Malware Analysis Report

2024-12-07 22:33

Sample ID 240411-aw7snsae6s
Target 16520114153.zip
SHA256 2e392a0fddd485b24600022bd5a5b99aa50d4104f7947afcd766f3627e06fc62
Tags
remcos remotehost rat pdf evasion
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral6
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral5
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

2e392a0fddd485b24600022bd5a5b99aa50d4104f7947afcd766f3627e06fc62

Threat Level: Known bad

The file 16520114153.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat pdf evasion

Remcos

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Malformed or missing cross-reference table in PDF

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-11 00:36

Signatures

Malformed or missing cross-reference table in PDF

pdf evasion

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral6

Detonation Overview

Submitted 2024-04-11 00:34
Reported 2024-04-11 00:46
Platform win10v2004-20240226-en
Max time kernel 599s
Max time network 594s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4276 wrote to memory of 3316 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4276 wrote to memory of 3316 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4276 wrote to memory of 3316 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3316 wrote to memory of 5020 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3316 wrote to memory of 5020 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3316 wrote to memory of 5020 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3316 wrote to memory of 5020 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3316 wrote to memory of 5020 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 5020 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 5020 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 5020 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 2620 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3208 wrote to memory of 1360 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 1360 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 1360 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3208 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3848 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Windows\SysWOW64\WScript.exe
PID 3848 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Windows\SysWOW64\WScript.exe
PID 3848 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Windows\SysWOW64\WScript.exe
PID 3200 wrote to memory of 3736 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3200 wrote to memory of 3736 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3200 wrote to memory of 3736 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 2084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 2084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2084 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2084 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2084 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2084 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2084 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2084 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2084 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\g2m.dll

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps1

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps1

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp
RS | 45.89.55.130:4047 | clepdhunt.duckdns.org | tcp
RS | 45.89.55.130:4047 | clepdhunt.duckdns.org | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 130.55.89.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | textbin.net | udp
US | 148.72.177.212:443 | textbin.net | tcp
US | 8.8.8.8:53 | 212.177.72.148.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
RS | 45.89.55.130:4047 | clepdhunt.duckdns.org | tcp
RS | 45.89.55.130:4047 | clepdhunt.duckdns.org | tcp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 148.72.177.212:443 | textbin.net | tcp
US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 193.98.74.40.in-addr.arpa | udp
NL | 52.142.223.178:80 |  | tcp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp

Files

memory/3316-1-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/3316-2-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/5020-3-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-4-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-5-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/3316-7-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/5020-8-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-9-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-10-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-11-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-12-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-13-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-14-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-18-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-17-0x0000000000A70000-0x0000000000AF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs

MD5 23d7b25f8233971afe7801edb6615eaa
SHA1 dd3e2f1fecc1d18af047045dcba2a73359b7019f
SHA256 ecac17cda633793bbe91741f4e8ec371000d82ba9cfeab0ee79c9a84d9a0a62c
SHA512 090e4e3bb0cfdbda4f40c3ab76d3d11cb95c26e2069a4a05628875eb794f1b48904d353865c51b68c93b9c57d497abcb2a0f837e6611d3fc955511685cc0f3f1

memory/5020-23-0x0000000000A70000-0x0000000000AF2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FPBMA.vbs

MD5 08573053b297406719cdb275f62815c8
SHA1 0d82ae88fc747cfacd3a7fd80cb52d9e7f0eaa2f
SHA256 b89ba728b322bff609cc24052896f31c11091a82296e0351769543437b0788bb
SHA512 6feb1b5a0fee7f3e5d1fb2c76a8a4565e6d6f5441e2e156fbd88ef5324c823a95b2e767f8e2948e899793ba3edcc438f9afdc03fdca8dddb3d7a6537f621505d

C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd

MD5 190bb5d0398a86cffba0566aad524749
SHA1 cfb0913a6a8ca4404fc94f0875a3e1b7ae222d60
SHA256 bf6b4681cb1ea2e7d4e4571a7f80c3a50c8788618cf6437616aefa93b491423b
SHA512 d4be5e0fff7f05ad1730908181e8e1889772a03ae72d5c691bdfa4bab584c1e3dd62124b59222c110d74f3884d73bfdeaf316618a3be05a6ffde4fc3ccefbdaf

