asyncrat | c808e17f32c426d4059a19c888c71348c23ddebe9ee227c70a0a56a91dea708e

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2023 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Confirmation.exe
Size

1.3MB
MD5

52ffadcc31852e900c70f28498187bc6
SHA1

a6ef0d114f2a25c01eafb7a611f8821bfdc0e8af
SHA256

5c06318e1614eed017bf727ddaf46ee6cb90a2115199b35e408bea8152298e1e
SHA512

60028a5dba40a381554469d02fd56d2612d3a1f8250e1fca89c74ce7cab44127c5003845468ab044988cfcdb60dc3b590b2fb90c75f28576f6a407beb49c1787
SSDEEP

24576:wNA3R5drXhDFw71enfWt03TzmNJ4Yx8eQ+aFvWoTzPslCsmUKedewxFJ5:p5VmefWts+NByeQJ9WoTzPPsmUVnXJ5

Score

10^/10

asyncrat dxgroup rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DxGroup

flurrybeatmecamtest.ddns.net:6767

flurrybeatmecamtest.ddns.net:4141

flurrybeatmecamtest.sytes.net:6767

flurrybeatmecamtest.sytes.net:4141

Mutex

AsyncMutex_6SI8OkRtG

Attributes

delay
4
install
true
install_file
mrec.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3468-183-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Confirmation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ytijder.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ytijder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	dsifh.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	dsifh.exe

Executes dropped EXE 7 IoCs

pid	Process
4720	ytijder.sfx.exe
444	ytijder.exe
3260	dsifh.sfx.exe
2568	dsifh.exe
3468	dsifh.exe
3184	mrec.exe
1640	mrec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 3468	2568	dsifh.exe	96
PID 3184 set thread context of 1640	3184	mrec.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2596	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4340	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	Confirmation.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
3468	dsifh.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	dsifh.exe
Token: SeDebugPrivilege	3468	dsifh.exe
Token: SeDebugPrivilege	3184	mrec.exe
Token: SeDebugPrivilege	1640	mrec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1684	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1684	1432	Confirmation.exe	85
PID 1432 wrote to memory of 1684	1432	Confirmation.exe	85
PID 1432 wrote to memory of 1684	1432	Confirmation.exe	85
PID 1432 wrote to memory of 3496	1432	Confirmation.exe	87
PID 1432 wrote to memory of 3496	1432	Confirmation.exe	87
PID 1432 wrote to memory of 3496	1432	Confirmation.exe	87
PID 3496 wrote to memory of 4720	3496	cmd.exe	89
PID 3496 wrote to memory of 4720	3496	cmd.exe	89
PID 3496 wrote to memory of 4720	3496	cmd.exe	89
PID 4720 wrote to memory of 444	4720	ytijder.sfx.exe	90
PID 4720 wrote to memory of 444	4720	ytijder.sfx.exe	90
PID 4720 wrote to memory of 444	4720	ytijder.sfx.exe	90
PID 444 wrote to memory of 4916	444	ytijder.exe	91
PID 444 wrote to memory of 4916	444	ytijder.exe	91
PID 444 wrote to memory of 4916	444	ytijder.exe	91
PID 4916 wrote to memory of 3260	4916	cmd.exe	93
PID 4916 wrote to memory of 3260	4916	cmd.exe	93
PID 4916 wrote to memory of 3260	4916	cmd.exe	93
PID 3260 wrote to memory of 2568	3260	dsifh.sfx.exe	94
PID 3260 wrote to memory of 2568	3260	dsifh.sfx.exe	94
PID 3260 wrote to memory of 2568	3260	dsifh.sfx.exe	94
PID 1684 wrote to memory of 4700	1684	AcroRd32.exe	95
PID 1684 wrote to memory of 4700	1684	AcroRd32.exe	95
PID 1684 wrote to memory of 4700	1684	AcroRd32.exe	95
PID 2568 wrote to memory of 3468	2568	dsifh.exe	96
PID 2568 wrote to memory of 3468	2568	dsifh.exe	96
PID 2568 wrote to memory of 3468	2568	dsifh.exe	96
PID 2568 wrote to memory of 3468	2568	dsifh.exe	96
PID 2568 wrote to memory of 3468	2568	dsifh.exe	96
PID 2568 wrote to memory of 3468	2568	dsifh.exe	96
PID 2568 wrote to memory of 3468	2568	dsifh.exe	96
PID 2568 wrote to memory of 3468	2568	dsifh.exe	96
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97
PID 4700 wrote to memory of 4216	4700	RdrCEF.exe	97

