hxxps://s3[.]ap-southeast-2[.]amazonaws[.]com/cdn[.]fxdms[.]com/Telexcopy[.]pdf[.]jar

Resubmissions

27/03/2024, 07:18

240327-h48nyaac7x 7

27/03/2024, 07:09

240327-hywgesfb49 7

Analysis

max time kernel
235s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 07:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://s3.ap-southeast-2.amazonaws.com/cdn.fxdms.com/Telexcopy.pdf.jar

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6024	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133559975345368719"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4636	chrome.exe
4636	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4636	chrome.exe
4636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5496	AcroRd32.exe
5496	AcroRd32.exe
5496	AcroRd32.exe
5496	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2620	4636	chrome.exe	95
PID 4636 wrote to memory of 2620	4636	chrome.exe	95
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1676	4636	chrome.exe	97
PID 4636 wrote to memory of 1952	4636	chrome.exe	98
PID 4636 wrote to memory of 1952	4636	chrome.exe	98
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99
PID 4636 wrote to memory of 1084	4636	chrome.exe	99

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://s3.ap-southeast-2.amazonaws.com/cdn.fxdms.com/Telexcopy.pdf.jar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa5729758,0x7fffa5729768,0x7fffa5729778
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:2
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4648 --field-trial-handle=1776,i,1731285635586765975,2549613537502773025,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4396

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Telexcopy.pdf.jar"
1⤵
PID:5620
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3964 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:5596

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Telexcopy.pdf.jar"
1⤵
- Drops file in Program Files directory
PID:6008

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7633d7aead5048a8a5ecddc9e25ca1c7 /t 208 /p 3240
1⤵
PID:3764

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Telexcopy.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5496
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:6080
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B99D161DD64CF867C3FA515B1C0B492C --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5988
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=60A84BED6B606B51BD03C3DA6B310939 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=60A84BED6B606B51BD03C3DA6B310939 --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:6084
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
4416057c129eefcaadc63edf18ad86ae

SHA1
3b676fe4abe85800fc409e5748bcfc8a7c30b0ea

SHA256
ba15bd98b7193d62afa8116b2141d419804d30f77028f61b712b08cca362b6a9

SHA512
0416e6bfede9acfc70cb75ce5cb8d26b4dc9c12ae1ec0a7cd1a1a0e25b72c918da58fad1e9b7f906f43ad3fc175e8e9d189e79a2e7edec7d459d1d959d074159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
906dbaffcf574496a0428db2bb1c7848

SHA1
03a3be58b33abcf3cdb2a2377934f809a99fe7ba

SHA256
e476c0580157af37be78572e7c42fa9c56797e7b52de40bda7c59ebdbf4a2938

SHA512
4737666888d06895163b7c088d3a7f90e36d067f5c7aa593a140120cbfb2036428a7c2a710df79248227da5ae0236897165661195474744ef47a240728b04026

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
17c770cf636563b4f9b394ac4e4ceeea

SHA1
494ec53b469d3519dd91e8a41498a6540a347b6b

SHA256
bc2ac1d1cde7b3e1bb04687a10acaf98934d745cb22a75ff361ede5f6a9450c0

SHA512
63b4b196f8b25d2fbe34a4d26daea6dcae98e0b57879d01e4aba78971262ef5fe02ca8c1ae01493bb379af7bd421d5d5675c925d4ee5f0955a77ae5a2dadb0a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7b570e5381782d0349933200b4d6a98e

SHA1
95df15c2c293820606535530b296d31a8e876592

SHA256
ef8aa39988a951c595e32121bc8e0c2d6c7774fc99db72275d4d0f2eefe6e3fc

SHA512
c9b029e4ec48998e20da490c625b28f5f0feb110eed9d58cb86b4a6fe9f282576b0875e9bbf4581114040efe9648929198d1872765b336eee13a7456949e3501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2af6f89085a99ecfbafe50751aa9516b

SHA1
813994a2e7a900967b4497ff211acb57bd780223

SHA256
e75c18ec2b0fd4dc0c08d4d346e60e187edf95517666959a0302c927b48d7847

SHA512
97098a3f80145d86664b4da8ac460d0234dc1961dfebc38f306672e7d3b55fffd5449fdb2e61337f1acebdfe6ef4d7ffc7ba42daec48ae362c01f35d5979c084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1d0ee9fe9dc219e1a05e233b035d1ea4

SHA1
0739793b1721d8d99e3b01f0a89ced25fbe513ee

SHA256
8f2ba322760e1f650c2b639724ab81c39c02d5b4a811eb1706b667e6e28604c0

SHA512
059707b762ae0c1e8e62ff921571b09c72b2c70d8c88016708b98a9579367e691ad19b2ba35805d32941024ac2e9e6ab2b95a757512d9e2c2aabbbdf7b2a3da2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
dc9b2e3f8ff10556ea70396f2cb0fb3e

