6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5

General

Target

6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe
Size

426KB
MD5

36f05fc6e1353917655db1b5a98341bd
SHA1

dd5f29c01d639a91452fcd44f39cd33414a93e34
SHA256

6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5
SHA512

c2705508fe81e1c3896d0b65acd7a69afd8161dfff616b2f29dcba50203ac44c8914ed3bd4eb785556729085e5fba2830e2474464fbb947c2889ddcd1b069d0c
SSDEEP

12288:uHICZ9iSCnm8B/Hw9pnn0fwSnn1uTXlgdVt:uoC7ijw3wpUrlgd/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Gl.exean.exe

pid process

756 Gl.exe
1744 an.exe

pid	process
756	Gl.exe
1744	an.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exeWScript.exeGl.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Gl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

Processes:

Gl.execmd.exe6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	Gl.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AcroRd32.exe

pid	process
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe
2360	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2360 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

2360 AcroRd32.exe
2360 AcroRd32.exe
2360 AcroRd32.exe
2360 AcroRd32.exe
2360 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exeWScript.exeGl.execmd.exeWScript.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4436 wrote to memory of 1036	4436	6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe	cmd.exe
PID 4436 wrote to memory of 1036	4436	6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe	cmd.exe
PID 4436 wrote to memory of 1036	4436	6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe	cmd.exe
PID 4436 wrote to memory of 3964	4436	6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe	WScript.exe
PID 4436 wrote to memory of 3964	4436	6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe	WScript.exe
PID 4436 wrote to memory of 3964	4436	6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe	WScript.exe
PID 3964 wrote to memory of 756	3964	WScript.exe	Gl.exe
PID 3964 wrote to memory of 756	3964	WScript.exe	Gl.exe
PID 3964 wrote to memory of 756	3964	WScript.exe	Gl.exe
PID 3964 wrote to memory of 4396	3964	WScript.exe	cmd.exe
PID 3964 wrote to memory of 4396	3964	WScript.exe	cmd.exe
PID 3964 wrote to memory of 4396	3964	WScript.exe	cmd.exe
PID 756 wrote to memory of 4240	756	Gl.exe	WScript.exe
PID 756 wrote to memory of 4240	756	Gl.exe	WScript.exe
PID 756 wrote to memory of 4240	756	Gl.exe	WScript.exe
PID 4396 wrote to memory of 2360	4396	cmd.exe	AcroRd32.exe
PID 4396 wrote to memory of 2360	4396	cmd.exe	AcroRd32.exe
PID 4396 wrote to memory of 2360	4396	cmd.exe	AcroRd32.exe
PID 4240 wrote to memory of 2136	4240	WScript.exe	cmd.exe
PID 4240 wrote to memory of 2136	4240	WScript.exe	cmd.exe
PID 4240 wrote to memory of 2136	4240	WScript.exe	cmd.exe
PID 2136 wrote to memory of 1744	2136	cmd.exe	an.exe
PID 2136 wrote to memory of 1744	2136	cmd.exe	an.exe
PID 2136 wrote to memory of 1744	2136	cmd.exe	an.exe
PID 2360 wrote to memory of 2676	2360	AcroRd32.exe	RdrCEF.exe
PID 2360 wrote to memory of 2676	2360	AcroRd32.exe	RdrCEF.exe
PID 2360 wrote to memory of 2676	2360	AcroRd32.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe
PID 2676 wrote to memory of 1236	2676	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe
"C:\Users\Admin\AppData\Local\Temp\6e8f3c2bfc537726a90b7fe7e3f4cf6f5b73a8389ed4d9caf241829350d70aa5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436

C:\WINDOWS\SysWOW64\cmd.exe
"C:\WINDOWS\system32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\out.gif out.js
2⤵
PID:1036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\out.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\Gl.exe
"C:\Users\Admin\AppData\Local\Temp\Gl.exe" -pGlue1 -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inside.js"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\an.exe -dC:\Users\Admin\AppData\Local\Temp
5⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\an.exe
C:\Users\Admin\AppData\Local\Temp\an.exe -dC:\Users\Admin\AppData\Local\Temp
6⤵
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf"
4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5459B956758513B7016D13CBFE48AD14 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:1236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=471A6340E78439EF78D3511BB0595761 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=471A6340E78439EF78D3511BB0595761 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
6⤵
PID:2196

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DD58BD8A1EDDF59B12FA4550DDFA671B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DD58BD8A1EDDF59B12FA4550DDFA671B --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
6⤵
PID:2332

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=026AF156420E5DF7B4E0F54C23F46219 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:2516

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=04B47B72ECA09C8F8BFB7C19B7931109 --mojo-platform-channel-handle=2660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:4172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09E28B97B66F061B548CC3A4B15CDBEE --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gl.exe
Filesize
282KB

MD5
45c5a25bb4add91fd4e8bc8a0c003977

SHA1
815d3cad4d6f0d39d17a3075c454c2089185afe9

SHA256
31c8b84f172d9977f6a204af31257f189bae5b9a7f3e425e57c504d410cd385d

SHA512
5e8c6c39a1c708042b647e04f3395e26ef846e377559778e59b64b7319308f5c32c50aca0d7634e57dd8f0cb20883265af30984516b630c757ffe4d5fd0fc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gl.exe
Filesize
282KB