memory/3208-49-0x0000000002E10000-0x0000000002E46000-memory.dmp

memory/3208-51-0x0000000003310000-0x0000000003320000-memory.dmp

memory/3208-50-0x0000000072CA0000-0x0000000073450000-memory.dmp

memory/3208-52-0x0000000003310000-0x0000000003320000-memory.dmp

memory/3208-53-0x0000000005980000-0x0000000005FA8000-memory.dmp

memory/3208-54-0x0000000005870000-0x0000000005892000-memory.dmp

memory/3208-55-0x0000000006060000-0x00000000060C6000-memory.dmp

memory/3208-56-0x00000000060D0000-0x0000000006136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etej0ey4.xc2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3208-66-0x0000000006330000-0x0000000006684000-memory.dmp

memory/3208-67-0x0000000006710000-0x000000000672E000-memory.dmp

memory/3208-68-0x0000000006740000-0x000000000678C000-memory.dmp

C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps1

MD5 a77c5e1a90d97c8c16ff8748fc668b3c
SHA1 611679d8a5e1e5bcaf5cdf3148947f0aa0650af8
SHA256 9dadb75e08649354b0e891ed8c3a0fb0cc515dbcc79c38f8da0abacd016cbae1
SHA512 90669e3a22af8603d754d6bd52c9065e190126e98d41f52a4d729a29afe09e2e4559256a87f3d3715c55087e4c2e61e50ad3f2f314624ff64b83072aa1582bab

memory/3208-71-0x0000000006C60000-0x0000000006C7A000-memory.dmp

memory/3208-70-0x0000000007F40000-0x00000000085BA000-memory.dmp

memory/3208-72-0x0000000007970000-0x0000000007A06000-memory.dmp

memory/3208-73-0x00000000078D0000-0x00000000078F2000-memory.dmp

memory/3208-74-0x0000000008B70000-0x0000000009114000-memory.dmp

memory/3208-76-0x00000000014E0000-0x00000000014F0000-memory.dmp

memory/3208-77-0x0000000007BB0000-0x0000000007C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/3848-81-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-83-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-88-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3760-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3760-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3760-95-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3208-97-0x0000000072CA0000-0x0000000073450000-memory.dmp

memory/3848-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5020-109-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/3848-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5020-111-0x0000000000A70000-0x0000000000AF2000-memory.dmp

C:\Users\Admin\Start Menu\Programs\Startup\WindowsServices-QCEFU.lnk

MD5 ba94bb345c24a99c07babfcd399f1e06
SHA1 b32601d93fccb9d1254b32f30ba3603abc6b9b3e
SHA256 45b60007f0a3217739ea128330dd5838ef88d34de0135ccf228fd1714dc6823e
SHA512 0d61439cf183e66c67e1a854ffea80e120952990e1fd65b48592dd4e2ace5d7a2e8e4d11e26ca3322361498a4166e925696355155b93356bcc8b2db6f1b06992

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 18476bf2c6a14941d249c0bfbe2049bc
SHA1 9a35a7b51bcafcb8a3ccfa90e5c3dddffcc37041
SHA256 a9a13a561eb86d6962774d4164c422319b4b099bac6987f7c79e33edf86f8339
SHA512 9e8adca58b8a57cb1e16bc121394158d583c369b9bca87353392ed45acad4832721afcfcda7ad7f66b434cb2104bde1dd97b88d3de6a93e716a794aa6d58ba83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFF36071456820AC60FD568DDF18F256

MD5 5d3fff1b9b0b50c2d1b978b5e26fe28d
SHA1 8c382cb42267ee979a412bc0a950e67b91822fc3
SHA256 02a302fb8ae7cdd340de1726f1e89bd67b012dc311e7f1e555be28bdae3f3ca7
SHA512 3848ba48b10eeee832fe18d3d8a5645ccbf0ce294e05fbcdacae19285a12524d1c246fbce6507345a987f5998ab6361169aa4f0977afbc5c57249c9a350f101c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFF36071456820AC60FD568DDF18F256

MD5 c25cc2154d0638dcfb9196cdbad6488a
SHA1 b85b53141e99a7573c4b4226b129959727b86ebe
SHA256 0fae37c9933ef1f05283ad41bad93e56f54786248bc00ab271e3bc7032b4bcfc
SHA512 3664639ce3646df3c46842be34545de87a6f8ae8d1304a72d85fd719974321cb375458ec0d9a9bcf060700403067bcc4f7b48495bab416b920a496399a5c12e6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e3d77fe9c961841ae8c7c3ed37d6b1e6
SHA1 44f16e0827eb01c293bcc1fe1e5f19bd9ecc3058
SHA256 df4d0c62c8152b380b58341f3236b73a45303b5b36c57f0cee26203d1f75cd21
SHA512 147dc8bd8e3e8a75577bc1323c61314f218195c3faf8b2e9e10e7c2ebe13608df778a54e23f463013710d8b4edc1ca60325893d77be55485c6597431089515f0

