Analysis

max time kernel: 16s
max time network: 21s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08-02-2024 18:24
Behavioral task: behavioral1
Sample: Voicemail (1).pdf
Resource: win10-20231215-en
General

Target: Voicemail (1).pdf
Size: 2.1MB
MD5: aebe18c641f295f19d1aa8ade0c606cc
SHA1: 406324520d884fb3310e353b31c7ae313f605ce8
SHA256: e704e7847f7776014173bf9867c92dfe2eac710ac67a840cb3b675580cdb1ab4
SHA512: 5fffa67146808f08ce296d3e1001503ffde2358317117b070ee4faf47531b17dcef1d1a9f3908f17f8e4d22be18b0a679746a6c09e69ada92c255fe0deb3b675
SSDEEP: 49152:rzQT2lrEJrXpkO34gvGt4T7wKA5+SnohnKm9lScNmEngmUF9wWsFLGuY1K:rDlwPeWIcNRUFaWsFyuF
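The report records what the file did when opened, not what is in it. The first check a practitioner makes on a sample like this is static: does the PDF carry link (/URI), /Launch, /OpenAction or JavaScript actions, and where do they point? The Python below is an added example, not part of this report or of any Adobe or sandbox tooling. It scans raw PDF syntax, inflates /FlateDecode streams so actions hidden in compressed objects are seen as well, and runs over a small PDF constructed inline; the `example.invalid` URLs and the object layout are made up for the demonstration and are not taken from Voicemail (1).pdf, which is not on this page.

```python
import re
import zlib

# Patterns over raw PDF syntax. PDF names are case-sensitive, so no IGNORECASE.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (https://...)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")           # /URI <68747470...>
ACTION_RE = re.compile(rb"/(Launch|JavaScript|JS|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile)\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _pdf_literal(raw: bytes) -> str:
    # Undo the backslash escapes a PDF literal string may carry (\( \) \\); other
    # sequences such as \n or octal codes are left for a full parser.
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def _pdf_hex(raw: bytes) -> str:
    digits = re.sub(rb"\s", b"", raw).decode("ascii")
    if len(digits) % 2:          # the spec pads an odd final digit with 0
        digits += "0"
    return bytes.fromhex(digits).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Collect /URI targets and action names from a PDF, including inside Flate streams."""
    chunks = [data]
    inflated = 0
    for m in STREAM_RE.finditer(data):
        try:
            # zlib ignores bytes trailing the deflate stream (the newline before 'endstream').
            chunks.append(zlib.decompress(m.group(1)))
            inflated += 1
        except zlib.error:
            continue  # image data, another filter, or not compressed at all
    blob = b"\n".join(chunks)
    uris = [_pdf_literal(m.group(1)) for m in URI_LITERAL_RE.finditer(blob)]
    uris += [_pdf_hex(m.group(1)) for m in URI_HEX_RE.finditer(blob)]
    actions: dict[str, int] = {}
    for m in ACTION_RE.finditer(blob):
        name = m.group(1).decode("ascii")
        actions[name] = actions.get(name, 0) + 1
    return {"uris": uris, "actions": actions, "inflated_streams": inflated}


def triage_reasons(result: dict) -> list[str]:
    """Human-readable reasons to look closer; an empty list means nothing stood out."""
    reasons = []
    if result["uris"]:
        reasons.append(f"{len(result['uris'])} external link(s): " + ", ".join(result["uris"]))
    for name in ("Launch", "JavaScript", "JS", "OpenAction", "AA", "SubmitForm", "GoToR", "EmbeddedFile"):
        if name in result["actions"]:
            reasons.append(f"/{name} present ({result['actions'][name]}x)")
    return reasons


# Constructed sample (not the Voicemail (1).pdf from the report): a one-page PDF with a
# full-page link annotation, an /OpenAction, and a second /URI hidden in a Flate stream.
_HIDDEN = zlib.compress(b"<< /S /URI /URI <687474703A2F2F612E6578616D706C652E696E76616C69642F> >>")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
    b"/A << /S /URI /URI (https://voicemail.example.invalid/listen) >> >> endobj\n"
    b"5 0 obj << /Length " + str(len(_HIDDEN)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _HIDDEN + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    report = scan_pdf(SAMPLE_PDF)
    for line in triage_reasons(report):
        print(line)
```

Compare the extracted URIs with the URL Reader handed to LaunchWinApp.exe in the process tree below; if they agree, the click-through is a plain link annotation rather than an exploit. The scan is a triage aid, not a parser: it misses strings in streams with other filters (/LZWDecode, /ASCIIHexDecode) and names written with #-escapes such as /U#52I, so a clean result still needs a full parser (pdf-parser or pypdf, for example) before the file is released.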
Signatures

Drops file in Windows directory 2 IoCs
Processes:
description: ioc [process]
File created: C:\Windows\rescache\_merged\3720402701\2219095117.pri [MicrosoftEdge.exe]
File opened for modification: C:\Windows\Debug\ESE.TXT [MicrosoftEdge.exe]

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reads are made by AcroRd32.exe itself, so they reflect the reader's own start-up behaviour; they would only point at the document if Reader had been exploited, and nothing else in this report indicates that.
Processes:
description: ioc [process]
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 [AcroRd32.exe]
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz [AcroRd32.exe]
Modifies Internet Explorer settings 1 IoCs
Processes:
description: ioc [process]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION [AcroRd32.exe]
Modifies registry class 28 IoCs
Processes:
description: ioc [process]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 [MicrosoftEdge.exe]
Set value (data): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a [MicrosoftEdge.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{6702B5D2-0028-48C0-81AB-956A3ED35DC0} = "0" [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif [MicrosoftEdge.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" [MicrosoftEdge.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" [MicrosoftEdge.exe]
Set value (str): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" [MicrosoftEdge.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore [MicrosoftEdge.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\MuiCache [AdobeCollabSync.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder [MicrosoftEdge.exe]
Set value (str): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" [MicrosoftEdge.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" [MicrosoftEdge.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic [MicrosoftEdge.exe]
Set value (str): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix [MicrosoftEdge.exe]
Key created: \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI [MicrosoftEdge.exe]
Set value (data): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a [MicrosoftEdge.exe]
Set value (int): \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" [MicrosoftEdge.exe]
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid process
4616 AcroRd32.exe (20 events)

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid process
4616 AcroRd32.exe

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid process
4616 AcroRd32.exe (4 events)

Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid process
4616 AcroRd32.exe (6 events)
3752 MicrosoftEdge.exe (1 event)

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description: process -> target process
PID 4616 wrote to memory of 3768: AcroRd32.exe -> AdobeCollabSync.exe (3 events)
PID 3768 wrote to memory of 4992: AdobeCollabSync.exe -> AdobeCollabSync.exe (3 events)
PID 4992 wrote to memory of 4120: AdobeCollabSync.exe -> FullTrustNotifier.exe (3 events)
PID 4616 wrote to memory of 3096: AcroRd32.exe -> RdrCEF.exe (3 events)
PID 3096 wrote to memory of 2192: RdrCEF.exe -> RdrCEF.exe (repeated)
PID 3096 wrote to memory of 788: RdrCEF.exe -> RdrCEF.exe (repeated)
The remaining 52 of the 64 listed events are all RdrCEF.exe (3096) writing into its own child RdrCEF.exe processes 2192 and 788, as a Chromium-based browser process does when it launches its GPU and renderer children.
Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  (PID 4616)
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Voicemail (1).pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe  (PID 3768)
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe  (PID 4992)
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3768
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe  (PID 4120)
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3096)
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 2192)
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE4261AD697EFA7B3C0DC53B6CD8D2BA --mojo-platform-channel-handle=1500 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 788)
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2F194197CC781ED28143F96E5D0E9582 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2F194197CC781ED28143F96E5D0E9582 --renderer-client-id=2 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job /prefetch:1
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3108)
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F143CAD1D0090A853A2B51F22E3BE898 --mojo-platform-channel-handle=2236 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3048)
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6CFBF610E515160B4E3217AB05AD2CB2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6CFBF610E515160B4E3217AB05AD2CB2 --renderer-client-id=5 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1464)
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6C2C974355D01931BAC17C9BFF697994 --mojo-platform-channel-handle=2596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 768)
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E4B5ADD5FEEFAB28C8F911BA9C657872 --mojo-platform-channel-handle=2740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    C:\Windows\SysWOW64\LaunchWinApp.exe  (PID 424)
        "C:\Windows\system32\LaunchWinApp.exe" "https://voicemail247central.com/"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe  (PID 3752)
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\browser_broker.exe  (PID 3588)
    C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 2492)
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 4584)
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 4424)
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
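What ties this tree together is the one child of AcroRd32.exe that is not an Adobe component: LaunchWinApp.exe, started with https://voicemail247central.com/. That is how a PDF link is honoured on Windows 10: Reader hands the URL to the shell, which activates the default browser. The browser (MicrosoftEdge.exe, PID 3752) therefore appears as a root process rather than under Reader, so a parent-child rule only reaches as far as LaunchWinApp.exe. The Python below is an added example, not the sandbox's own detection logic. It runs a Sysmon-style process-creation rule over records constructed to mirror this tree (the PIDs, images and command lines of Reader, its helpers, LaunchWinApp.exe and Edge are the report's; the parent PIDs 1234 and 900 of the two root processes are invented) and flags document readers that spawn a URL hand-off binary or a script host.

```python
import re
from urllib.parse import urlparse

# Document readers whose child processes deserve scrutiny (lower-case image names).
READERS = {"acrord32.exe", "acrobat.exe", "rdrcef.exe", "foxitreader.exe",
           "winword.exe", "excel.exe", "powerpnt.exe"}
# Binaries Windows uses to hand a URL to the default browser: benign on their own,
# but a reader spawning one with a URL means the document carried the link.
URL_LAUNCHERS = {"launchwinapp.exe", "explorer.exe", "rundll32.exe"}
# Script and LOLBin hosts a reader should never need.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: dict, by_pid: dict) -> str:
    """Walk ppid links upward; stops at the first PID not in the event set or at a loop."""
    chain, seen = [], set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])
        chain.append(image_name(event["image"]))
        event = by_pid.get(event["ppid"])
    return " <- ".join(chain)


def detect_reader_handoffs(events: list[dict]) -> list[dict]:
    """Flag children of document readers that launch URLs or script hosts."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or image_name(parent["image"]) not in READERS:
            continue
        child = image_name(e["image"])
        urls = URL_RE.findall(e["cmdline"])
        if child in URL_LAUNCHERS and urls:
            kind = "url_handoff"
        elif child in SCRIPT_HOSTS:
            kind = "script_host"
        else:
            continue  # AdobeCollabSync, RdrCEF and friends are normal Reader children
        alerts.append({
            "kind": kind,
            "parent": f'{parent["image"]} ({parent["pid"]})',
            "child": f'{e["image"]} ({e["pid"]})',
            "urls": urls,
            "domains": sorted({h for h in (urlparse(u).hostname for u in urls) if h}),
            "chain": ancestry(e, by_pid),
        })
    return alerts


# Constructed Sysmon-style (Event ID 1) records modelled on the report's process tree.
# Images, PIDs and command lines are the report's; the parent PIDs 1234 and 900 of the
# two root processes are invented because the report does not show them.
_RDR = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"
SAMPLE_EVENTS = [
    {"pid": 4616, "ppid": 1234, "image": _RDR + r"\AcroRd32.exe",
     "cmdline": f'"{_RDR}\\AcroRd32.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\Voicemail (1).pdf"'},
    {"pid": 3768, "ppid": 4616, "image": _RDR + r"\AdobeCollabSync.exe",
     "cmdline": f'"{_RDR}\\AdobeCollabSync.exe" -c'},
    {"pid": 3096, "ppid": 4616, "image": _RDR + r"\AcroCEF\RdrCEF.exe",
     "cmdline": f'"{_RDR}\\AcroCEF\\RdrCEF.exe" --backgroundcolor=16514043'},
    {"pid": 424, "ppid": 4616, "image": r"C:\Windows\SysWOW64\LaunchWinApp.exe",
     "cmdline": r'"C:\Windows\system32\LaunchWinApp.exe" "https://voicemail247central.com/"'},
    {"pid": 3752, "ppid": 900,
     "image": r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe",
     "cmdline": r'"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" '
                r"-ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca"},
]

if __name__ == "__main__":
    for a in detect_reader_handoffs(SAMPLE_EVENTS):
        print(f'[{a["kind"]}] {a["chain"]} -> {", ".join(a["domains"])}')
```

The rule deliberately lets AdobeCollabSync.exe, RdrCEF.exe and FullTrustNotifier.exe through: those are Reader's normal helpers and alerting on them only produces noise. To follow the click past LaunchWinApp.exe, pivot on the extracted domain in DNS or proxy telemetry around the event time rather than on process lineage, since the browser that rendered the page is not Reader's descendant.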
Downloads

Filesize: 56KB
MD5: 752a1f26b18748311b691c7d8fc20633
SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Filesize: 64KB
MD5: 92c363ed98e9f861490fda5c416ba73c
SHA1: 7da97a1349cbe31245e7e8e17e5c96fa1317eae7
SHA256: 892ed9d6bfa7754444c0b728814e1095f8e8db8b44ed72dadb744afeba7931e6
SHA512: 3ebdda7668f54e3aa3b7e326a9122aebb7f7ca1e61c66b3bea19d8b540a787306c9f4327d56d8a5ddc69dfc69e5ff03e52e965132042ea246b0cc5b0342e0d28

Filesize: 92KB
MD5: aebe0d2eb7a2077a55e57a955e62406a
SHA1: 3f811b8148f12220f4b45699135e6d21c9847d8a
SHA256: 87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a
SHA512: efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Filesize: 92KB
MD5: 8ea85d649407312a8dce327ce513006f
SHA1: 9973fd15393421356006032bc669468c3b0512e6
SHA256: 0153d11c846f4dbc522fed70b95c421728e85180fae0cf26e5d75cd2ebfea3df
SHA512: 378b90cbff9c04a2d97a435bfde94c4d15a70b14916b19a95da1401674e40818d7f917f7cc6b6f10f0c65c2283ea6296bc4c08ba4f24438ad33fc859d8431d34

Filesize: 92KB
MD5: d44b8bb248cf57af3145a9b8aed89199
SHA1: 9d56340ca9ebb06fefc393e4a35db4f8c344df3a
SHA256: c1b62e18e7d2ea738e76ba273cd00262720a1a921e8cf267e113eba94d192239
SHA512: 377a9f7ec594eecd49a90a4c458770fee1f47dae24f8bea139f405c9a2ed4bb6353ae181270925a0dead392ed8ae1a0d150799a6e1a7e525c1df96659abcdef6

Filesize: 92KB
MD5: 245950c48f668cf2fcb3c64778e64089
SHA1: 3a5a14c820f58e35a3fc6f5de29669f0840587d8
SHA256: a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307
SHA512: 4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Filesize: 3.5MB
MD5: 17b8abba81aa32dc79778a6305717ac0
SHA1: e661e0d2247fd7333bd49391b5d66194e845cc2d
SHA256: a0c4a82ac8f55627773a23f421a50a033ece9bc8898fa1d4d5b29a8563dba12b
SHA512: df9381f37f77922aee95e18271ae15fb3c1b46146311a593c10c7113ee5dc3c4ecea2fafee0d466e8d352255f80e0baded36ca4c769d780cbf4f1ca086f1d354

Filesize: 4KB
MD5: 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1: 719c37c320f518ac168c86723724891950911cea
SHA256: 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512: 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize: 471B
MD5: 4b38e0e0da3abefefc07e667f95ce50b
SHA1: 384ccef46a2a1d8146a932edb619ae7cf034ed6e
SHA256: 145f1c0d6d4cf854c974b0e9d9a84e9a4763ca50dec97f903cb360c595b99510
SHA512: 818e58d1c4b1b2b3d4e92c84a9171a2ebc1a30a4c507d15b52b97ccd596de39ff6aeba87cfaab8848f0f4dbbc6db4fee4dc282d780a0950d4030bfc8b549789c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize: 338B
MD5: 18a59a60ffb247c2bf17379851036a5d
SHA1: 852b04846083aa3df483ce622d2b0c5dfe21be42
SHA256: 3e5579ea04e3bc683aadab7f04251f762ab923eb605a733515bf7b0f3313485a
SHA512: b612541ea4702200b81d9aad566f4200ca64d4fd727ded92c0fedddb8e2188c6b2d047651fef3c6e8a5f37cb3cac41d72880fa3c9bcf4b9d1a6cc2bd94025655

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize: 400B
MD5: 7e265d1c11a54b73c3347fd2e2e575f4
SHA1: c8c26c95762a0ee8e2e60dade247fcf87b0644c6
SHA256: 947e2ac8666182517b8d2bb4e975a23e91273a6a622cc3a7e9d117fe05cb2a94
SHA512: cacd8457cba3ff0b4eb3d3d5c0ee84a723051e319eac78942b93c6f1858fbac5feb12a102dfccadcf9d60fc707d4ce5ca57852784a106facdaba1ccd33f7e489

Filesize: 12KB
MD5: 4fa881662206943c7816d3e72b2a2e09
SHA1: fc9510407aafb0fc6117e5dfccc0486381c9f87b
SHA256: 17815f30796fa107d3854f81a3fca3874f77e45fa1d94b12279d33385a1cb466
SHA512: a13ebd78beb17d280ee21eb8401e274e3044c60792ebdfab3511ad4640f441d6f2e877539564a54ecf43400d695b0432ca0c51c5c52a52141d4f4fbbc4628c49

Filesize: 5.2MB
MD5: 141f3b448cc8d3054ccdad1334616583
SHA1: 0e48b93c00c7c83f36782aaa0b9b902a2e03d935
SHA256: e37ac866c10edfceae178fb0c41757142ba2a6ccaa19a7749f2cc6b243491b95
SHA512: 077d467dca91a9603c481e0183f45c7f87e354a4d8ca5847e5120c952ff6e2665ded9bfc68090916c942b8ed4044067016dd1c75b89bbb45e7e0b6ec3ccd9a78

Filesize: 14KB
MD5: 947f93fe0eed44767626846f28cfde05
SHA1: f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88
SHA256: 06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b
SHA512: f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9