Analysis
  max time kernel: 141s
  max time network: 136s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19-01-2024 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: 68288c29d8546aadc301eda4436def32.exe
  Resource: win7-20231215-en
General
  Target: 68288c29d8546aadc301eda4436def32.exe
  Size: 2.4MB
  MD5: 68288c29d8546aadc301eda4436def32
  SHA1: b2f25aa72549ab250213e20850aa3e5beab1928f
  SHA256: a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
  SHA512: d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
  SSDEEP: 49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p
Malware Config
Signatures

Ardamax main executable (3 IoCs)
  resource | yara_rule
  C:\Windows\SysWOW64\JHPMIJ\FQO.exe | family_ardamax
  C:\Windows\SysWOW64\JHPMIJ\FQO.exe | family_ardamax
  C:\Windows\SysWOW64\JHPMIJ\FQO.exe | family_ardamax

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | HKCMB.exe

Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | HKCMB.exe

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | process
  5100 | attrib.exe
  1120 | attrib.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 68288c29d8546aadc301eda4436def32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | HKCMB.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | INSTALL.EXE

Executes dropped EXE (5 IoCs)
  pid | process
  3272 | Transaction mangement.exe
  3940 | HKCMB.exe
  1220 | INSTALL.EXE
  4864 | FQO.exe
  1368 | msdcsc.exe

Loads dropped DLL (3 IoCs)
  pid | process
  4864 | FQO.exe
  3708 | AcroRd32.exe
  3708 | AcroRd32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | HKCMB.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start = "C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe" | FQO.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (9 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | HKCMB.exe
  File created | C:\Windows\SysWOW64\JHPMIJ\AKV.exe | INSTALL.EXE
  File created | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | INSTALL.EXE
  File opened for modification | C:\Windows\SysWOW64\JHPMIJ\ | FQO.exe
  File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | HKCMB.exe
  File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | HKCMB.exe
  File created | C:\Windows\SysWOW64\JHPMIJ\FQO.004 | INSTALL.EXE
  File created | C:\Windows\SysWOW64\JHPMIJ\FQO.001 | INSTALL.EXE
  File created | C:\Windows\SysWOW64\JHPMIJ\FQO.002 | INSTALL.EXE

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3272 set thread context of 3940 | 3272 | Transaction mangement.exe | HKCMB.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | Transaction mangement.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | Transaction mangement.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies Internet Explorer settings (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | HKCMB.exe
  Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | 68288c29d8546aadc301eda4436def32.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid | process
  3708 | AcroRd32.exe (20 identical entries)

Suspicious use of AdjustPrivilegeToken (26 IoCs)
  process (pid) | tokens
  HKCMB.exe (3940), 24 entries | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  FQO.exe (4864), 2 entries | 33, SeIncBasePriorityPrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  3708 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (9 IoCs)
  pid | process
  3708 | AcroRd32.exe (5 entries)
  4864 | FQO.exe (4 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  writer pid | writer process | target pid | target process | entries
  4548 | 68288c29d8546aadc301eda4436def32.exe | 3272 | Transaction mangement.exe | 3
  4548 | 68288c29d8546aadc301eda4436def32.exe | 3708 | AcroRd32.exe | 3
  3272 | Transaction mangement.exe | 3940 | HKCMB.exe | 14
  3940 | HKCMB.exe | 5116 | cmd.exe | 3
  3940 | HKCMB.exe | 876 | cmd.exe | 3
  3940 | HKCMB.exe | 1220 | INSTALL.EXE | 3
  876 | cmd.exe | 1120 | attrib.exe | 3
  5116 | cmd.exe | 5100 | attrib.exe | 3
  1220 | INSTALL.EXE | 4864 | FQO.exe | 3
  3940 | HKCMB.exe | 1368 | msdcsc.exe | 3
  3708 | AcroRd32.exe | 1088 | RdrCEF.exe | 3
  1088 | RdrCEF.exe | 3508 | RdrCEF.exe | 20

Views/modifies file attributes (1 TTP, 2 IoCs)
  pid | process
  1120 | attrib.exe
  5100 | attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe (PID 4548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe (PID 3272)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe (PID 3940)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
        - Modifies WinLogon for persistence
        - Drops file in Drivers directory
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 5116)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\attrib.exe (PID 5100)
            Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes

      [4] C:\Windows\SysWOW64\cmd.exe (PID 876)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\attrib.exe (PID 1120)
            Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes

      [4] C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE (PID 1220)
          Command line: "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\JHPMIJ\FQO.exe (PID 4864)
            Command line: "C:\Windows\system32\JHPMIJ\FQO.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (PID 1368)
          Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
          - Executes dropped EXE

  [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 3708)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
      - Loads dropped DLL
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1088)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4564)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=85340AD4C11A02DA1B6D36C623A90319 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=85340AD4C11A02DA1B6D36C623A90319 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3508)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C7622C5E1F07C5F48786BF0BBF11347 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3732)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2772703EBFB8628EA6113825C968FF58 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1604)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A6FF96F05B876190CCC176DA1436CB03 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1736)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=93D4C9705B246535359ECD58320FFC6E --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2436)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A4ADE1607807ED08AC9C227EC6C44B62 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A4ADE1607807ED08AC9C227EC6C44B62 --renderer-client-id=7 --mojo-platform-channel-handle=2532 --allow-no-sandbox-job /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe (PID 4280)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
Downloads