Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2023 17:30
Static task: static1
Behavioral task: behavioral1
- Sample: c556abc2e04d6889cf0a059f9133af60.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: c556abc2e04d6889cf0a059f9133af60.exe
- Resource: win10v2004-20231127-en
General
- Target: c556abc2e04d6889cf0a059f9133af60.exe
- Size: 1008KB
- MD5: c556abc2e04d6889cf0a059f9133af60
- SHA1: 80d768a65c200d34517bdf788e8ae649e4f4addf
- SHA256: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220a
- SHA512: 1b766194cf4c7419366f9c05d1ba58ead14413125ce309825d4cd607edb4cb49bee7d4af46397df9d9bf27ea3418d96f642932ef068ea403f89a91b7e29162f7
- SSDEEP: 24576:p1tk+pJ16fvFeZ81CAH9ddcuq+vHWH32M4L:rZJUf9HH9Euqn32r
Malware Config
Extracted
- Protocol: smtp
- Host: mail.worlorderbillions.top
- Port: 587
- Username: [email protected]
- Password: vqpF.#;cCodu
Extracted: agenttesla
- Protocol: smtp
- Host: mail.worlorderbillions.top
- Port: 587
- Username: [email protected]
- Password: vqpF.#;cCodu
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: c556abc2e04d6889cf0a059f9133af60.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation
  process: c556abc2e04d6889cf0a059f9133af60.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 42
  ioc: ip-api.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes: c556abc2e04d6889cf0a059f9133af60.exe
  description: PID 2060 set thread context of 3588
  pid: 2060
  process: c556abc2e04d6889cf0a059f9133af60.exe
  target process: c556abc2e04d6889cf0a059f9133af60.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  process: AcroRd32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  process: AcroRd32.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: AcroRd32.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  process: AcroRd32.exe
-
Modifies registry class 1 IoCs
Processes: c556abc2e04d6889cf0a059f9133af60.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings
  process: c556abc2e04d6889cf0a059f9133af60.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: c556abc2e04d6889cf0a059f9133af60.exe, c556abc2e04d6889cf0a059f9133af60.exe, AcroRd32.exe
  pid / process:
  - 2060 c556abc2e04d6889cf0a059f9133af60.exe (4 entries)
  - 3588 c556abc2e04d6889cf0a059f9133af60.exe (2 entries)
  - 4724 AcroRd32.exe (20 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: c556abc2e04d6889cf0a059f9133af60.exe, c556abc2e04d6889cf0a059f9133af60.exe
  description: Token: SeDebugPrivilege
  pid: 2060
  process: c556abc2e04d6889cf0a059f9133af60.exe
  description: Token: SeDebugPrivilege
  pid: 3588
  process: c556abc2e04d6889cf0a059f9133af60.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
  pid / process:
  - 4724 AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: AcroRd32.exe
  pid / process:
  - 4724 AcroRd32.exe (6 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: c556abc2e04d6889cf0a059f9133af60.exe, c556abc2e04d6889cf0a059f9133af60.exe, AcroRd32.exe, RdrCEF.exe
  description / pid / process / target process:
  - PID 2060 wrote to memory of 1780: 2060 c556abc2e04d6889cf0a059f9133af60.exe -> c556abc2e04d6889cf0a059f9133af60.exe (3 entries)
  - PID 2060 wrote to memory of 3556: 2060 c556abc2e04d6889cf0a059f9133af60.exe -> c556abc2e04d6889cf0a059f9133af60.exe (3 entries)
  - PID 2060 wrote to memory of 3588: 2060 c556abc2e04d6889cf0a059f9133af60.exe -> c556abc2e04d6889cf0a059f9133af60.exe (8 entries)
  - PID 3588 wrote to memory of 4724: 3588 c556abc2e04d6889cf0a059f9133af60.exe -> AcroRd32.exe (3 entries)
  - PID 4724 wrote to memory of 5108: 4724 AcroRd32.exe -> RdrCEF.exe (3 entries)
  - PID 5108 wrote to memory of 4636: 5108 RdrCEF.exe -> RdrCEF.exe (41 entries)
  - PID 5108 wrote to memory of 3316: 5108 RdrCEF.exe -> RdrCEF.exe (3 entries)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe"
  PID: 2060
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe"
    PID: 1780
  Depth 2: C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe"
    PID: 3588
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EMBARGO SALARIAL_MURILLO UMAÑA ANTONIO ROSARIO.pdf"
      PID: 4724
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        PID: 5108
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2C67AD5BD52F01E0C1A2FEBE01E59DE2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 4636
        Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0D89A6F7C40C6314B7A98346BC3722D0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0D89A6F7C40C6314B7A98346BC3722D0 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
          PID: 3316
        Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2F1FB4BC0094644885812994A1C0E3A0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2F1FB4BC0094644885812994A1C0E3A0 --renderer-client-id=5 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
          PID: 4480
        Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0AFD670ED8BB4E8C17C251FF84391B6A --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 2584
        Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6D5847F46FF4E9B8A9788B3537DEACA5 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 4548
        Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CD9C0D4AF8F829CF8133DB74C2379F19 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 4484
  Depth 2: C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe"
    PID: 3556
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 64KB
MD5: ac17bf2f5850193d8aed3d33c14c143c
SHA1: 6a861961fe2664510a5c533ef3e627d28d9c12f6
SHA256: bb889751bee2217c79c4c9de4e7adfeed12f2b02db890aa28dd2905f6ecbc813
SHA512: bf157bb8d54de7cb5b22461dbcda5ec3499a1e89228096440d2b765c1bf424eb83db698e7972bab27dbf12acbada51175247eff6d7957b7b8914661c439be833
-
Filesize: 36KB
MD5: b30d3becc8731792523d599d949e63f5
SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize: 56KB
MD5: 752a1f26b18748311b691c7d8fc20633
SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c556abc2e04d6889cf0a059f9133af60.exe.log
Filesize: 1KB
MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EMBARGO SALARIAL_MURILLO UMAÑA ANTONIO ROSARIO.pdf
Filesize: 120KB
MD5: 5fcdd51c3cd1d44b10275bec6e299ab5
SHA1: 23f6b41f34950a0d6776b3b593c57474c7440797
SHA256: abcd38761579196d1f5fd4efa7c5eebc1f1e32c031775cb5539acef2dfc24bf5
SHA512: 52c3bc80621716adbd9126d8ab284053bc298ab9c425ba455509851d32ae644eefb0856a33846eebe084d64d37495b479b21e7c26188aab4ed71f0b3a2ab50d6