MD5
45c5a25bb4add91fd4e8bc8a0c003977

SHA1
815d3cad4d6f0d39d17a3075c454c2089185afe9

SHA256
31c8b84f172d9977f6a204af31257f189bae5b9a7f3e425e57c504d410cd385d

SHA512
5e8c6c39a1c708042b647e04f3395e26ef846e377559778e59b64b7319308f5c32c50aca0d7634e57dd8f0cb20883265af30984516b630c757ffe4d5fd0fc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gl.png
Filesize
282KB

MD5
2ff306f691a4dd48e0e688e8a3e6e374

SHA1
7ec4b7c22d478c8aa47029eeb9c507a8ba6769cb

SHA256
f9cca52c9d840f3cfc8997e77a42ebc7640ea71f7729fa1782d8596a05ed963b

SHA512
0f7de7c99146ce8bf7165613cae06991153c2453fa775e6802b65f757c0aa1b097749e09e2981739e61749e3e43503a2b99cd810b6ad8e0d4cdd3bfd90a69375

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf
Filesize
9KB

MD5
998acb522b47bbfe95f9954d17aa9918

SHA1
e351952afc397d6e127784fe692cf4259e1c6189

SHA256
409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c

SHA512
be047cc246765384f0a484759849d75ac32edbfcd6d5f4a7b96e9a63f2afedd5ff5386db038885455f1736c450b57b9c2e9b9242b740c3560677a35432a3f760

Download Submit
C:\Users\Admin\AppData\Local\Temp\an.exe
Filesize
143KB

MD5
b30d8d55201cd988899c29bc01239085

SHA1
413ef22a404e433892bb0448f39e1d3594f3407e

SHA256
8a1279c890cbf622ed6f7fe3f087b4ce77c5acffeb60efaad44c57eba1c61794

SHA512
a7657a1afef81a81b2656f9da9890ed954185b8665d0e15e27f8331734055bcae54ad278254dd954acd1bbb6cc6e88fda86d7520fe3896da0e3a9d11958c4a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\an.exe
Filesize
143KB

MD5
b30d8d55201cd988899c29bc01239085

SHA1
413ef22a404e433892bb0448f39e1d3594f3407e

SHA256
8a1279c890cbf622ed6f7fe3f087b4ce77c5acffeb60efaad44c57eba1c61794

SHA512
a7657a1afef81a81b2656f9da9890ed954185b8665d0e15e27f8331734055bcae54ad278254dd954acd1bbb6cc6e88fda86d7520fe3896da0e3a9d11958c4a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\inside.js
Filesize
100B

MD5
1e7c8e75533812eabc488a16a924bb73

SHA1
3fcdc8292f73bb35610d64223f19208f6570af27

SHA256
6155c98419fa536481857f51a85db74ce04c3375dd0f1fd0d81d5f40d9e29ba7

SHA512
04215f67fe68c4d6beac03ed77eeec2ad7d4bc77be270f8f762c3877fa21b53d5bf46589bacd67cca0f827dda030af38198b98daadc5a85bacfb7e4dba5a2db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.gif
Filesize
900B

MD5
1938c5f7d1e343069723ea82e8805dca

SHA1
367834e08fcea13d45856680d461d6ad29ce7152

SHA256
50859a87a252222a4599e0235632e4530ca614aacf33d481e7ad644a1bdf7953

SHA512
f636093ad6810c0a066d0f76218b1aeb2b139379822b5a3e69f54b2d7c7f91ad404e56be34957fd75a4796bfcc39b25aea4a28c0048b11ddea63316b1d9c85fb

Download Submit
memory/756-136-0x0000000000000000-mapping.dmp

Download
memory/1036-132-0x0000000000000000-mapping.dmp

Download
memory/1236-152-0x0000000000000000-mapping.dmp

Download
memory/1744-144-0x0000000000000000-mapping.dmp

Download
memory/1744-149-0x00000000022E0000-0x0000000002310000-memory.dmp

Filesize
192KB

Download
memory/1744-148-0x00000000022E0000-0x0000000002310000-memory.dmp

Filesize
192KB

Download
memory/2136-143-0x0000000000000000-mapping.dmp

Download
memory/2196-155-0x0000000000000000-mapping.dmp

Download
memory/2332-160-0x0000000000000000-mapping.dmp

Download
memory/2360-147-0x0000000000000000-mapping.dmp

Download
memory/2516-165-0x0000000000000000-mapping.dmp

Download
memory/2676-150-0x0000000000000000-mapping.dmp

Download
memory/3544-171-0x0000000000000000-mapping.dmp

Download
memory/3964-134-0x0000000000000000-mapping.dmp

Download
memory/4172-168-0x0000000000000000-mapping.dmp

Download
memory/4240-140-0x0000000000000000-mapping.dmp

Download
memory/4396-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads