b1f70d609f70161f4dce53d290
SHA1

a4b6610df7e4c92ea8777df610d85b593dafc7f8
SHA256

b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7
SHA512

ae9bc96b9c61fe7c9ea8fbc703e2227cc76599ec0cb5753b4be9d7915f6d553f21eea9abc14e55a2266f0df58db4ac6fdccc2bced659c4eb0ddeb3afbad3d17c
SSDEEP

3072:9BI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikanHul3vfS:9K5ArKjbAxXSaegUqGeGpBohMmH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3248	AtBrroxy.exe
2620	fontanel.exe
5100	~9CE1.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nslontui = "C:\\Users\\Admin\\AppData\\Roaming\\mounnced\\AtBrroxy.exe"	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fontanel.exe	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	AtBrroxy.exe
3248	AtBrroxy.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE
2620	fontanel.exe
2620	fontanel.exe
744	Explorer.EXE
744	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	744	Explorer.EXE
Token: SeCreatePagefilePrivilege	744	Explorer.EXE
Token: SeShutdownPrivilege	744	Explorer.EXE
Token: SeCreatePagefilePrivilege	744	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1220	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1220	AcroRd32.exe
1220	AcroRd32.exe
1220	AcroRd32.exe
1220	AcroRd32.exe
1220	AcroRd32.exe
1220	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 3248	4844	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	82
PID 4844 wrote to memory of 3248	4844	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	82
PID 4844 wrote to memory of 3248	4844	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	82
PID 3248 wrote to memory of 5100	3248	AtBrroxy.exe	84
PID 3248 wrote to memory of 5100	3248	AtBrroxy.exe	84
PID 5100 wrote to memory of 744	5100	~9CE1.tmp	26
PID 4844 wrote to memory of 1220	4844	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	85
PID 4844 wrote to memory of 1220	4844	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	85
PID 4844 wrote to memory of 1220	4844	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	85
PID 1220 wrote to memory of 3308	1220	AcroRd32.exe	86
PID 1220 wrote to memory of 3308	1220	AcroRd32.exe	86
PID 1220 wrote to memory of 3308	1220	AcroRd32.exe	86
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 2696	3308	RdrCEF.exe	89
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90
PID 3308 wrote to memory of 3804	3308	RdrCEF.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744
- C:\Users\Admin\AppData\Local\Temp\b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe
  "C:\Users\Admin\AppData\Local\Temp\b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Roaming\mounnced\AtBrroxy.exe
    "C:\Users\Admin\AppData\Roaming\mounnced\AtBrroxy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\~9CE1.tmp
      "C:\Users\Admin\AppData\Local\Temp\~9CE1.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5100
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~9D4E.tmp.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C332850A4C7707B2E2F1AC5F02CC5E0 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2696
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=75948DEBDB3029A991291E7B44919FF9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=75948DEBDB3029A991291E7B44919FF9 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:3804
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5286C8AC145C9B61F66852D798ECFD27 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5286C8AC145C9B61F66852D798ECFD27 --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4644
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0731E636C3F71D0BC830A5F263967504 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1136
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=20AD8D6803E0CEB8AA7FED43E5CAB675 --mojo-platform-channel-handle=1820 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1832
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C4D2C240A52C5F1321957AD7A20BFA50 --mojo-platform-channel-handle=2500 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2244

C:\Windows\SysWOW64\fontanel.exe
C:\Windows\SysWOW64\fontanel.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~9CE1.tmp

Filesize
6KB

MD5
4e6d8d5133806584a4c12288a4e1c402

SHA1
f5cd377b6a7a4770759834842ff034bb0b20766c

SHA256
29ae2163b84421076e0450d0459d8fb28f3a0a165d88557884121232494b118a

SHA512
2e27e457c8a4f6ebcf00d6d09b63c5494e58c2514b952cc561b1061b6112f0d71b993d6cb8da503ceef9500f5f5d25fd69d65fdfc4c1a6ed77c5dbdb2d50baaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9CE1.tmp

Filesize
6KB

MD5
4e6d8d5133806584a4c12288a4e1c402

SHA1
f5cd377b6a7a4770759834842ff034bb0b20766c

SHA256
29ae2163b84421076e0450d0459d8fb28f3a0a165d88557884121232494b118a

SHA512
2e27e457c8a4f6ebcf00d6d09b63c5494e58c2514b952cc561b1061b6112f0d71b993d6cb8da503ceef9500f5f5d25fd69d65fdfc4c1a6ed77c5dbdb2d50baaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9D4E.tmp.pdf

Filesize
8KB

MD5
53b6aedf7552363ef189badd823b5153

SHA1
59107eb0c5d94f4ec19c2e89114513ed2490640c

SHA256
e7d085103f208cfa2198a0c111c4fe2ad7ced06dd2f9c4628bca169e2f4d0eb3

SHA512
38d3411d0c17d2ce9bd6409c18db341c278c14d48a05610ff8547a71a42cf858fa78f83ec150cd028e355f990aabecea96d0de21c60b68e77e99b3f100e46583

Download Submit
C:\Users\Admin\AppData\Roaming\mounnced\AtBrroxy.exe

Filesize
172KB

MD5
0d7556d0c186aed6a6e342aeea10494a

SHA1
fdcc5a3cfa19cae3bdb2eb47b15cd45f253a7243

SHA256
3d106c460e73dc3582f0feb269cb2e0186a4c3103cc1d2e54c05791f8daf5c4f

SHA512
b6781fbc402da0485cd3c111949281e2f9766b639e663a74ddcd452751dfee2af08160029a96489cb2671e2344c2a5fb47ee7fd784346924c1a7a32ed60a2309

Download Submit
C:\Users\Admin\AppData\Roaming\mounnced\AtBrroxy.exe

Filesize
172KB

MD5
0d7556d0c186aed6a6e342aeea10494a

SHA1
fdcc5a3cfa19cae3bdb2eb47b15cd45f253a7243

SHA256
3d106c460e73dc3582f0feb269cb2e0186a4c3103cc1d2e54c05791f8daf5c4f

SHA512
b6781fbc402da0485cd3c111949281e2f9766b639e663a74ddcd452751dfee2af08160029a96489cb2671e2344c2a5fb47ee7fd784346924c1a7a32ed60a2309

Download Submit
C:\Windows\SysWOW64\fontanel.exe

Filesize
200KB

MD5
0a61b7b1f70d609f70161f4dce53d290

SHA1
a4b6610df7e4c92ea8777df610d85b593dafc7f8

SHA256
b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7

SHA512
ae9bc96b9c61fe7c9ea8fbc703e2227cc76599ec0cb5753b4be9d7915f6d553f21eea9abc14e55a2266f0df58db4ac6fdccc2bced659c4eb0ddeb3afbad3d17c

Download Submit
C:\Windows\SysWOW64\fontanel.exe

Filesize
200KB

MD5
0a61b7b1f70d609f70161f4dce53d290

SHA1
a4b6610df7e4c92ea8777df610d85b593dafc7f8

SHA256
b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7

SHA512
ae9bc96b9c61fe7c9ea8fbc703e2227cc76599ec0cb5753b4be9d7915f6d553f21eea9abc14e55a2266f0df58db4ac6fdccc2bced659c4eb0ddeb3afbad3d17c

Download Submit
memory/744-143-0x0000000002B20000-0x0000000002B61000-memory.dmp

Filesize
260KB

Download
memory/2620-142-0x00000000006F0000-0x0000000000735000-memory.dmp

Filesize
276KB

Download
memory/4844-132-0x00000000009A0000-0x00000000009E5000-memory.dmp

Filesize
276KB

Download