cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674

Analysis

max time kernel
111s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe
Size

637KB
MD5

96513715fb7a2bea6fe9c33f66ee93e6
SHA1

daf1231b7a959a73a7e4dd0ae27613a27de6cd5c
SHA256

cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674
SHA512

d8c398c923ab68d0dbc3fdc777a85a82fa99494caa9c9228f5e4ca1fba846a38ad49ef5f03022ad45d4e492225903b6895e693f03bd0d0f927625fed7f3215bb
SSDEEP

12288:6TOcCf6y0gE59We9WE7u7LW3q4/tDqOQGNgTPO1Z7+EzU9BnDy9vrhgj:6TOpsgE59WoP7uXW3NFDqOQGe6iEY9NB

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\15125 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mszahusm.com"	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
4752	claimcodeA2WQJJQQ .exe
4028	claimcodeA2WQJJQQ.exe
2700	claimcodeA2WQJJQQ.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	claimcodeA2WQJJQQ .exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	claimcodeA2WQJJQQ.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	claimcodeA2WQJJQQ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 2700	4028	claimcodeA2WQJJQQ.exe	91

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\mszahusm.com	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2700	claimcodeA2WQJJQQ.exe
2700	claimcodeA2WQJJQQ.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4028	claimcodeA2WQJJQQ.exe
4028	claimcodeA2WQJJQQ.exe
2700	claimcodeA2WQJJQQ.exe
2700	claimcodeA2WQJJQQ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2236	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe
2236	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4752	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	79
PID 3628 wrote to memory of 4752	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	79
PID 3628 wrote to memory of 4752	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	79
PID 3628 wrote to memory of 2236	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	80
PID 3628 wrote to memory of 2236	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	80
PID 3628 wrote to memory of 2236	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	80
PID 3628 wrote to memory of 2088	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	81
PID 3628 wrote to memory of 2088	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	81
PID 3628 wrote to memory of 2088	3628	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	81
PID 4752 wrote to memory of 4028	4752	claimcodeA2WQJJQQ .exe	83
PID 4752 wrote to memory of 4028	4752	claimcodeA2WQJJQQ .exe	83
PID 4752 wrote to memory of 4028	4752	claimcodeA2WQJJQQ .exe	83
PID 4752 wrote to memory of 3384	4752	claimcodeA2WQJJQQ .exe	84
PID 4752 wrote to memory of 3384	4752	claimcodeA2WQJJQQ .exe	84
PID 4752 wrote to memory of 3384	4752	claimcodeA2WQJJQQ .exe	84
PID 2236 wrote to memory of 4864	2236	AcroRd32.exe	86
PID 2236 wrote to memory of 4864	2236	AcroRd32.exe	86
PID 2236 wrote to memory of 4864	2236	AcroRd32.exe	86
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 4316	4864	RdrCEF.exe	89
PID 4864 wrote to memory of 2728	4864	RdrCEF.exe	90
PID 4864 wrote to memory of 2728	4864	RdrCEF.exe	90
PID 4864 wrote to memory of 2728	4864	RdrCEF.exe	90
PID 4864 wrote to memory of 2728	4864	RdrCEF.exe	90
PID 4864 wrote to memory of 2728	4864	RdrCEF.exe	90

C:\Users\Admin\AppData\Local\Temp\cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe
"C:\Users\Admin\AppData\Local\Temp\cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe
  "C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe
    "C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe
      "C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2700
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\syswow64\svchost.exe
        5⤵
        Adds policy Run key to start application
        Drops file in Program Files directory
        
        PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx001.cmd" "
    3⤵
    PID:3384
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C71CAD3070C76EB8B64568F79AF636B7 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4316
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AE3232491697A996536089571C1344A9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AE3232491697A996536089571C1344A9 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2728
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0FFD57FA25F4894F30D866E081ACB7E6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0FFD57FA25F4894F30D866E081ACB7E6 --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1568
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A748BB9B74F6B03AA838B1524DB21CAE --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1364
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5312E33F6D9D4E187E822908A4B51511 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2792
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=67CC9E41B07353C4A63886DA39D1B584 --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:2088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
a610329c8f1f9d4dc2658469867f0e4d

SHA1
21b4f3b011abd4444c2e26408f3697c5392182e8

SHA256
f7943de4303aadeaa77dd18c871d06f9a5e02258cf694476ac4da883a9281b26

SHA512
1226de2836e06192316bede29eac6811847313eaa1bc3b4555e0b0003781b7603ed981e32faf770e586d375f516bed65f7fcfe42514856e26c1e2a82264a83b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx001.cmd

Filesize
208B

MD5
b840731bfea38bd1b40c8f57a947c6d4

SHA1
83e3667db26ca11d83c860bf8b188072ea7cbfa9

SHA256
acd3157e473f1983cc17fe3cc58d52c86d9cfe21a7db06c09acf69e6eae8b769

SHA512
0d2d71b6f727d1a888ca52b03b2862e740ace21f9c9ab56ae2a4e012e93b99f0cb9a822c639fee087897dc0ad972d6409f316ae6960771bf0c60ea6df5de8df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe

Filesize
382KB

MD5
70c95e309491bab951a37e404ea318e1

SHA1
dd0db1b297ee1eeaf8e21cafaaf71a19faec9761

SHA256
1f5d7ea129eed58d921d19155bde79ad8ad3eb588ca1473eefcdcc6b31d8a7ad

SHA512
787dee92614db5827441438bec6e08666bb4b476f419c18fe93c886217efe077e27f1b2cdc8bed8e49f42453137ce5e4a6b4392e752774ce2683d8c59bc7a1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe

Filesize
382KB

MD5
70c95e309491bab951a37e404ea318e1

SHA1
dd0db1b297ee1eeaf8e21cafaaf71a19faec9761

SHA256
1f5d7ea129eed58d921d19155bde79ad8ad3eb588ca1473eefcdcc6b31d8a7ad

SHA512
787dee92614db5827441438bec6e08666bb4b476f419c18fe93c886217efe077e27f1b2cdc8bed8e49f42453137ce5e4a6b4392e752774ce2683d8c59bc7a1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.pdf

Filesize
214KB

MD5
6846a7512960c54202273b0c64ee967c

SHA1
3c0ae1ddd1b95973106ee304389d00b327be390c

SHA256
de15835aa390235e0d44f338384608834ec3436eaabcae727760daef69d43e2f

SHA512
a97b2b3e73a2a3f89f3778cccb8027094631a77e04e172e25228e34df8bba93d9eff5568073bc406500e28fac494a7a647a422bd2894d536d11558e64ea1394d

Download Submit
memory/2700-158-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4028-155-0x00000000006A0000-0x00000000006A5000-memory.dmp

Filesize
20KB

Download
memory/4612-168-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/4612-169-0x00000000009B0000-0x00000000009B5000-memory.dmp

Filesize
20KB

Download
memory/4612-174-0x00000000009B0000-0x00000000009B5000-memory.dmp

Filesize
20KB

Download