Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 20:46
- Static task: static1
- Behavioral task: behavioral1
  Sample: 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
  Resource: win10v2004-20220901-en
General
- Target: 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
- Size: 788KB
- MD5: 4252062a013af0c7953e4d14fe646e93
- SHA1: ada3f9cf06008cba824e4bcda68f80da99d13893
- SHA256: 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
- SHA512: 83c9d4e85a378e8d02393315c480dac1e6fab024bb95717e8ef4a9598782e784539374b127836695a6722662d1dc74a54ddc54d6bf02fc2e7c2dcd1a810f6f89
- SSDEEP: 24576:UraCDwovMPVLs5pcMrQJ63f81b34B5O8f:4aSJMPJGrQJ6vYr4jO8f
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: work-toolz.click
- Port: 587
- Username: [email protected]
- Password: 3HLkst~=QzD3
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Executes dropped EXE (2 IoCs)
Processes:
- PID 4244 LocalNePRdcnFKm.exe
- PID 1036 LocalNePRdcnFKm.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (LocalNePRdcnFKm.exe)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (LocalNePRdcnFKm.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (LocalNePRdcnFKm.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (LocalNePRdcnFKm.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 59: api.ipify.org
- flow 60: api.ipify.org
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 4244 (LocalNePRdcnFKm.exe) set thread context of PID 1036 (LocalNePRdcnFKm.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies Internet Explorer settings
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
Modifies registry class (1 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe)
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes (distinct PIDs, with the number of recorded events):
- PID 3388 AcroRd32.exe (20 events)
- PID 4244 LocalNePRdcnFKm.exe (4 events)
- PID 1712 powershell.exe (3 events)
- PID 3268 powershell.exe (3 events)
- PID 1036 LocalNePRdcnFKm.exe (4 events)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 4244 LocalNePRdcnFKm.exe
- Token: SeDebugPrivilege, PID 3268 powershell.exe
- Token: SeDebugPrivilege, PID 1712 powershell.exe
- Token: SeDebugPrivilege, PID 1036 LocalNePRdcnFKm.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
- PID 3388 AcroRd32.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
- PID 3388 AcroRd32.exe (7 events)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID wrote to memory of target PID; distinct pairs with the number of recorded events):
- PID 2068 (5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe) wrote to memory of 4244 (LocalNePRdcnFKm.exe): 3 events
- PID 2068 (5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe) wrote to memory of 3388 (AcroRd32.exe): 3 events
- PID 3388 (AcroRd32.exe) wrote to memory of 3600 (RdrCEF.exe): 3 events
- PID 3600 (RdrCEF.exe) wrote to memory of 4444 (RdrCEF.exe): 41 events
- PID 3600 (RdrCEF.exe) wrote to memory of 4872 (RdrCEF.exe): 14 events
outlook_office_path (1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (LocalNePRdcnFKm.exe)

outlook_win_path (1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (LocalNePRdcnFKm.exe)
Processes (process tree; indentation shows parent/child relationship)

- PID 2068: C:\Users\Admin\AppData\Local\Temp\5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - PID 4244: C:\Users\Admin\AppData\LocalNePRdcnFKm.exe
    Command line: "C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1712: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 3268: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mrYHLrofvW.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 3812: C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mrYHLrofvW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp591C.tmp"
      Signatures: Creates scheduled task(s)
    - PID 1036: C:\Users\Admin\AppData\LocalNePRdcnFKm.exe
      Command line: "C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"
      Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
  - PID 3388: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalRguquifM_i.pdf"
    Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 3600: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Signatures: Suspicious use of WriteProcessMemory
      - PID 4444: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=39A2C16AE09F313C47B9FDCC0F29E230 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - PID 4872: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ABF0AE0BB585334FF8B5C480CF410F97 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ABF0AE0BB585334FF8B5C480CF410F97 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
      - PID 1268: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A3703B53589C5DFC8FB04C71BA058650 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - PID 4440: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=028AABA91F85814BB649FC4D5E435944 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=028AABA91F85814BB649FC4D5E435944 --renderer-client-id=5 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job /prefetch:1
      - PID 3076: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3D8863B1E97E35BAA499E4DCF256EDF --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - PID 4132: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BA01999CABB1EEE90B6C84147120ADE --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
- PID 1700: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalNePRdcnFKm.exe
  Filesize: 746KB
  MD5: cf358bc6184346eb189370a89efb4faa
  SHA1: 4cc15bf7e60150cce098c5e905702d3038996e46
  SHA256: 29e98316caac2dec3ca75404f4abe20a0f8a4ae82b9560e6db20c4ec76b6425b
  SHA512: 5c8b15c9d1b2f0075674ad34ee3f51ab1f6617b61170722aa91f9a35fca08522bca0d69955ecdc7f9baa0b88ca048160ad7ccf9aec6a27a3aae52f94df1c402f
- C:\Users\Admin\AppData\LocalRguquifM_i.pdf
  Filesize: 4KB
  MD5: 6ed5d6c645a65626a8722d0c9e63deba
  SHA1: 614cba83aff230d5500e93580a2a9bd06bc500ef
  SHA256: bc723b24c022a75063ce07bbb96bd8182621c8aea4a37cd3b6c02650b24ed78c
  SHA512: c6f97d4d9d05f6f130fc7754f274d820a30790f94e88119b052597cd85e752449455e15a6438d263059e75f3008862e92f9dfa2b7ac2fe1eb5fc56e6f5854a29
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 6e49ac8606438d7131040e7d43533142
  SHA1: 2abe7f4c486990766c9e388f1939270f808ae996
  SHA256: 89cb24723bc2aba40426bdc068e34316067f473e6b2bc2c9cd32c4c8791873ea
  SHA512: 2fc4ae44893f3062affda7dc6985b7336572551dbb13a2deff3e28ae75667e8004826f01f77e8ab5945de6ff41a3b93ebd1127cda6db1352ef1c0d9b41b5d2d1
- C:\Users\Admin\AppData\Local\Temp\tmp591C.tmp
  Filesize: 1KB
  MD5: b703e66ae137e40af1287a494a404bbe
  SHA1: 3859e378eb6090be7e0d161185b5ca5c66c56f14
  SHA256: 4d06b9d65b30226c34a4f9fd9f6bd8e93e733a1af3b02ce4db8c95baff18f922
  SHA512: 30e27f49a894fb6074721a273bf819923d1394839d7a83ab6c32ee3aeab529fb171eed1f0bc5faf6906b7d206eda718351b83a4fd0eb08f5a451c47a27c16042