parallax | 94510c2d7148d7375fb511b7489a23d5fc37db9919f4569bfaec9ee913a87240

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8X/Code_Of_Conduct_-_2023(EN-US).exe
Size

3.1MB
MD5

e82211b4675c0f9d9bf66e4d8cc21f33
SHA1

752f2b5cd8212637c6bb33e103be01bf18abd1e0
SHA256

dfd6626c2da60e9af7b6a1fefa726056239aa675022542ca69e0cf7f3db35fe4
SHA512

92ff39ff6dadea5d98352d9ab6c4ba256a68a087b2030f1803b772f0f5f85723b450a7ce80b25361f16dfca47edca724868a26f11fce6050280a80c858cf6311
SSDEEP

24576:VcqJge1JYGhCP3dbTb2XShCFVshuhBcomEl+11sHLYx9ptbVT/QgI:myXALoh+KYVbVe

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 2 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/4020-136-0x0000000000400000-0x000000000071F000-memory.dmp	parallax_rat
behavioral2/memory/4020-161-0x0000000000400000-0x000000000071F000-memory.dmp	parallax_rat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Code_Of_Conduct_-_2023(EN-US).exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Search.exe.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Search.exe.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	Code_Of_Conduct_-_2023(EN-US).exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4020	Code_Of_Conduct_-_2023(EN-US).exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2592	Explorer.EXE
Token: SeCreatePagefilePrivilege	2592	Explorer.EXE
Token: SeShutdownPrivilege	2592	Explorer.EXE
Token: SeCreatePagefilePrivilege	2592	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4868	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe
4868	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4868	4020	Code_Of_Conduct_-_2023(EN-US).exe	81
PID 4020 wrote to memory of 4868	4020	Code_Of_Conduct_-_2023(EN-US).exe	81
PID 4020 wrote to memory of 4868	4020	Code_Of_Conduct_-_2023(EN-US).exe	81
PID 4020 wrote to memory of 2592	4020	Code_Of_Conduct_-_2023(EN-US).exe	54
PID 4868 wrote to memory of 1148	4868	AcroRd32.exe	82
PID 4868 wrote to memory of 1148	4868	AcroRd32.exe	82
PID 4868 wrote to memory of 1148	4868	AcroRd32.exe	82
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 1404	1148	RdrCEF.exe	85
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86
PID 1148 wrote to memory of 4324	1148	RdrCEF.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592
- C:\Users\Admin\AppData\Local\Temp\8X\Code_Of_Conduct_-_2023(EN-US).exe
  "C:\Users\Admin\AppData\Local\Temp\8X\Code_Of_Conduct_-_2023(EN-US).exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\wIZus.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91AEDB1AF0A58F7D762699CD8DE2F8A1 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1404
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=86C3683AC26ED16249EE19E980ABF49F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=86C3683AC26ED16249EE19E980ABF49F --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4324
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3530E3E31DBE251CB88170C1024DBD91 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3530E3E31DBE251CB88170C1024DBD91 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:3468
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EA31DE2ADD4E23C464642F38FC1E3C5D --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4460
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC3BA6CDD79038BE78A9045C1F9470D3 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1596
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B3D1D564A8BF0856413B54D3EED5B37C --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2476

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wIZus.pdf

Filesize
49KB

MD5
382efbf6edc46e188fcc021df4248d74

SHA1
dfffe4838fb329b6a3c3a455a82de4778e5818c2

SHA256
a41e8efc92d274a3b259f03e7a43432ac890765d33845f40ff447d23d92861d6

SHA512
d30f64636964fb31b55eaea2e13bca2453ea3dbc8fe21b6f1be2491d78d8edb619637a0927671496659fb339096ae984659500ac99f210472daab7e60f6ec555

Download Submit
memory/4020-136-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/4020-135-0x0000000002670000-0x0000000002813000-memory.dmp

Filesize
1.6MB

Download
memory/4020-132-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/4020-133-0x0000000002480000-0x00000000024FB000-memory.dmp

Filesize
492KB

Download
memory/4020-161-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/4020-162-0x0000000002480000-0x00000000024FB000-memory.dmp

Filesize
492KB

Download