1c3b271f968b45773005a216c6505f23066f4b54f2c3c7b3b000a83cdf20f041

Analysis

max time kernel
170s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c3b271f968b45773005a216c6505f23066f4b54f2c3c7b3b000a83cdf20f041.jar
Size

4.1MB
MD5

ec976b857d9e92c111868d9049c425e4
SHA1

c32760f9e7d37a800de227416744565403f4c70e
SHA256

1c3b271f968b45773005a216c6505f23066f4b54f2c3c7b3b000a83cdf20f041
SHA512

83d1c2061520580e96dee497ecf6a3c9c8af0ae88fe6157d203fddd43d5f4cacd1507d78e6f41b32570e03e1eee80e193826cb8c0f54c0643d686c9b494c065d
SSDEEP

98304:cHZztJVudVKkGxbbPsGQA9037qhLqbVe1pxmo6W9pTIgbyRsS:cHZzcXnGtb7XOmcVvnsIgO2S

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\debugger = "svchost.exe"	regedit.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1852	attrib.exe
1800	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaw = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Java TM\\Java.txt\""	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaw = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Java TM\\Java.txt\""	reg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Java TM\Desktop.ini	javaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Java TM\Desktop.ini	attrib.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\tem.txt	javaw.exe
File opened for modification	C:\Windows\tem.txt	javaw.exe
File created	C:\Windows\tem.txt	javaw.exe
File opened for modification	C:\Windows\tem.txt	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1964	reg.exe
3148	reg.exe
4104	reg.exe
4544	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3820	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4028	AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3184	java.exe
4312	javaw.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
1016	javaw.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4312	3184	java.exe	81
PID 3184 wrote to memory of 4312	3184	java.exe	81
PID 3184 wrote to memory of 4436	3184	java.exe	82
PID 3184 wrote to memory of 4436	3184	java.exe	82
PID 4436 wrote to memory of 4028	4436	cmd.exe	84
PID 4436 wrote to memory of 4028	4436	cmd.exe	84
PID 4436 wrote to memory of 4028	4436	cmd.exe	84
PID 4312 wrote to memory of 1964	4312	javaw.exe	86
PID 4312 wrote to memory of 1964	4312	javaw.exe	86
PID 4312 wrote to memory of 3148	4312	javaw.exe	87
PID 4312 wrote to memory of 3148	4312	javaw.exe	87
PID 4312 wrote to memory of 1852	4312	javaw.exe	88
PID 4312 wrote to memory of 1852	4312	javaw.exe	88
PID 4312 wrote to memory of 1800	4312	javaw.exe	91
PID 4312 wrote to memory of 1800	4312	javaw.exe	91
PID 4312 wrote to memory of 1016	4312	javaw.exe	94
PID 4312 wrote to memory of 1016	4312	javaw.exe	94
PID 1016 wrote to memory of 4104	1016	javaw.exe	95
PID 1016 wrote to memory of 4104	1016	javaw.exe	95
PID 1016 wrote to memory of 4544	1016	javaw.exe	98
PID 1016 wrote to memory of 4544	1016	javaw.exe	98
PID 4028 wrote to memory of 5024	4028	AcroRd32.exe	99
PID 4028 wrote to memory of 5024	4028	AcroRd32.exe	99
PID 4028 wrote to memory of 5024	4028	AcroRd32.exe	99
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102
PID 5024 wrote to memory of 4996	5024	RdrCEF.exe	102

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1852	attrib.exe
1800	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1c3b271f968b45773005a216c6505f23066f4b54f2c3c7b3b000a83cdf20f041.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\asdqw1940938520763295607013.jar"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Java TM\Java.txt\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1964
- - C:\Windows\SYSTEM32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /f
    3⤵
    - Modifies registry key
    PID:3148
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Java TM\*.*"
    3⤵
    - Sets file to hidden
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
    PID:1852
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Java TM"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1800
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Java TM\Java.txt"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SYSTEM32\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Java TM\Java.txt\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4104
  - - C:\Windows\SYSTEM32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /f
      4⤵
      Modifies registry key
      PID:4544
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor1575673011994649633.reg
      4⤵
      PID:3912
    - - C:\Windows\regedit.exe
        
        regedit /s C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor1575673011994649633.reg
        5⤵
        Sets file execution options in registry
        Runs .reg file with regedit
        
        PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw32455406211606014311payment_reminder.pdf
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\asdqw32455406211606014311payment_reminder.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1CE52865B075D49620B5F0C392376927 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4996
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D19E488AA46CA226D9EB4A5B0651FC62 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D19E488AA46CA226D9EB4A5B0651FC62 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:1112
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C70AE52E5694DF28DAF4A0CCF666238E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C70AE52E5694DF28DAF4A0CCF666238E --renderer-client-id=4 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4516
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09CCD37B954A13929FC3619A90040D7C --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4212
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4A2B68AF3812BFE05A28155BE8D5A09A --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:5048
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5BEF5DEEE8632BF7D21EF0A845D2E2E --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
ccf2ec172a9fb9d2d7872b1f8a2e3dce

