Resubmissions
- 16-02-2023 18:21  230216-wzrrhsaf91  score 10
- 07-02-2023 15:57  230207-tee6wace33  score 10
- 07-02-2023 15:36  230207-s11h9sff3w  score 10

Analysis
max time kernel: 214s
max time network: 289s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-02-2023 18:21
Static task: static1
Behavioral task: behavioral1
Sample: dot.exe
Resource: win7-20220812-en
Note: the task list shows behavioral1 on win7-20220812-en, but the analysis metadata above and the memory-dump IoCs below (behavioral2/...) belong to the Windows 10 run (win10v2004-20221111-en); the signatures and process tree on this page are from that run.
General
Target: dot.exe
Size: 3.4MB
MD5: ac88204b208f187a908c6a1148b7aee8
SHA1: 74b895683f51a69f1bce838ac174c019a796cb1a
SHA256: fc97b364bebaf6b1b4baa16e906b4b9f9f8604034f0b9df1f7deb0418f3d229e
SHA512: 2f5e6fff1f98403e987dd6a6a50df757604c8abe474d88143f04c6df6c8bfb4e62652f8f29f19acd834fd865998feaec4f03e2d9a48434ecb8c2cfad5e8e5e27
SSDEEP: 24576:7cqJge1JYGhCP3dbTb2XShCFVshuhBcomEl+11s3jYx9pcualicf2IZ:kyXALoh+eQEualt7Z
Malware Config
Signatures
ParallaxRat payload 7 IoCs
Detects the payload of Parallax RAT, a small portable RAT that is usually digitally signed with a Sectigo certificate.
YARA rule parallax_rat matched the following memory dumps. All seven cover the same range, 0x0000000000400000-0x0000000000778000 (the default 32-bit image base), in each of the three dot.exe instances (PIDs 3540, 1460 and 2804), i.e. the unpacked payload is found in the sample's own image region rather than in a foreign process:
- behavioral2/memory/3540-136-0x0000000000400000-0x0000000000778000-memory.dmp
- behavioral2/memory/3540-161-0x0000000000400000-0x0000000000778000-memory.dmp
- behavioral2/memory/3540-166-0x0000000000400000-0x0000000000778000-memory.dmp
- behavioral2/memory/1460-177-0x0000000000400000-0x0000000000778000-memory.dmp
- behavioral2/memory/1460-181-0x0000000000400000-0x0000000000778000-memory.dmp
- behavioral2/memory/2804-192-0x0000000000400000-0x0000000000778000-memory.dmp
- behavioral2/memory/2804-194-0x0000000000400000-0x0000000000778000-memory.dmp
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, most likely for a geofence (run only in, or never in, particular countries).
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, process dot.exe (3 occurrences, one per dot.exe instance in the process tree)
Drops startup file 2 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Search64.exe.exe, process DllHost.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Search64.exe.exe, process DllHost.exe
Note: the writer is DllHost.exe (PID 4472, a COM surrogate), not dot.exe. Taken together with dot.exe's write into Explorer.EXE's memory (WriteProcessMemory below), this is consistent with the Startup-folder persistence being performed through the shell rather than by the dropper directly. The doubled extension (Search64.exe.exe) is as reported and is a usable hunting string on its own.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's stock text calls this likely ransomware behaviour, but that is generic wording: no encryption or ransom-note signatures fired in this run and the in-memory payload is a RAT, so drive enumeration here is better read as host reconnaissance.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, process AcroRd32.exe (3 occurrences)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, process AcroRd32.exe (3 occurrences)
Note: every one of these reads is attributed to AcroRd32.exe, the legitimate Adobe Reader that each dot.exe instance launches on a PDF in %TEMP% (most plausibly a decoy document), not to dot.exe itself. Treat this signature as a benign hit from the viewer, not as evidence of sandbox evasion by the sample.

Modifies Internet Explorer settings 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION, process AcroRd32.exe
Modifies registry class 3 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings, process dot.exe (3 occurrences)
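The registry signatures above are only as useful as their attribution: the same key read by the sample and by a viewer the sample launched mean different things, and the SID-specific native paths the report prints are awkward to write rules against. The following is an added example (my code, not the report's or the Triage tooling's) that parses rows in the flattened form the report prints, normalises \REGISTRY\USER\<SID> and \REGISTRY\MACHINE to HKCU/HKLM so each rule is written once, matches the rows against a small rule table, and marks every hit as the sample's own behaviour or that of a launched application. The rows in SAMPLE_ROWS are transcribed from this report; the ATT&CK technique IDs in RULES are my mapping, not the report's.

```python
"""Classify registry IoCs from a sandbox report and attribute them per process.

Added example for this page (not the report's or the Triage tooling's code).
SAMPLE_ROWS is transcribed from the report's 'Key value queried' / 'Key opened' /
'Key created' rows; the ATT&CK technique IDs in RULES are this example's own mapping.
"""
import re
from collections import Counter

# Constructed sample: one IoC row per line, in the flattened form the report prints.
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation dot.exe
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation dot.exe
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation dot.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings dot.exe
"""

# <operation> <path with spaces> <process image>; the path never ends in a space,
# so the greedy group stops at the last separator before the image name.
ROW_RE = re.compile(r"^(Key value queried|Key opened|Key created) (.+) (\S+)$")
# \REGISTRY\USER\<SID> is HKCU for that user; the <SID>_Classes hive is what
# HKCU\Software\Classes maps to.
USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(_Classes)?", re.IGNORECASE)
MACHINE_PREFIX = "\\REGISTRY\\MACHINE"

# (pattern over the normalised path, label, ATT&CK technique or None).
# Technique IDs are this example's mapping, not the report's.
RULES = [
    (re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE),
     "location lookup (geofence)", "T1614"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\~MHz)?$", re.IGNORECASE),
     "CPU identification (sandbox/VM check)", "T1497.001"),
    (re.compile(r"\\FeatureControl\\FEATURE_BROWSER_EMULATION$", re.IGNORECASE),
     "IE browser-emulation setting", None),
]


def normalize(path):
    """Rewrite a native registry path to the HKCU/HKLM form the rules use."""
    m = USER_HIVE_RE.match(path)
    if m:
        hive = "HKCU\\Software\\Classes" if m.group(1) else "HKCU"
        return hive + path[m.end():]
    if path.upper().startswith(MACHINE_PREFIX):
        return "HKLM" + path[len(MACHINE_PREFIX):]
    return path


def parse_rows(text):
    """Yield (operation, native path, process image) for each IoC row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def classify(text, sample_image):
    """Match each row against RULES and record whether the sample itself did it."""
    findings = []
    for op, path, proc in parse_rows(text):
        key = normalize(path)
        label, technique = "unclassified", None
        for rx, rule_label, rule_tid in RULES:
            if rx.search(key):
                label, technique = rule_label, rule_tid
                break
        findings.append({
            "op": op, "key": key, "process": proc, "label": label, "technique": technique,
            # Same key, different meaning: a read by a viewer the sample launched is
            # that application's behaviour, not the sample's.
            "verdict": "sample behaviour" if proc.lower() == sample_image.lower()
                       else "launched application (treat as benign)",
        })
    return findings


def summarize(findings):
    """Count rows per (label, verdict) so the noisy viewer hits stand out."""
    return Counter((f["label"], f["verdict"]) for f in findings)


if __name__ == "__main__":
    for (label, verdict), n in summarize(classify(SAMPLE_ROWS, "dot.exe")).items():
        print(f"{n:2d}  {label:40} {verdict}")
```

Run against the rows from this report it attributes all three Geo\Nation reads to dot.exe and all CPU reads to AcroRd32.exe, which is the split the signature headings above do not make for you. Extend RULES with whatever keys your own detections care about; the normalisation step is what keeps them portable across users and hives.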
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3540 dot.exe (42 occurrences)
- PID 4936 AcroRd32.exe (20 occurrences)
- PID 1460 dot.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken 18 IoCs
- Token: SeShutdownPrivilege, PID 2080 Explorer.EXE (9 occurrences)
- Token: SeCreatePagefilePrivilege, PID 2080 Explorer.EXE (9 occurrences, alternating with the above)
Note: on their own these adjustments are routine for the shell. They are listed here because Explorer.EXE (PID 2080) is also the process that dot.exe (PID 3540) writes into, so its activity after that write can no longer be assumed to be the shell's own.
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 4936 AcroRd32.exe

Suspicious use of SetWindowsHookEx 10 IoCs
- PID 4936 AcroRd32.exe (8 occurrences)
- PID 3960 AcroRd32.exe (1 occurrence)
- PID 3560 AcroRd32.exe (1 occurrence)
Suspicious use of WriteProcessMemory 64 IoCs
Distinct writer -> target edges, with the number of records for each:
- PID 3540 dot.exe -> PID 4936 AcroRd32.exe (procid_target 84): 3 records
- PID 3540 dot.exe -> PID 2080 Explorer.EXE (procid_target 49): 1 record
- PID 4936 AcroRd32.exe -> PID 560 RdrCEF.exe (procid_target 88): 3 records
- PID 560 RdrCEF.exe -> PID 3756 RdrCEF.exe (procid_target 91): 41 records
- PID 560 RdrCEF.exe -> PID 3708 RdrCEF.exe (procid_target 92): 16 records
The edge that matters is dot.exe -> Explorer.EXE: dot.exe writes into a process it did not create, its own parent, which is the injection step. Every other edge is a parent writing into a child it has just spawned, which is what process creation looks like from a sandbox hook; the RdrCEF.exe broker writing into its GPU and renderer children is normal Chromium Embedded Framework start-up, and the three dot.exe -> AcroRd32.exe records are consistent with dot.exe simply launching the viewer.
Processes

- C:\Windows\Explorer.EXE (PID 2080)
  cmdline: C:\Windows\Explorer.EXE
  signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\dot.exe (PID 3540)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\dot.exe"
    signatures: Checks computer location settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 4936)
      cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\KhPHE.pdf"
      signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 560)
        cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        signatures: Suspicious use of WriteProcessMemory
        - RdrCEF.exe gpu-process (PID 3756)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D510CCBFDBB4AE00D5BF8D03E36A16FB --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - RdrCEF.exe renderer (PID 3708)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E1224D8ABB489FDD8B453F469B2E91A3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E1224D8ABB489FDD8B453F469B2E91A3 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
        - RdrCEF.exe renderer (PID 3832)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C28E175ED159878CDC9C5815852EEA98 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C28E175ED159878CDC9C5815852EEA98 --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
        - RdrCEF.exe gpu-process (PID 4764)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=21BD08C03A2F2341C0B0ECE2783E347B --mojo-platform-channel-handle=1864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - RdrCEF.exe gpu-process (PID 2172)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1B578E0EA439CA74317EA6EBD64B83CF --mojo-platform-channel-handle=2588 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - RdrCEF.exe gpu-process (PID 792)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3855569761EC81D5E9B5D48434ECC5FE --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - RdrCEF.exe renderer (PID 3756, PID reused after the earlier gpu-process exited)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=40904AC7885515AE67AFABC514CBEBDE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=40904AC7885515AE67AFABC514CBEBDE --renderer-client-id=10 --mojo-platform-channel-handle=1160 --allow-no-sandbox-job /prefetch:1
        - RdrCEF.exe renderer (PID 2808)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EA3B9CA8DCF12BD33980D677F23E1E49 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EA3B9CA8DCF12BD33980D677F23E1E49 --renderer-client-id=12 --mojo-platform-channel-handle=2012 --allow-no-sandbox-job /prefetch:1
    - C:\Windows\SysWOW64\WScript.exe (PID 1300)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UN.vbs"
  - C:\Users\Admin\AppData\Local\Temp\dot.exe (PID 1460)
    cmdline: C:\Windows\Explorer.EXE
    signatures: Checks computer location settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 3960)
      cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\XDXkZ.pdf"
      signatures: Checks processor information in registry; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WScript.exe (PID 3552)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UN.vbs"
  - C:\Users\Admin\AppData\Local\Temp\dot.exe (PID 2804)
    cmdline: C:\Windows\Explorer.EXE
    signatures: Checks computer location settings; Modifies registry class
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 3560)
      cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\kGfCG.pdf"
      signatures: Checks processor information in registry; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe (PID 4472)
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  signatures: Drops startup file
- C:\Windows\System32\CompPkgSrv.exe (PID 2248)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

Reading the tree: each dot.exe instance opens a differently named PDF from %TEMP% in Adobe Reader (KhPHE.pdf, XDXkZ.pdf, kGfCG.pdf) and runs the same script, UN.vbs, through the 32-bit script host (the image is SysWOW64\WScript.exe although the command line names System32, the usual file-system redirection for a 32-bit caller). The second and third dot.exe instances (PIDs 1460 and 2804) are children of the Explorer.EXE process that PID 3540 wrote into, and their recorded command line is C:\Windows\Explorer.EXE while their image is dot.exe, a mismatch worth keeping in any hunt. The Startup-folder drop is made by a separate DllHost.exe COM surrogate, not by dot.exe. The RdrCEF.exe children are Adobe Reader's Chromium Embedded Framework helper processes with their normal GPU and renderer flags and carry no signatures of their own.
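The WriteProcessMemory table and the process tree above are meant to be read together. The following is an added example (my code, not the report's or the Triage tooling's) that parses "wrote to memory of" records in the flattened form the report prints, counts the distinct writer -> target edges, and grades each one against the parent/child relationships from the tree: a parent writing into a child it has just created is what CreateProcess looks like from a sandbox hook, while a write into a process the writer did not create, here dot.exe into its own parent Explorer.EXE, is the injection. SAMPLE_RECORDS and PROCESS_TREE are transcribed from this page; the KNOWN_MULTIPROCESS allowlist and the severity labels are my assumptions.

```python
"""Triage 'Suspicious use of WriteProcessMemory' records against a process tree.

Added example for this page (not the report's or the Triage tooling's code).
SAMPLE_RECORDS and PROCESS_TREE are transcribed from the report; the allowlist
and the severity labels are this example's own.
"""
import re
from collections import Counter

# Constructed sample: distinct records from the report's table, in the flattened
# form it prints: 'PID <writer> wrote to memory of <target> <writer> <image> <procid_target>'.
SAMPLE_RECORDS = """
PID 3540 wrote to memory of 4936 3540 dot.exe 84
PID 3540 wrote to memory of 4936 3540 dot.exe 84
PID 3540 wrote to memory of 4936 3540 dot.exe 84
PID 3540 wrote to memory of 2080 3540 dot.exe 49
PID 4936 wrote to memory of 560 4936 AcroRd32.exe 88
PID 4936 wrote to memory of 560 4936 AcroRd32.exe 88
PID 560 wrote to memory of 3756 560 RdrCEF.exe 91
PID 560 wrote to memory of 3708 560 RdrCEF.exe 92
"""

# Process tree from the report: pid -> (image, parent pid). Explorer.EXE and
# DllHost.exe are top-level entries in the report, so their parent is None.
PROCESS_TREE = {
    2080: ("Explorer.EXE", None),
    3540: ("dot.exe", 2080),
    4936: ("AcroRd32.exe", 3540),
    1300: ("WScript.exe", 3540),
    560:  ("RdrCEF.exe", 4936),
    3756: ("RdrCEF.exe", 560),
    3708: ("RdrCEF.exe", 560),
    1460: ("dot.exe", 2080),
    2804: ("dot.exe", 2080),
    4472: ("DllHost.exe", None),
}

# Assumption: multi-process applications whose brokers routinely write into the
# children they spawn. Anything else doing the same gets a closer look.
KNOWN_MULTIPROCESS = {"AcroRd32.exe", "RdrCEF.exe"}

RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_records(text):
    """Count records per (writer_pid, target_pid) edge."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def is_ancestor(tree, candidate, pid):
    """True if `candidate` appears anywhere on `pid`'s parent chain."""
    parent = tree.get(pid, (None, None))[1]
    while parent is not None:
        if parent == candidate:
            return True
        parent = tree.get(parent, (None, None))[1]
    return False


def triage(edges, tree):
    """Grade each edge by whether the writer created the target."""
    findings = []
    for (writer, target), n in sorted(edges.items()):
        w_img = tree.get(writer, ("?", None))[0]
        t_img = tree.get(target, ("?", None))[0]
        if tree.get(target, (None, None))[1] == writer:
            # The writer spawned the target: CreateProcess itself writes into the
            # new process, so this is only worth a look for non-browser parents.
            severity = "info" if w_img in KNOWN_MULTIPROCESS else "low"
            reason = "writes into a child it spawned (CreateProcess does this)"
        elif is_ancestor(tree, target, writer):
            severity = "high"
            reason = "writes into its own ancestor, a process it did not create"
        else:
            severity = "high"
            reason = "writes into a process it did not create"
        findings.append({"writer": (writer, w_img), "target": (target, t_img),
                         "records": n, "severity": severity, "reason": reason})
    return findings


def high_findings(text=SAMPLE_RECORDS, tree=PROCESS_TREE):
    """Convenience wrapper: only the edges that indicate injection."""
    return [f for f in triage(parse_records(text), tree) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_RECORDS), PROCESS_TREE):
        print(f"{f['severity']:5} {f['writer'][1]}({f['writer'][0]}) -> "
              f"{f['target'][1]}({f['target'][0]}) x{f['records']}: {f['reason']}")
```

On this report the only high finding is dot.exe (3540) -> Explorer.EXE (2080); the Reader broker edges drop to info and the dot.exe -> AcroRd32.exe edge to low. The ancestor check is what separates "injected into the shell that launched me" from an unrelated target, and it is cheap enough to keep in any sandbox post-processing.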
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files captured during the run. The report does not map these entries to file names.

- Filesize: 33KB (this entry is listed three times in the report with identical hashes, i.e. the same file dropped three times)
  MD5: 30180336f09f66d50a46a31b0e67e580
  SHA1: 172af56223f37d7bec8ebc0ed3584bddbe167f88
  SHA256: f361d01c7a799b937b182ebc961538b0609aa469651da1d7879605ec41b15c41
  SHA512: d42cf1827accef0e73915d12b53c0cefeaad5a1fcf30dd9ca86187d5b234be81b6065394cc40a58d38bc6c841c21f732613db98fa1a69c1b7352932ff2fc1772
- Filesize: 618B
  MD5: 7c8a84e48ae50d516811c6de2e9e743e
  SHA1: ef77fe196aea85ad44aa5e8fee4ae06d73ab5c72
  SHA256: cefeb32ce68df39ba677736e0eb30bfb002cb848a5b42892c37eff1c1c7b153c
  SHA512: 133eda897b73af071a2578d915103c819917f6978c6411b12ff52a7ce2c4638ffc2e716d506763d2ff5ac50dae1036f7b02eadb766b68fbbd34f8be2d0a6bc80
- Filesize: 618B
  MD5: a1521d2b0bb5d736ad5db93f5a545aaf
  SHA1: 705c456ef2683b59701652c3391150e33218ee55
  SHA256: 3a15db3520018f4b6a8a629aabe5c4a32671e1e1291d1c472d4fc0c5f53d81fb
  SHA512: 970f2e5120fb936e350597340b7b1abfcbd23032cd86d76077ad1644d0b543150c381cad4fd2c47d7668bbbc199c7cdac5c611506640dbb07ac29271dbc24054