e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59

General

Target

e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe
Size

415KB
MD5

0bb3ffc4d6acd1e4bb2c0699bfe5d6e4
SHA1

613d57217ef99242fd58a53f8a231a1b40e03fcc
SHA256

e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59
SHA512

5dfd6ac9a6140f353dccc062c1fa0ddc7165a024f4b797ce64156da70dbdb3e89a5e143855959e0afd86ed7dc92e318ef172039feb42e563ff88edcc29b5df60
SSDEEP

6144:uHICZ9i1D3MCn/ucvB/HJ5vo9pcfJJicIn0fJYzfannM+MywwfoyO1EETXlCMzZ:uHICZ9iSCnm8B/Hw9pnn0fwSnn1uTXlF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Gl.exean.exe

pid process

916 Gl.exe
1688 an.exe

pid	process
916	Gl.exe
1688	an.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exeWScript.execmd.exeGl.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Gl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

Processes:

e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exeGl.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	Gl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3468 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

3468 AcroRd32.exe
3468 AcroRd32.exe
3468 AcroRd32.exe
3468 AcroRd32.exe
3468 AcroRd32.exe
3468 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exeWScript.execmd.exeGl.exeWScript.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4752 wrote to memory of 1096	4752	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 4752 wrote to memory of 1096	4752	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 4752 wrote to memory of 1096	4752	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 4752 wrote to memory of 3860	4752	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 4752 wrote to memory of 3860	4752	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 4752 wrote to memory of 3860	4752	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 3860 wrote to memory of 916	3860	WScript.exe	Gl.exe
PID 3860 wrote to memory of 916	3860	WScript.exe	Gl.exe
PID 3860 wrote to memory of 916	3860	WScript.exe	Gl.exe
PID 3860 wrote to memory of 2116	3860	WScript.exe	cmd.exe
PID 3860 wrote to memory of 2116	3860	WScript.exe	cmd.exe
PID 3860 wrote to memory of 2116	3860	WScript.exe	cmd.exe
PID 2116 wrote to memory of 3468	2116	cmd.exe	AcroRd32.exe
PID 2116 wrote to memory of 3468	2116	cmd.exe	AcroRd32.exe
PID 2116 wrote to memory of 3468	2116	cmd.exe	AcroRd32.exe
PID 916 wrote to memory of 2240	916	Gl.exe	WScript.exe
PID 916 wrote to memory of 2240	916	Gl.exe	WScript.exe
PID 916 wrote to memory of 2240	916	Gl.exe	WScript.exe
PID 2240 wrote to memory of 4708	2240	WScript.exe	cmd.exe
PID 2240 wrote to memory of 4708	2240	WScript.exe	cmd.exe
PID 2240 wrote to memory of 4708	2240	WScript.exe	cmd.exe
PID 4708 wrote to memory of 1688	4708	cmd.exe	an.exe
PID 4708 wrote to memory of 1688	4708	cmd.exe	an.exe
PID 4708 wrote to memory of 1688	4708	cmd.exe	an.exe
PID 3468 wrote to memory of 2972	3468	AcroRd32.exe	RdrCEF.exe
PID 3468 wrote to memory of 2972	3468	AcroRd32.exe	RdrCEF.exe
PID 3468 wrote to memory of 2972	3468	AcroRd32.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe
PID 2972 wrote to memory of 3396	2972	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe
"C:\Users\Admin\AppData\Local\Temp\e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752
- C:\WINDOWS\SysWOW64\cmd.exe
  "C:\WINDOWS\system32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\out.gif out.js
  2⤵
  PID:1096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\out.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\Gl.exe
    "C:\Users\Admin\AppData\Local\Temp\Gl.exe" -pGlue1 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inside.js"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\an.exe -dC:\Users\Admin\AppData\Local\Temp
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Users\Admin\AppData\Local\Temp\an.exe
        
        C:\Users\Admin\AppData\Local\Temp\an.exe -dC:\Users\Admin\AppData\Local\Temp
        6⤵
        Executes dropped EXE
        
        PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf"
      4⤵
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D7E1B0325BFEB7B9A308DA16B8158587 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:3396
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=57085ABD896AB2FC3039EC304E14523D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=57085ABD896AB2FC3039EC304E14523D --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:4140
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3DF0A302B2D3190C4BCECF062F2FF31C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3DF0A302B2D3190C4BCECF062F2FF31C --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:3644
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2C865F281D63BDCE1483AF1CF7EA120A --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:2472
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=043382A3274C7F968DF96F7A4020AF18 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4280
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=462D1CCCF7242C0BFF4502A7042F09D5 --mojo-platform-channel-handle=2780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:3928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gl.exe

Filesize
282KB

MD5
45c5a25bb4add91fd4e8bc8a0c003977

SHA1
815d3cad4d6f0d39d17a3075c454c2089185afe9

SHA256
31c8b84f172d9977f6a204af31257f189bae5b9a7f3e425e57c504d410cd385d

SHA512
5e8c6c39a1c708042b647e04f3395e26ef846e377559778e59b64b7319308f5c32c50aca0d7634e57dd8f0cb20883265af30984516b630c757ffe4d5fd0fc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gl.exe