C:\Users\Admin\AppData\Local\Temp\Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\confirmation.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CA48A97C7A3719D9CC2A48ACB776F16E --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4216
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=17FA86DB2DA2581B0827AA2E0CEBB2E6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=17FA86DB2DA2581B0827AA2E0CEBB2E6 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4328
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C6DB767F00FDAABE3C0C79EFA2F9E05E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C6DB767F00FDAABE3C0C79EFA2F9E05E --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=24C99CA3D720C650A0DCC11330952C63 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2180
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7230A5791E2D8143BA80EF4D38ADCA6D --mojo-platform-channel-handle=2212 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:748
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEB99C519977E95C5C4AAF966680F001 --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roetfg.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\ytijder.sfx.exe
    ytijder.sfx.exe -pwujtndaslonkhgythagtnoiuthnjmdkolqhjyoNomeyjmjhgtprbnhotafugBbsddfdtuxTnYhnVb -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\ytijder.exe
      "C:\Users\Admin\AppData\Local\Temp\ytijder.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ftome.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Users\Admin\AppData\Local\Temp\dsifh.sfx.exe
        
        dsifh.sfx.exe -pyehnfriolpmnbfXcgscvmhjfjgBbsdirhndmkaloyrhnlyunhlndfdyehngfszafugyRfvbghnEwCiynB -dC:\Users\Admin\AppData\Local\Temp
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\dsifh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dsifh.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\dsifh.exe
        
        C:\Users\Admin\AppData\Local\Temp\dsifh.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mrec" /tr '"C:\Users\Admin\AppData\Roaming\mrec.exe"' & exit
        9⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "mrec" /tr '"C:\Users\Admin\AppData\Roaming\mrec.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEAE2.tmp.bat""
        9⤵
        
        PID:840
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\mrec.exe
        
        "C:\Users\Admin\AppData\Roaming\mrec.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\mrec.exe
        
        C:\Users\Admin\AppData\Roaming\mrec.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
514acbedcc00f15144782ba565c18b8d

SHA1
4b3ad9a416645f516cb328fa77c106c546cf3c97

SHA256
0bcee2cd1043b3d764e52004097781bd8fe313647decbd873887aec1831d430c

SHA512
9756ff11bfa6374ddb538e9549486adf93933f60a3dc2a44b2d4a4aa93148758261af3484b912812d94f0000d81d5327aa8c97c8fa5965e96938d94591a9c4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dsifh.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\confirmation.pdf

Filesize
203KB

MD5
f08c652d1a177b00d2285d5218cd0d56

SHA1
bf7dd59aecf726612c796f7f6d4bee6cde7ef8af

SHA256
c3aefa15a61d94dacc6d78dbcc9f6f721550f0ffa3f5d67b3d0ebae24e9cf6cf

SHA512
8efdab452ffb75826b6d32ca3edc7968fabb79785c428e46f74cfcd3115aefd91ccb95462793f7f78883f597af6759ac205ec12899dd8ba61361201e9b4a49fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsifh.exe

Filesize
209KB

MD5
43307981bba0bad2a3e47f87dcd9df63

SHA1
91b7605e22582e0b3898c75812632be127c1a7fa

SHA256
119b22d773ab76e8c45d18e01e09103d6157046ba1b2abedd8b3abd344d16c39

SHA512
a2006da2a828a902c54f883a1eb272ac255c107767f2f1fae8d9428eba56cc3b0c962b18939f0bafe288c4afeb64e0a817125e7b8a0fc21e1c6ca706ac443909

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsifh.exe

Filesize
209KB

MD5
43307981bba0bad2a3e47f87dcd9df63

SHA1
91b7605e22582e0b3898c75812632be127c1a7fa

SHA256
119b22d773ab76e8c45d18e01e09103d6157046ba1b2abedd8b3abd344d16c39

SHA512
a2006da2a828a902c54f883a1eb272ac255c107767f2f1fae8d9428eba56cc3b0c962b18939f0bafe288c4afeb64e0a817125e7b8a0fc21e1c6ca706ac443909