SHA1
089f93948bd68addc979d5cad2bc792f430a3159

SHA256
2086cfbd902b613b43837077391babd706cbb4f5f4c8f855d46ff01f3b704305

SHA512
246e41f9db23bc6526fe1c582e6ea4f2eec0321ea07a3dd7d51b1b7f992b5ab7881bf83624aa35e07ba59469f020d75a3dfbcd9e02fbdbd2f7c4a4e7b3149902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Telexcopy.pdf.jar

Filesize
395KB

MD5
81e621517a407ae36da0a767b960c88c

SHA1
421f3489d10b803e2dd64d0b47ce619da2da448a

SHA256
ca438598c383fab834c5e52369032e30c657f8f70cbb095f181ea7779d34bba1

SHA512
cd0510723447c5ace63f4ec9eb1aa0aa7d9d56b70f08b16c92c71b9825351122e59c1b5173e1e7288f59a8d732be122e90be397521f80e71328d743ad172788c

Download Submit
memory/5620-139-0x00000194002A0000-0x00000194002B0000-memory.dmp

Filesize
64KB

Download
memory/5620-149-0x00000194002E0000-0x00000194002F0000-memory.dmp

Filesize
64KB

Download
memory/5620-87-0x0000019400000000-0x0000019401000000-memory.dmp

Filesize
16.0MB

Download
memory/5620-107-0x0000019400000000-0x0000019401000000-memory.dmp

Filesize
16.0MB

Download
memory/5620-78-0x0000019400000000-0x0000019401000000-memory.dmp

Filesize
16.0MB

Download
memory/5620-62-0x000001946F740000-0x000001946F741000-memory.dmp

Filesize
4KB

Download
memory/5620-176-0x0000019400000000-0x0000019401000000-memory.dmp

Filesize
16.0MB

Download
memory/5620-137-0x0000019400280000-0x0000019400290000-memory.dmp

Filesize
64KB

Download
memory/5620-138-0x0000019400000000-0x0000019401000000-memory.dmp

Filesize
16.0MB

Download
memory/5620-140-0x00000194002F0000-0x0000019400300000-memory.dmp

Filesize
64KB

Download
memory/5620-51-0x0000019400000000-0x0000019401000000-memory.dmp

Filesize
16.0MB

Download
memory/5620-142-0x0000019400310000-0x0000019400320000-memory.dmp

Filesize
64KB

Download
memory/5620-144-0x0000019400370000-0x0000019400380000-memory.dmp

Filesize
64KB

Download
memory/5620-143-0x0000019400350000-0x0000019400360000-memory.dmp

Filesize
64KB

Download
memory/5620-148-0x00000194002D0000-0x00000194002E0000-memory.dmp

Filesize
64KB

Download
memory/5620-89-0x000001946F740000-0x000001946F741000-memory.dmp

Filesize
4KB

Download
memory/5620-150-0x0000019400300000-0x0000019400310000-memory.dmp

Filesize
64KB

Download
memory/5620-155-0x0000019400330000-0x0000019400340000-memory.dmp

Filesize
64KB

Download
memory/5620-154-0x0000019400320000-0x0000019400330000-memory.dmp

Filesize
64KB

Download
memory/5620-157-0x0000019400340000-0x0000019400350000-memory.dmp

Filesize
64KB

Download
memory/5620-158-0x0000019400360000-0x0000019400370000-memory.dmp

Filesize
64KB

Download
memory/5620-159-0x0000019400380000-0x0000019400390000-memory.dmp

Filesize
64KB

Download
memory/6008-163-0x000001CDEB080000-0x000001CDEC080000-memory.dmp

Filesize
16.0MB

Download
memory/6008-172-0x000001CDEB310000-0x000001CDEB320000-memory.dmp

Filesize
64KB

Download
memory/6008-170-0x000001CDEB2F0000-0x000001CDEB300000-memory.dmp

Filesize
64KB

Download
memory/6008-171-0x000001CDEB300000-0x000001CDEB310000-memory.dmp

Filesize
64KB

Download
memory/6008-173-0x000001CDEB330000-0x000001CDEB340000-memory.dmp

Filesize
64KB

Download
memory/6008-174-0x000001CDEB340000-0x000001CDEB350000-memory.dmp

Filesize
64KB

Download
memory/6008-175-0x000001CDEB080000-0x000001CDEC080000-memory.dmp

Filesize
16.0MB

Download
memory/6008-135-0x000001CDEB060000-0x000001CDEB061000-memory.dmp

Filesize
4KB

Download
memory/6008-177-0x000001CDEB080000-0x000001CDEC080000-memory.dmp

Filesize
16.0MB

Download