memory/2084-139-0x0000000072CA0000-0x0000000073450000-memory.dmp

memory/3848-141-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2084-140-0x00000000045E0000-0x00000000045F0000-memory.dmp

memory/2084-142-0x00000000045E0000-0x00000000045F0000-memory.dmp

memory/2084-152-0x0000000005580000-0x00000000058D4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4251795e1752134065dccf1c1029241f
SHA1 025d125fd2927c746c3f72497957c7de7c7aa2c1
SHA256 cbdf5ced4620e16e5ff8b5d927bf58a45c1c6b7b8bf1254791b2503223798da0
SHA512 d7befa0fe6c5429ac46ec168e732b60de3d1b3ef30a878fc1e5fa9665c208f8614b8199f93f97dbb7147243df88d54dd73f87a1ad93cb6b113358a4355e4822b

memory/3760-155-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-164-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-166-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-168-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-165-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-163-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-161-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2084-169-0x0000000072CA0000-0x0000000073450000-memory.dmp

memory/5020-170-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-171-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/3848-172-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-173-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5020-174-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-176-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-178-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-179-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/3848-180-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-181-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5020-182-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/3848-183-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3848-185-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5020-184-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-186-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/3848-187-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5020-188-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/3848-189-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5020-190-0x0000000000A70000-0x0000000000AF2000-memory.dmp

memory/5020-191-0x0000000000A70000-0x0000000000AF2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-11 00:34
Reported 2024-04-11 00:46
Platform win7-20231129-en
Max time kernel 360s
Max time network 365s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1099Misc.pdf"

Signatures

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1099Misc.pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ae8d827f8fe5081d95533baa7a68ca5e
SHA1 1b8ab096c26eff31f2a72204e03e164b609fa979
SHA256 33ae40aa9d0c699cd775d5c0d22049e7c8ad78fe65845663a6e3145d8476943a
SHA512 56b68cb2c44c807064caf6b028624fafd3c6bb1185c84468940b91523691f05373e1f46d8ddff73cd98bbf3f64c9651b9fedbf716b55064732d3741e710294a8

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-11 00:34
Reported 2024-04-11 00:46
Platform win10v2004-20240226-en
Max time kernel 591s
Max time network 574s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1099Misc.pdf"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 3832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1704 wrote to memory of 3832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1704 wrote to memory of 3832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3832 wrote to memory of 2008 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3832 wrote to memory of 2008 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3832 wrote to memory of 2008 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3832 wrote to memory of 1952 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1099Misc.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4D4BE001D2DDBCFF51FCBDA0B1AEF20C --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9E0E9EAAE4413A9C691F5A71304B8B50 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9E0E9EAAE4413A9C691F5A71304B8B50 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F168A80BE7875C8E51370F805422541 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D3C54EE156224F740AB60C8E9200393F --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A38749AC1C5D7B07CB2497FF6A3669D3 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A19282E0B057A573B904934E6F1B2D0F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A19282E0B057A573B904934E6F1B2D0F --renderer-client-id=7 --mojo-platform-channel-handle=2404 --allow-no-sandbox-job /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 152.172.246.72.in-addr.arpa udp
US 8.8.8.8:53 133.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 ff1fb05a07408017338f209ceb1ebe45
SHA1 ff473d30b61e2b769a055ff81be8017d9c4a0f5d
SHA256 e15eb7fefc3daa6a61009879ed31beb6383f8593667fe0dd5508227adec89bba
SHA512 4be222cc3063c75c61a01016505c36a126c063d5c259ad32b73b8dcf758c8efb529f30abd7c1fc85dffc36613fbd27a3d71658d3537bcf9750acf594596861a8

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-11 00:34

Reported

2024-04-11 00:47

Platform

win7-20240319-en

Max time kernel

601s

Max time network

604s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe

"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"

C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe

"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 clepdhunt.duckdns.org udp
US 52.161.137.125:4047 clepdhunt.duckdns.org tcp

Files


Analysis: behavioral4

Detonation Overview

Submitted

2024-04-11 00:34

Reported

2024-04-11 00:48

Platform

win10v2004-20240226-en

Max time kernel

602s

Max time network

615s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe

"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"

C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe

"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 clepdhunt.duckdns.org udp
US 52.161.137.125:4047 clepdhunt.duckdns.org tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 udp

Files


Analysis: behavioral5

Detonation Overview

Submitted

2024-04-11 00:34

Reported

2024-04-11 00:46

Platform

win7-20231129-en

Max time kernel

359s

Max time network

363s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\g2m.dll

Network

N/A

Files

memory/2332-0-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/2332-1-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/2332-2-0x0000000010000000-0x0000000012DB3000-memory.dmp