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsifh.exe

Filesize
209KB

MD5
43307981bba0bad2a3e47f87dcd9df63

SHA1
91b7605e22582e0b3898c75812632be127c1a7fa

SHA256
119b22d773ab76e8c45d18e01e09103d6157046ba1b2abedd8b3abd344d16c39

SHA512
a2006da2a828a902c54f883a1eb272ac255c107767f2f1fae8d9428eba56cc3b0c962b18939f0bafe288c4afeb64e0a817125e7b8a0fc21e1c6ca706ac443909

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsifh.exe

Filesize
209KB

MD5
43307981bba0bad2a3e47f87dcd9df63

SHA1
91b7605e22582e0b3898c75812632be127c1a7fa

SHA256
119b22d773ab76e8c45d18e01e09103d6157046ba1b2abedd8b3abd344d16c39

SHA512
a2006da2a828a902c54f883a1eb272ac255c107767f2f1fae8d9428eba56cc3b0c962b18939f0bafe288c4afeb64e0a817125e7b8a0fc21e1c6ca706ac443909

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsifh.sfx.exe

Filesize
626KB

MD5
ff6c4a0789eaabf60749c1a081728e87

SHA1
cf979b477f6345260d6ffd7afa1703fc74fdd728

SHA256
ede4e1dab5569c00c8dbdb6f96e68e4dc6c79c5c4d034abb618b562802dd5a6b

SHA512
9040955ed66e7168ca525fc6475d1fb91dcec0616d3296c70619ac06fc4ce49ad85bc514354a6d8338b85667526590fd530e17ddc86bb090367546e854affd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsifh.sfx.exe

Filesize
626KB

MD5
ff6c4a0789eaabf60749c1a081728e87

SHA1
cf979b477f6345260d6ffd7afa1703fc74fdd728

SHA256
ede4e1dab5569c00c8dbdb6f96e68e4dc6c79c5c4d034abb618b562802dd5a6b

SHA512
9040955ed66e7168ca525fc6475d1fb91dcec0616d3296c70619ac06fc4ce49ad85bc514354a6d8338b85667526590fd530e17ddc86bb090367546e854affd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftome.bat

Filesize
21KB

MD5
f369766afda09c616e8b557a7830bee2

SHA1
c7701b24c761b3bb788b8774a85d93418a805501

SHA256
a7c138b740a3e308f40f04f695472de9d66ced0bbb4e931d4b693c05fe9a1afe

SHA512
6eb4d3efeedee7a9fe72094ff88c1ac86b28857c425e89974a95410b16e214a18231637ec7465f9d70ea770a363ddfd6f46be5cf47eb5ec3f058f7eb24d21b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\roetfg.cmd

Filesize
19KB

MD5
328d9cc3e4461356f4482a6af28507eb

SHA1
5ad5e551e56af1e1921dbe2ff73999aea2d8a8f4

SHA256
e73590d744b5b995310baa9c9b649ea8a3f3cb011fdb964b9a331ccd6f9cc366

SHA512
84f4cff39d92636715481878d922290da8b4d011ea8d3e03176d00e6df347774c6df0201f184f929f628e3ec3a87d12b612a82f5e24d4171065e5d98e7460908

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAE2.tmp.bat

Filesize
148B

MD5
003e9a0041464ee3bac5809914acf43e

SHA1
8dc9cc15c0a9a7426faa68b3d344962ea6c0b622

SHA256
4be1ccac4d79d22b3e19972ceb638a865931e834efa4ec04cb66c5b9ce1b064c

SHA512
afa085cd57241bfb0dc8e7beae57cd69abd30b12b883b88d7dbcc5af4bcb6dcc521134008f0df8e099c2c625fddf4ca13956a876db11a202c8b15d7872c59eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytijder.exe

Filesize
773KB

MD5
730c35e6e61d93b18d443a5e8699f254

SHA1
9b7b4743b0ef53bb05b4da5b2181fd30f3a82ad4

SHA256
cca0e31762a7a8fe369459a99cec4a99b3bc4b489b0abd6da31ca3b34e4419e5

SHA512
f4e56c21035f10687ecb118f1d0e56479fd13fa902b69036041640fba73e08b0e12c9dbb569ed7a30e763e2e284a8859a2add85fa7f28588055a70886587a15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytijder.exe

Filesize
773KB

MD5
730c35e6e61d93b18d443a5e8699f254

SHA1
9b7b4743b0ef53bb05b4da5b2181fd30f3a82ad4

SHA256
cca0e31762a7a8fe369459a99cec4a99b3bc4b489b0abd6da31ca3b34e4419e5

SHA512
f4e56c21035f10687ecb118f1d0e56479fd13fa902b69036041640fba73e08b0e12c9dbb569ed7a30e763e2e284a8859a2add85fa7f28588055a70886587a15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytijder.exe