Filesize
282KB

MD5
45c5a25bb4add91fd4e8bc8a0c003977

SHA1
815d3cad4d6f0d39d17a3075c454c2089185afe9

SHA256
31c8b84f172d9977f6a204af31257f189bae5b9a7f3e425e57c504d410cd385d

SHA512
5e8c6c39a1c708042b647e04f3395e26ef846e377559778e59b64b7319308f5c32c50aca0d7634e57dd8f0cb20883265af30984516b630c757ffe4d5fd0fc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gl.png

Filesize
282KB

MD5
2ff306f691a4dd48e0e688e8a3e6e374

SHA1
7ec4b7c22d478c8aa47029eeb9c507a8ba6769cb

SHA256
f9cca52c9d840f3cfc8997e77a42ebc7640ea71f7729fa1782d8596a05ed963b

SHA512
0f7de7c99146ce8bf7165613cae06991153c2453fa775e6802b65f757c0aa1b097749e09e2981739e61749e3e43503a2b99cd810b6ad8e0d4cdd3bfd90a69375

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf

Filesize
9KB

MD5
998acb522b47bbfe95f9954d17aa9918

SHA1
e351952afc397d6e127784fe692cf4259e1c6189

SHA256
409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c

SHA512
be047cc246765384f0a484759849d75ac32edbfcd6d5f4a7b96e9a63f2afedd5ff5386db038885455f1736c450b57b9c2e9b9242b740c3560677a35432a3f760

Download Submit
C:\Users\Admin\AppData\Local\Temp\an.exe

Filesize
143KB

MD5
b30d8d55201cd988899c29bc01239085

SHA1
413ef22a404e433892bb0448f39e1d3594f3407e

SHA256
8a1279c890cbf622ed6f7fe3f087b4ce77c5acffeb60efaad44c57eba1c61794

SHA512
a7657a1afef81a81b2656f9da9890ed954185b8665d0e15e27f8331734055bcae54ad278254dd954acd1bbb6cc6e88fda86d7520fe3896da0e3a9d11958c4a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\an.exe

Filesize
143KB

MD5
b30d8d55201cd988899c29bc01239085

SHA1
413ef22a404e433892bb0448f39e1d3594f3407e

SHA256
8a1279c890cbf622ed6f7fe3f087b4ce77c5acffeb60efaad44c57eba1c61794

SHA512
a7657a1afef81a81b2656f9da9890ed954185b8665d0e15e27f8331734055bcae54ad278254dd954acd1bbb6cc6e88fda86d7520fe3896da0e3a9d11958c4a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\inside.js

Filesize
100B

MD5
1e7c8e75533812eabc488a16a924bb73

SHA1
3fcdc8292f73bb35610d64223f19208f6570af27

SHA256
6155c98419fa536481857f51a85db74ce04c3375dd0f1fd0d81d5f40d9e29ba7

SHA512
04215f67fe68c4d6beac03ed77eeec2ad7d4bc77be270f8f762c3877fa21b53d5bf46589bacd67cca0f827dda030af38198b98daadc5a85bacfb7e4dba5a2db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.gif

Filesize
900B

MD5
1938c5f7d1e343069723ea82e8805dca

SHA1
367834e08fcea13d45856680d461d6ad29ce7152

SHA256
50859a87a252222a4599e0235632e4530ca614aacf33d481e7ad644a1bdf7953

SHA512
f636093ad6810c0a066d0f76218b1aeb2b139379822b5a3e69f54b2d7c7f91ad404e56be34957fd75a4796bfcc39b25aea4a28c0048b11ddea63316b1d9c85fb

Download Submit
memory/916-136-0x0000000000000000-mapping.dmp

Download
memory/1096-132-0x0000000000000000-mapping.dmp

Download
memory/1688-145-0x0000000000000000-mapping.dmp

Download
memory/1688-168-0x00000000022C0000-0x00000000022F0000-memory.dmp

Filesize
192KB

Download
memory/1688-148-0x00000000022C0000-0x00000000022F0000-memory.dmp

Filesize
192KB

Download
memory/2116-139-0x0000000000000000-mapping.dmp

Download
memory/2240-141-0x0000000000000000-mapping.dmp

Download
memory/2472-164-0x0000000000000000-mapping.dmp

Download
memory/2972-149-0x0000000000000000-mapping.dmp

Download
memory/3396-151-0x0000000000000000-mapping.dmp

Download
memory/3468-143-0x0000000000000000-mapping.dmp

Download
memory/3644-159-0x0000000000000000-mapping.dmp

Download
memory/3860-134-0x0000000000000000-mapping.dmp

Download
memory/3928-171-0x0000000000000000-mapping.dmp

Download
memory/4140-154-0x0000000000000000-mapping.dmp

Download
memory/4280-167-0x0000000000000000-mapping.dmp

Download
memory/4708-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads