Analysis
max time kernel: 133s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2023 04:29
Behavioral task: behavioral1
Sample: a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Resource: win7-20221111-en
General
Target: a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Size: 784KB
MD5: 0d564e476fc7812db303da40e79697d0
SHA1: 9b9ae661a250966a18e72ad98abf3d6e0e0d1e8b
SHA256: a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac
SHA512: 98a1747d2688cfeed81e4cfb461b7b4a55cd4943afa81169c8341f98c06846615c95dad82bd1d48f2434230c83faac6ea13f7bacafffcf9aca264ed25da84c4f
SSDEEP: 12288:4cW7KEZlPzCy37/J1lrOfUkKlKVWetkuk2QOXAdn8/b5ZdKebJ:0KiRzC01dtIVWetkuk9Owdn8lO
Malware Config (extracted)
Family: darkcomet
Botnet: Guest16
C2: 192.168.30.128:1604
Mutex: DC_MUTEX-888FBA9
InstallPath: MSDCSC\msdcsc.exe
gencode: p5UHrgxwHf0b
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 3768)
- YARA rule upx matched on:
  behavioral2/memory/4264-132-0x0000000000400000-0x0000000000559000-memory.dmp
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  behavioral2/memory/3768-137-0x0000000000400000-0x0000000000559000-memory.dmp
  behavioral2/memory/4264-138-0x0000000000400000-0x0000000000559000-memory.dmp
  behavioral2/memory/3768-142-0x0000000000400000-0x0000000000559000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandbox environments.
  Process: AcroRd32.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Modifies Internet Explorer settings
  Process: AcroRd32.exe
  Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
- Modifies registry class (1 IoC)
  Process: a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
  Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Process: AcroRd32.exe (PID 3756), 18 occurrences
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 4264 a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe, token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3768 msdcsc.exe, token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (1 IoC)
  Process: AcroRd32.exe (PID 3756)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Process: msdcsc.exe (PID 3768), 1 occurrence
  Process: AcroRd32.exe (PID 3756), 6 occurrences
- Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed to the distinct source -> target pairs)
  PID 4264 a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe wrote to memory of PID 3756 AcroRd32.exe
  PID 4264 a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe wrote to memory of PID 3768 msdcsc.exe
  PID 3756 AcroRd32.exe wrote to memory of PID 3040 RdrCEF.exe
  PID 3756 AcroRd32.exe wrote to memory of PID 3196 RdrCEF.exe
  PID 3040 RdrCEF.exe wrote to memory of PID 3508 RdrCEF.exe
  PID 3040 RdrCEF.exe wrote to memory of PID 2708 RdrCEF.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LABORATORIO MODULO 2 INFORMATION GATHERING.PDF"
    Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Signatures: Suspicious use of WriteProcessMemory
      - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1D25D30F5A33BD0EC714DAF26FFB2795 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8F5B414A37AF432C6A5CC297A87E5F5A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8F5B414A37AF432C6A5CC297A87E5F5A --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
      - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CA6FD45996DF72F7949A53A738A29CDE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CA6FD45996DF72F7949A53A738A29CDE --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
      - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5CEACAF3E45D28D88689E81E871C4BE --mojo-platform-channel-handle=1812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6580838B51FEA8B4FC6C2A4243438414 --mojo-platform-channel-handle=2684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D6AECC217511156FF73669E0B1E39846 --mojo-platform-channel-handle=2664 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\LABORATORIO MODULO 2 INFORMATION GATHERING.PDF
  Filesize: 450KB
  MD5: 444a1cbd3faa9c90d236295b0650e289
  SHA1: e6f6869dd333b41dcc02268ca92e08ad3df3987e
  SHA256: c483b276ae3bf9d48183e20a16675074884af61d0a684fdc71be9c74be50864d
  SHA512: b0e4eb5dbc22bfabb7e4f3fe2c1ae0d74d98fc6054975172848d936c37070a32e222c37718c5671ea423a1c57c298054d218844f5d84b31f67e1ad7b249f3f1c
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 784KB
  MD5: 0d564e476fc7812db303da40e79697d0
  SHA1: 9b9ae661a250966a18e72ad98abf3d6e0e0d1e8b
  SHA256: a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac
  SHA512: 98a1747d2688cfeed81e4cfb461b7b4a55cd4943afa81169c8341f98c06846615c95dad82bd1d48f2434230c83faac6ea13f7bacafffcf9aca264ed25da84c4f