ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1

General

Target

ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe
Size

453KB
MD5

77314eb3bb769d6cf61fed7425f947dc
SHA1

2f161be8a9a8668d4311d3d08ae244a0513872fc
SHA256

ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1
SHA512

82ca690e72a5a541c9939a04f9bf18906bdecdb0d8e681ef7774e813810d995641beb4f771af144d0e9231c39014ac056af02f39428c6b5e9bcbc68feb2fe6e2
SSDEEP

12288:JHICZ9iSCnm8B/Hw9pVKGCs64DVdZ3+8qFXTjQo:JoC7ijwFKlVadZ3+8qNQo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

sf.exeab.exe

pid process

3628 sf.exe
3552 ab.exe

pid	process
3628	sf.exe
3552	ab.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exeWScript.execmd.exesf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	sf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

Processes:

ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.execmd.exesf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	sf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4100 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

4100 AcroRd32.exe
4100 AcroRd32.exe
4100 AcroRd32.exe
4100 AcroRd32.exe
4100 AcroRd32.exe

pid	process
4100	AcroRd32.exe

pid	process
4100	AcroRd32.exe
4100	AcroRd32.exe
4100	AcroRd32.exe
4100	AcroRd32.exe
4100	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exeWScript.execmd.execmd.exesf.exeWScript.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 400 wrote to memory of 4504	400	ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe	cmd.exe
PID 400 wrote to memory of 4504	400	ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe	cmd.exe
PID 400 wrote to memory of 4504	400	ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe	cmd.exe
PID 400 wrote to memory of 4260	400	ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe	WScript.exe
PID 400 wrote to memory of 4260	400	ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe	WScript.exe
PID 400 wrote to memory of 4260	400	ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe	WScript.exe
PID 4260 wrote to memory of 5064	4260	WScript.exe	cmd.exe
PID 4260 wrote to memory of 5064	4260	WScript.exe	cmd.exe
PID 4260 wrote to memory of 5064	4260	WScript.exe	cmd.exe
PID 4260 wrote to memory of 1576	4260	WScript.exe	cmd.exe
PID 4260 wrote to memory of 1576	4260	WScript.exe	cmd.exe
PID 4260 wrote to memory of 1576	4260	WScript.exe	cmd.exe
PID 5064 wrote to memory of 3628	5064	cmd.exe	sf.exe
PID 5064 wrote to memory of 3628	5064	cmd.exe	sf.exe
PID 5064 wrote to memory of 3628	5064	cmd.exe	sf.exe
PID 1576 wrote to memory of 4100	1576	cmd.exe	AcroRd32.exe
PID 1576 wrote to memory of 4100	1576	cmd.exe	AcroRd32.exe
PID 1576 wrote to memory of 4100	1576	cmd.exe	AcroRd32.exe
PID 3628 wrote to memory of 4480	3628	sf.exe	WScript.exe
PID 3628 wrote to memory of 4480	3628	sf.exe	WScript.exe
PID 3628 wrote to memory of 4480	3628	sf.exe	WScript.exe
PID 4480 wrote to memory of 3552	4480	WScript.exe	ab.exe
PID 4480 wrote to memory of 3552	4480	WScript.exe	ab.exe
PID 4480 wrote to memory of 3552	4480	WScript.exe	ab.exe
PID 4100 wrote to memory of 3632	4100	AcroRd32.exe	RdrCEF.exe
PID 4100 wrote to memory of 3632	4100	AcroRd32.exe	RdrCEF.exe
PID 4100 wrote to memory of 3632	4100	AcroRd32.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe
PID 3632 wrote to memory of 1096	3632	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe
"C:\Users\Admin\AppData\Local\Temp\ddbc793dd86b285cf08c5f233d412030203667a9026f804f9e229771c490e8f1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:400

C:\WINDOWS\SysWOW64\cmd.exe
"C:\WINDOWS\system32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\outside.gif outside.js
2⤵
PID:4504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\outside.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\sf.exe -pGlue -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\sf.exe
C:\Users\Admin\AppData\Local\Temp\sf.exe -pGlue -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inside.js"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\ab.exe
"C:\Users\Admin\AppData\Local\Temp\ab.exe" -dC:\Users\Admin\AppData\Local\Temp
6⤵
- Executes dropped EXE
PID:3552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Shipping_Invoice.pdf -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping_Invoice.pdf"
4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C6E5DD20277399DCBACBBD34BE7CDD69 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C6E5DD20277399DCBACBBD34BE7CDD69 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
6⤵
PID:1096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=90639E4E59FB10FFB9024066C695DAB5 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:1672

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF1A62A033762EF9981C9D00ABBFDF5C --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:1360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D5E25FC111FC686EFE22078523A2FBAC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D5E25FC111FC686EFE22078523A2FBAC --renderer-client-id=5 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job /prefetch:1
6⤵
PID:2548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0CA5662CAB4C9E9684F23199322077C3 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:1592

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=15224C4AF0C3FD0266AA4938F144142A --mojo-platform-channel-handle=2400 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:1080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Shipping_Invoice.pdf