Filesize
773KB

MD5
730c35e6e61d93b18d443a5e8699f254

SHA1
9b7b4743b0ef53bb05b4da5b2181fd30f3a82ad4

SHA256
cca0e31762a7a8fe369459a99cec4a99b3bc4b489b0abd6da31ca3b34e4419e5

SHA512
f4e56c21035f10687ecb118f1d0e56479fd13fa902b69036041640fba73e08b0e12c9dbb569ed7a30e763e2e284a8859a2add85fa7f28588055a70886587a15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytijder.sfx.exe

Filesize
1019KB

MD5
8d9cd44a4e9690631c4c247090db1fff

SHA1
84a04df3c9af3a1ef18808d2c704c78d245c3446

SHA256
c6db96f405126c255a04677b713ea1fd897b5af56155e27b86f297cb244b35eb

SHA512
813d769da3553c14d4d3ff47b2e846902ab003f0411cd04be1d8efa07e115e37b7489cfedaaaa88a8abd1ca320f2891d9e9817b23792a26ab3650fb3a1c39f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytijder.sfx.exe

Filesize
1019KB

MD5
8d9cd44a4e9690631c4c247090db1fff

SHA1
84a04df3c9af3a1ef18808d2c704c78d245c3446

SHA256
c6db96f405126c255a04677b713ea1fd897b5af56155e27b86f297cb244b35eb

SHA512
813d769da3553c14d4d3ff47b2e846902ab003f0411cd04be1d8efa07e115e37b7489cfedaaaa88a8abd1ca320f2891d9e9817b23792a26ab3650fb3a1c39f1f

Download Submit
C:\Users\Admin\AppData\Roaming\mrec.exe

Filesize
209KB

MD5
43307981bba0bad2a3e47f87dcd9df63

SHA1
91b7605e22582e0b3898c75812632be127c1a7fa

SHA256
119b22d773ab76e8c45d18e01e09103d6157046ba1b2abedd8b3abd344d16c39

SHA512
a2006da2a828a902c54f883a1eb272ac255c107767f2f1fae8d9428eba56cc3b0c962b18939f0bafe288c4afeb64e0a817125e7b8a0fc21e1c6ca706ac443909

Download Submit
C:\Users\Admin\AppData\Roaming\mrec.exe

Filesize
209KB

MD5
43307981bba0bad2a3e47f87dcd9df63

SHA1
91b7605e22582e0b3898c75812632be127c1a7fa

SHA256
119b22d773ab76e8c45d18e01e09103d6157046ba1b2abedd8b3abd344d16c39

SHA512
a2006da2a828a902c54f883a1eb272ac255c107767f2f1fae8d9428eba56cc3b0c962b18939f0bafe288c4afeb64e0a817125e7b8a0fc21e1c6ca706ac443909

Download Submit
C:\Users\Admin\AppData\Roaming\mrec.exe

Filesize
209KB

MD5
43307981bba0bad2a3e47f87dcd9df63

SHA1
91b7605e22582e0b3898c75812632be127c1a7fa

SHA256
119b22d773ab76e8c45d18e01e09103d6157046ba1b2abedd8b3abd344d16c39

SHA512
a2006da2a828a902c54f883a1eb272ac255c107767f2f1fae8d9428eba56cc3b0c962b18939f0bafe288c4afeb64e0a817125e7b8a0fc21e1c6ca706ac443909

Download Submit
memory/1640-331-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/1640-338-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/1684-337-0x000000000AFD0000-0x000000000B27B000-memory.dmp

Filesize
2.7MB

Download
memory/2568-181-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/2568-182-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/2568-180-0x000000000A500000-0x000000000AAA4000-memory.dmp

Filesize
5.6MB

Download
memory/2568-179-0x0000000009EB0000-0x0000000009F4C000-memory.dmp

Filesize
624KB

Download
memory/2568-178-0x0000000000D40000-0x0000000000D7A000-memory.dmp

Filesize
232KB

Download
memory/3184-252-0x0000000007790000-0x00000000077A0000-memory.dmp

Filesize
64KB

Download
memory/3468-217-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/3468-215-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3468-183-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download