SHA1
42caeb45cfb4635dfb409127279752648964b546

SHA256
91ea69acc811b2b4b2b3b0a1b629c49c9c054c61f67c8a2d7140570ad6f5a3d8

SHA512
18bcde95e2fbcef4d2a689f2fcc83de796f0a2eca60557516fc0105b8a2553df2ce2ce6fdbc512357c88e0725192d75ab1b64b532fd84ac55341ebe519b7f773

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
7dac57877154a29be89fb8e878d1ac3f

SHA1
e552d6d901d0cc55fe967edb2d71923225933f1e

SHA256
877572bfa3baf74c7581f35ac773defd7c14ba8275efd4db224f5625f8a487ac

SHA512
581e4d2813801c55043d4995497723ca888d53ecae4c30e1b90695c8dac3381f7fc56137432befaf81e64fa983092fe0001cd0107b6af7cbca56485fe9fbfb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor1575673011994649633.reg

Filesize
286B

MD5
027357aa9efa48678191245d3f6f63b9

SHA1
f26d3d51af209f29ee480a7624d67f094bcc927a

SHA256
4cfa4a95f63dad7450eaa5ac7cfd2842fbb7cc87ef1cd80e28ee3966cf23c4bc

SHA512
a8bf351eb4a77e727ea4b17550502de041b72d866b8231a897c2261e33f92d8e2f65ac593f76e911577240b583bc6c8d65dde3945d228da3a1457dd3db49c205

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw1940938520763295607013.jar

Filesize
47KB

MD5
6f705ddb7b6e05abaa659642c569d7ed

SHA1
53227c1b29ed8290263fc9bdccaaf7a03ec6aba2

SHA256
4f2aefa4c0b242741f3d32f65969e595859fadb8929f95e9c1195daef8172fa0

SHA512
8ae341008fde4f9d08b8884b993e7ddbda6821099668d932385649b00c30b24cc934637389f7b70615b6a5a0e3614185da4c3049b7f5a7fb18858b158f31a065

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw32455406211606014311payment_reminder.pdf

Filesize
4.3MB

MD5
a21d2a19a4c66cce8e4d7975604dfac7

SHA1
ce77aa7b9f3af5f091c0fa18ae18f310bd89df85

SHA256
634dafa7a5591d5425b4fa4e46d71f429aba805972b605f8576df57241901eaf

SHA512
b5d72080e52af8706a04e7fdebc34d46a6713848330566a3f441fc1d84f13da036a082dd08c6a2dfc3154d1780a7f81afd6461c554aee8dae15ffc1eef7ad161

Download Submit
C:\Users\Admin\AppData\Roaming\Java TM\Desktop.ini

Filesize
63B

MD5
e783bdd20a976eaeaae1ff4624487420

SHA1
c2a44fab9df00b3e11582546b16612333c2f9286

SHA256
2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3

SHA512
8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80

Download Submit
C:\Users\Admin\AppData\Roaming\Java TM\Java.txt

Filesize
47KB

MD5
6f705ddb7b6e05abaa659642c569d7ed

SHA1
53227c1b29ed8290263fc9bdccaaf7a03ec6aba2

SHA256
4f2aefa4c0b242741f3d32f65969e595859fadb8929f95e9c1195daef8172fa0

SHA512
8ae341008fde4f9d08b8884b993e7ddbda6821099668d932385649b00c30b24cc934637389f7b70615b6a5a0e3614185da4c3049b7f5a7fb18858b158f31a065

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2295526160-1155304984-640977766-1000\83aa4cc77f591dfc2374580bbd95f6ba_4b401a7f-b7c1-4c1c-a9cf-2b1aa260545d

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/1016-178-0x00000000027E0000-0x00000000037E0000-memory.dmp

Filesize
16.0MB

Download
memory/1016-210-0x00000000027E0000-0x00000000037E0000-memory.dmp

Filesize
16.0MB

Download
memory/1016-165-0x0000000000000000-mapping.dmp

Download
memory/1112-186-0x0000000000000000-mapping.dmp

Download
memory/1800-162-0x0000000000000000-mapping.dmp

Download
memory/1852-161-0x0000000000000000-mapping.dmp

Download
memory/1964-158-0x0000000000000000-mapping.dmp

Download
memory/3148-159-0x0000000000000000-mapping.dmp

Download
memory/3184-134-0x0000000002E50000-0x0000000003E50000-memory.dmp

Filesize
16.0MB

Download
memory/3432-205-0x0000000000000000-mapping.dmp

Download
memory/3820-208-0x0000000000000000-mapping.dmp

Download
memory/3912-206-0x0000000000000000-mapping.dmp

Download
memory/4028-160-0x0000000000000000-mapping.dmp

Download
memory/4104-179-0x0000000000000000-mapping.dmp

Download
memory/4212-196-0x0000000000000000-mapping.dmp

Download
memory/4312-157-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/4312-155-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/4312-142-0x0000000000000000-mapping.dmp

Download
memory/4436-146-0x0000000000000000-mapping.dmp

Download
memory/4516-191-0x0000000000000000-mapping.dmp

Download
memory/4544-180-0x0000000000000000-mapping.dmp

Download
memory/4996-183-0x0000000000000000-mapping.dmp

Download
memory/5024-181-0x0000000000000000-mapping.dmp

Download
memory/5048-199-0x0000000000000000-mapping.dmp

Download