Filesize
9KB

MD5
998acb522b47bbfe95f9954d17aa9918

SHA1
e351952afc397d6e127784fe692cf4259e1c6189

SHA256
409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c

SHA512
be047cc246765384f0a484759849d75ac32edbfcd6d5f4a7b96e9a63f2afedd5ff5386db038885455f1736c450b57b9c2e9b9242b740c3560677a35432a3f760

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab.exe

Filesize
139KB

MD5
d7a7d31b679ef0b85847cc6001cd024f

SHA1
2a648ebc0a3acb54aa2a4a109936c3e84fc6cd39

SHA256
39af3f7f7a5f8cd5671fb83e122236070248361b284defa6476d5751f697ff66

SHA512
12d56566114d299ba3f38eebf0ffca1ce7c6ab5d12352dc23f89ae516194379992f098e7b2a5d53fc0c93fab17b512449894f82678c4391b4285cb1896c59741

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab.exe

Filesize
139KB

MD5
d7a7d31b679ef0b85847cc6001cd024f

SHA1
2a648ebc0a3acb54aa2a4a109936c3e84fc6cd39

SHA256
39af3f7f7a5f8cd5671fb83e122236070248361b284defa6476d5751f697ff66

SHA512
12d56566114d299ba3f38eebf0ffca1ce7c6ab5d12352dc23f89ae516194379992f098e7b2a5d53fc0c93fab17b512449894f82678c4391b4285cb1896c59741

Download Submit
C:\Users\Admin\AppData\Local\Temp\inside.js

Filesize
81B

MD5
60eb46dd81c28a274d8f2aef1bc557fa

SHA1
902d992c6b245a70a84632608122e976d561c09d

SHA256
df58a069bd5d2b98275dd124dc72de12ff5fccfb86eeb698c7a63ae9875da026

SHA512
1ded12c5aca377c289d412c6f8ed6903dbaaf5de3413b94cb8b57eef7913d84a3d115426267fa5e48e5277b902f67840a9362283d1cc6e8cb87648c2a8c20633

Download Submit
C:\Users\Admin\AppData\Local\Temp\outside.gif

Filesize
972B

MD5
0ee537f176cfd99964a85186db06d302

SHA1
77aa74fb3a14b56fe35964f4042f8d39dccf1684

SHA256
d7714fab24c3c172b2c3e9a0a6fd155deb4911c041528f4c0289b601f06a559f

SHA512
dbd7a68b30202301f6958f0c4927b010148a1877bbc02961dde8a65154ff9bfce421e375e859f6524b4b834af716e02271b221d58f5036f172c3529c5723c38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf.exe

Filesize
277KB

MD5
8716ac6ce445a226080763da7df57f00

SHA1
5e29e26b90b409041770236205f521e8722aa0df

SHA256
12850970a3b394cc59e88e4cb2a5ebf2319d4d5c27312ec7cd9d50188d83cd6c

SHA512
558e13f998da96164fa8fabee5e596dfb89b2492ff64b27d6ea873ff9eb6ac00cd1a33bfee55720351a20d6b26c65613474e2ff1c555faec8bec4447d4c0d354

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf.exe

Filesize
277KB

MD5
8716ac6ce445a226080763da7df57f00

SHA1
5e29e26b90b409041770236205f521e8722aa0df

SHA256
12850970a3b394cc59e88e4cb2a5ebf2319d4d5c27312ec7cd9d50188d83cd6c

SHA512
558e13f998da96164fa8fabee5e596dfb89b2492ff64b27d6ea873ff9eb6ac00cd1a33bfee55720351a20d6b26c65613474e2ff1c555faec8bec4447d4c0d354

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf.png

Filesize
277KB

MD5
c04a4315c0ba40acaee4c345304b9278

SHA1
edbe6baa536fdf0b1946df6d88e4004c8d32eb2b

SHA256
c017fea199a5182078c98d716697a31d90c80f13df8b610ef36fa1feff4051c7

SHA512
23c2b53feeaca042b2f3ac47d9dba820e4c57bad1f4c008087cd5937565a50cabb42ec08414bfb8a31897c4e93f6164dee02840289efbfd2ed4e78bb91b69271

Download Submit
memory/1080-170-0x0000000000000000-mapping.dmp

Download
memory/1096-151-0x0000000000000000-mapping.dmp

Download
memory/1360-159-0x0000000000000000-mapping.dmp

Download
memory/1576-137-0x0000000000000000-mapping.dmp

Download
memory/1592-167-0x0000000000000000-mapping.dmp

Download
memory/1672-154-0x0000000000000000-mapping.dmp

Download
memory/2548-162-0x0000000000000000-mapping.dmp

Download
memory/3552-146-0x0000000000000000-mapping.dmp

Download
memory/3552-148-0x0000000002670000-0x0000000002705000-memory.dmp

Filesize
596KB

Download
memory/3628-138-0x0000000000000000-mapping.dmp

Download
memory/3632-149-0x0000000000000000-mapping.dmp

Download
memory/4100-142-0x0000000000000000-mapping.dmp

Download
memory/4260-134-0x0000000000000000-mapping.dmp

Download
memory/4480-143-0x0000000000000000-mapping.dmp

Download
memory/4504-132-0x0000000000000000-mapping.dmp

Download
memory/5064-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads