adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53

General

Target

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe
Size

310KB
MD5

65c009ec4bc81ac1d4d3883974003b0a
SHA1

6ea8e112aee7e53d98dada520a25ef804a8f7399
SHA256

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53
SHA512

977062301afcdb9e3a588db7f7fd95bfb3b18c68bccd379f7f579cf4b3b823178beffc25faa248e9d3d9f7ef898116c96c08c927b649faa7110549d7d4ef064d
SSDEEP

6144:5yZcAuFcCf38XolyxnDFJ6VcRBha8wB9iLsU64XxrzEWekrBNYsLjZiT:gTOcCf6y05u/y+OrBNYsZiT

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\40929 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msweljyd.scr"	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

card4610468692679384 .execard4610468692679384.execard4610468692679384.exe

pid process

2584 card4610468692679384 .exe
2916 card4610468692679384.exe
1116 card4610468692679384.exe

pid	process
2584	card4610468692679384 .exe
2916	card4610468692679384.exe
1116	card4610468692679384.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.execard4610468692679384 .exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	card4610468692679384 .exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

card4610468692679384.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	card4610468692679384.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	card4610468692679384.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

card4610468692679384.exe

description pid process target process

PID 2916 set thread context of 1116 2916 card4610468692679384.exe card4610468692679384.exe
Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\msweljyd.scr svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2916 set thread context of 1116	2916	card4610468692679384.exe	card4610468692679384.exe

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\msweljyd.scr	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

card4610468692679384.exeAcroRd32.exe

pid	process
1116	card4610468692679384.exe
1116	card4610468692679384.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

card4610468692679384.execard4610468692679384.exe

pid process

2916 card4610468692679384.exe
2916 card4610468692679384.exe
1116 card4610468692679384.exe
1116 card4610468692679384.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2560 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

2560 AcroRd32.exe
2560 AcroRd32.exe
2560 AcroRd32.exe
2560 AcroRd32.exe
2560 AcroRd32.exe

pid	process
2916	card4610468692679384.exe
2916	card4610468692679384.exe
1116	card4610468692679384.exe
1116	card4610468692679384.exe

pid	process
2560	AcroRd32.exe

pid	process
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.execard4610468692679384 .execard4610468692679384.execard4610468692679384.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 420 wrote to memory of 2584	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 420 wrote to memory of 2584	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 420 wrote to memory of 2584	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 420 wrote to memory of 2560	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	AcroRd32.exe
PID 420 wrote to memory of 2560	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	AcroRd32.exe
PID 420 wrote to memory of 2560	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	AcroRd32.exe
PID 2584 wrote to memory of 2916	2584	card4610468692679384 .exe	card4610468692679384.exe
PID 2584 wrote to memory of 2916	2584	card4610468692679384 .exe	card4610468692679384.exe
PID 2584 wrote to memory of 2916	2584	card4610468692679384 .exe	card4610468692679384.exe
PID 2584 wrote to memory of 4588	2584	card4610468692679384 .exe	cmd.exe
PID 2584 wrote to memory of 4588	2584	card4610468692679384 .exe	cmd.exe
PID 2584 wrote to memory of 4588	2584	card4610468692679384 .exe	cmd.exe
PID 420 wrote to memory of 2900	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	cmd.exe
PID 420 wrote to memory of 2900	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	cmd.exe
PID 420 wrote to memory of 2900	420	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	cmd.exe
PID 2916 wrote to memory of 1116	2916	card4610468692679384.exe	card4610468692679384.exe
PID 2916 wrote to memory of 1116	2916	card4610468692679384.exe	card4610468692679384.exe
PID 2916 wrote to memory of 1116	2916	card4610468692679384.exe	card4610468692679384.exe
PID 1116 wrote to memory of 2204	1116	card4610468692679384.exe	svchost.exe
PID 1116 wrote to memory of 2204	1116	card4610468692679384.exe	svchost.exe
PID 1116 wrote to memory of 2204	1116	card4610468692679384.exe	svchost.exe
PID 2560 wrote to memory of 1236	2560	AcroRd32.exe	RdrCEF.exe
PID 2560 wrote to memory of 1236	2560	AcroRd32.exe	RdrCEF.exe
PID 2560 wrote to memory of 1236	2560	AcroRd32.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe
PID 1236 wrote to memory of 4696	1236	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe
"C:\Users\Admin\AppData\Local\Temp\adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:420

C:\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe
"C:\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
"C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
"C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\svchost.exe
C:\Windows\syswow64\svchost.exe
5⤵
- Adds policy Run key to start application
- Drops file in Program Files directory
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx001.cmd" "
3⤵
PID:4588

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\card4610468692679384.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BF147948D698863F91E7FF9DA17B4489 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BF147948D698863F91E7FF9DA17B4489 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4696

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D1F2262C1140D326142CCF7B11F4839E --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6CA87593B307C07D01CB055CF9B730FD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6CA87593B307C07D01CB055CF9B730FD --renderer-client-id=4 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3496

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EE155DFD04ABC2B3DCB321ED5BF5381A --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:480

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=433F1F55140D5E3793A893F11E40C94D --mojo-platform-channel-handle=2020 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1CCDEA38E171C7DC93D2290E59D3BED --mojo-platform-channel-handle=2784 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
300B

MD5
5d72968ba35b54618c9110174cf65484

SHA1
78d46908e84909c8ed2b7fade721973150a731d5

SHA256
6edd7ce4c1c67f7065577bae0de3b5b27e180f66938473774b4c9c078f8cc5cb

SHA512
a30f6d3d9b16222bf7e7bc70b2d63133d9f94e78925180e1f5dd7e19975f829e8d494ffc2900694786206634603ed76d43be41b863e2a94ad871d8bbaf049c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx001.cmd
Filesize
214B

MD5
d9cc48a8d6678fd22501a3123d0c283a

SHA1
6fa7511009febcb4cef0a04dbe776e63bace8730

SHA256
d25add1001eeefe8dc0c45c61536d6b232a164e2564a5b03f84dc49de9126eb5

SHA512
5e22ba77c90c9f538ee99095c1cfa44d303bca7e392c4efa7db112fdfa63b8ac31d8a11ca9491e44b0b9aa5a9e4b043b5c966d5d4a7f972582c49bfea87d6f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe
Filesize
177KB

MD5
d69f8ac047d601181cfb1f373db3bb7b

SHA1
eab4d288204dd5d0c9f554ee7a1c9943d0ebee40

SHA256
358d34ee9e3ec88d11c28ad6e56091d129377a05299f7117a32afc9df83c626f

SHA512
b362883db98b854bfbe180d1e9715115d16bd4c20e8a447d8540d88b1ec8f3ff562c7c28913e93efd109d6514de27cb45e9ed35e1e3f765b8657670588bd44cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe
Filesize
177KB

MD5
d69f8ac047d601181cfb1f373db3bb7b

SHA1
eab4d288204dd5d0c9f554ee7a1c9943d0ebee40

SHA256
358d34ee9e3ec88d11c28ad6e56091d129377a05299f7117a32afc9df83c626f

SHA512
b362883db98b854bfbe180d1e9715115d16bd4c20e8a447d8540d88b1ec8f3ff562c7c28913e93efd109d6514de27cb45e9ed35e1e3f765b8657670588bd44cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
Filesize
226KB

MD5
f51f595b416e370cc46f65c7e62c8a41

SHA1
67c2f5a5dc5b1a3f6d259e7065260c7caa0d50c9

SHA256
7c3d6a21af2d9f20b71f61565c772a5aaa0c38613a5bb836b80b3578f46b7301

SHA512
f26a99f8229cbdf7551851e96fdb72b28c919fb3492556604b695dee4565c813d6964f168c0ce3ab00da2a9b34df8c9f0212a9919a033b21f60a46537c8569c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
Filesize
226KB

MD5
f51f595b416e370cc46f65c7e62c8a41

SHA1
67c2f5a5dc5b1a3f6d259e7065260c7caa0d50c9

SHA256
7c3d6a21af2d9f20b71f61565c772a5aaa0c38613a5bb836b80b3578f46b7301

SHA512
f26a99f8229cbdf7551851e96fdb72b28c919fb3492556604b695dee4565c813d6964f168c0ce3ab00da2a9b34df8c9f0212a9919a033b21f60a46537c8569c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
Filesize
226KB

MD5
f51f595b416e370cc46f65c7e62c8a41

SHA1
67c2f5a5dc5b1a3f6d259e7065260c7caa0d50c9

SHA256
7c3d6a21af2d9f20b71f61565c772a5aaa0c38613a5bb836b80b3578f46b7301

SHA512
f26a99f8229cbdf7551851e96fdb72b28c919fb3492556604b695dee4565c813d6964f168c0ce3ab00da2a9b34df8c9f0212a9919a033b21f60a46537c8569c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384.pdf
Filesize
80KB

MD5
e171debd0d6749cc61cf836f0f80bc29

SHA1
c67d404ef98dd7dc81e6e8b7d25cd12be98bed5b

SHA256
dc46b6b468eee7f2feeb3c3f1757d31a92345ceb5aa3bed5633cb149c96475e2

SHA512
b2d2eeabd89b912bd2bc72efa2381c8d32d47f315b007125405e7aef5ff98936fc47312dd4d42473b96374c8af281497a9275e2d113ded924e6ec8d3721de8cd

Download Submit
memory/480-165-0x0000000000000000-mapping.dmp

Download
memory/1116-146-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1116-143-0x0000000000000000-mapping.dmp

Download
memory/1236-150-0x0000000000000000-mapping.dmp

Download
memory/2204-147-0x0000000000020000-0x000000000002E000-memory.dmp

Filesize
56KB

Download
memory/2204-145-0x0000000000000000-mapping.dmp

Download
memory/2204-173-0x0000000000E10000-0x0000000000E15000-memory.dmp

Filesize
20KB

Download
memory/2204-148-0x0000000000E10000-0x0000000000E15000-memory.dmp

Filesize
20KB

Download
memory/2560-135-0x0000000000000000-mapping.dmp

Download
memory/2584-132-0x0000000000000000-mapping.dmp

Download
memory/2592-171-0x0000000000000000-mapping.dmp

Download
memory/2900-140-0x0000000000000000-mapping.dmp

Download
memory/2916-136-0x0000000000000000-mapping.dmp

Download
memory/3484-156-0x0000000000000000-mapping.dmp

Download
memory/3496-160-0x0000000000000000-mapping.dmp

Download
memory/4128-168-0x0000000000000000-mapping.dmp

Download
memory/4588-139-0x0000000000000000-mapping.dmp

Download
memory/4696-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads