87904f0d8a76ca68a802faa3987df9490b8bd213937c9028afe6089f036a864c

Analysis

max time kernel
150s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FFbd.dll
Size

10KB
MD5

ff70a29ec9361ec5c5107788dfa3fcb3
SHA1

3a8206eba21c66c2955f970dbb8ceac36dbab917
SHA256

87904f0d8a76ca68a802faa3987df9490b8bd213937c9028afe6089f036a864c
SHA512

3b8b43f54332027a7dd56283a13dd998793a9ca2b32df6d128708e813b01d02ceccf77c4ad23449ad62b0bd5d5aa4fe7123afee6c1aba74d5b86a78833e6a1ee
SSDEEP

192:OECWJBPHhqt33bXvFQWyjOvp/C2j3WzMVft4L:O0hwt3btsj4p/rj3WCfu

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	768	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	rkn.exe

Executes dropped EXE 3 IoCs

pid	Process
4836	rkn.exe
224	apt66ext.exe
2412	staged_out.exe

Loads dropped DLL 64 IoCs

pid	Process
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe
2412	staged_out.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	rkn.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	2412	staged_out.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3080	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 768	3288	rundll32.exe	79
PID 3288 wrote to memory of 768	3288	rundll32.exe	79
PID 3288 wrote to memory of 768	3288	rundll32.exe	79
PID 768 wrote to memory of 4836	768	rundll32.exe	83
PID 768 wrote to memory of 4836	768	rundll32.exe	83
PID 768 wrote to memory of 4836	768	rundll32.exe	83
PID 4836 wrote to memory of 3080	4836	rkn.exe	84
PID 4836 wrote to memory of 3080	4836	rkn.exe	84
PID 4836 wrote to memory of 3080	4836	rkn.exe	84
PID 4836 wrote to memory of 224	4836	rkn.exe	85
PID 4836 wrote to memory of 224	4836	rkn.exe	85
PID 224 wrote to memory of 2412	224	apt66ext.exe	87
PID 224 wrote to memory of 2412	224	apt66ext.exe	87
PID 3080 wrote to memory of 4228	3080	AcroRd32.exe	88
PID 3080 wrote to memory of 4228	3080	AcroRd32.exe	88
PID 3080 wrote to memory of 4228	3080	AcroRd32.exe	88
PID 3080 wrote to memory of 4088	3080	AcroRd32.exe	89
PID 3080 wrote to memory of 4088	3080	AcroRd32.exe	89
PID 3080 wrote to memory of 4088	3080	AcroRd32.exe	89
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 4208	4228	RdrCEF.exe	90
PID 4228 wrote to memory of 824	4228	RdrCEF.exe	91
PID 4228 wrote to memory of 824	4228	RdrCEF.exe	91
PID 4228 wrote to memory of 824	4228	RdrCEF.exe	91
PID 4228 wrote to memory of 824	4228	RdrCEF.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\FFbd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\FFbd.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\rkn.exe
    "C:\Users\Admin\AppData\Local\Temp\rkn.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\unity.pdf"
      4⤵
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B78207A3D18A2A1D11DBE5666DCB2BF4 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4208
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A7B5345914BDB1166054FDCC67F370BF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A7B5345914BDB1166054FDCC67F370BF --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:824
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F0DB78EAA6DE62ACFC96CC791D25C453 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F0DB78EAA6DE62ACFC96CC791D25C453 --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:1868
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=50DD1D6009D28D0E8519E8794BE0C771 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:1560
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=53E06DB35D2A3BFDFEAE1FD31B2C76F5 --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:1624
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=25DF374A9F648D18E399DB3FF18F83FD --mojo-platform-channel-handle=1928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4616
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        
        PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\apt66ext.exe
      "C:\Users\Admin\AppData\Local\Temp\apt66ext.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\staged_out.exe
        
        "C:\Users\Admin\AppData\Local\Temp\apt66ext.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a814efba85e3bc527eb6e1ba256b3ae1

SHA1
f432e11ab60b21a4355fdd3fc8bc0d89fc1694b6

SHA256
334e915486a9d5c0b94a2ff5dd15d72c072eab43e0be101e25ff34a9bdf57a6c

SHA512
eb07c818aa6f5dc7e379336c5ec151abf2a78ddd67df9902b8fcf31f2cc35614d0592f3b86410d0ccc080a125b71c3c7539039ff3667bfa549f2cd455c663e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\SDL2.dll

Filesize
2.1MB

MD5
2f4a57e7a4ff7f6ee01bb07d77d89ebc

SHA1
a03de0dfd9c94170559097c5d15ef10e1e1ad8c7

SHA256
f34cd90b131ceb45b7f32d41680a13fd4b13e5f48f0d1649cbf441833105310c

SHA512
4633e946f6cbea72b3dd4280be44279565ed50c36ddd5cef1498975a3fbda51fd4ee5a6f54c2d249520af3b8f4161daa890c90dc831678b2b6c4bb1a969e91fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pygame\constants.pyd

Filesize
48KB

MD5
a04ff6997a13de095ba1c3cf4dd9103e

SHA1
f7f9ca2c202162774fe86f93b09acd2ebf2f5601

SHA256
0449fc696397091d4ab7119a4f40a118c022c6f0736a3ba79dd896a7111e7a7b

SHA512
4e0af59dc1b0d758a7a810d37854522b0b219e425a48690451320f4d60b3ad5a71817b2874b368d252ec9fa107d9d32b78342707d0f3858a9ee79b2181008828

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pygame\draw.pyd

Filesize
47KB

MD5
6c3aad01782cfb0a31a752e40f2010c8

SHA1
fa72b534991202c7aa17fab4b7a13cd7a0d07c65

SHA256
33e7e6ece451c0762d174e843aef5b05147ec09dff6684eaa7801c0ee86831b6

SHA512
7d6fca733d18ce6bf1bdcbaedcfd3f34376644a63ca0b29eadece7cd428d50f0699696a049ae0d5aa0310b9e566ca0e6eacf6be33bec4eb0aa32ec1a52117646

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pygame\pixelcopy.pyd

Filesize
25KB

MD5
49477e3298a73eca10dfd1f48aae8758

SHA1
501f2d4ebef4200a637504478787d3bb5007a08d

SHA256
f933c41e923d885d2af0368960db3b814eb15ccc3dc9560e8796d4292cdefe25

SHA512
34ef9aea9d5e571a4a96bbc47074ea2e612ffaa74be0d1c661174854a58f740e1c9a77e6a57831a7e3dfd6bc01ea6412f21de6f934a417e6cd8c944d705c523e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pygame\rect.pyd

Filesize
36KB

MD5
002124478cd478c6492c3eeb4e3d598c

SHA1
0729e154ba55a45b02393b8ee3cd1e287b721ddb

SHA256
d2bfc8563bb5c1d7c73e727f13d3a8b5a41b32415087ee60bdd70a9945428d2b

SHA512
4e56d49ed824b9b9fa02ab40017805b4f38e62e2a04998fcf79043b6600a2de2905beac10cb1d8e810376ba7ef10e491894e247c4510fbd7924e484c7e050adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pygame\surface.pyd

Filesize
215KB

MD5
844ff6f5fe453c45e01c922241a9efc0

SHA1
4f888af9ce2ba63286434439a9f275260199f1f6

SHA256
4730d706d887dbb74ce835b8c8ead47ae7cfe1a5eb8d29f50a8d63e9cffa5cd1

SHA512
8d9694d6202289a6566bc83c2df0ec6abf855ee23313a73008002bb570d89aee3be3a3a0f9318690efb3081fdb50a16bfea984979cd76aed95b66c19a51774e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pygame\surflock.pyd

Filesize
13KB

MD5
fe35671133b52a43c9a4e3466115cd4a

SHA1
5f28bcb373fda9b2ec3edbc32a0b04e1c41faeed

SHA256
afae791424c4b124fba2f47971ffbda06ce234cc768ef70e9d91bd3e50792a7a

SHA512
23d2c69366fd17ce43d84d5c98c11dbcccb7b923d9d364a7672fa5de8e3c1e0591be5e9bb7481017382218160327d6ab77eb0646887879484338e0c962e73116

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zlib1.dll

Filesize
106KB

MD5
5eac41b641e813f2a887c25e7c87a02e

SHA1
ec3f6cf88711ef8cfb3cc439cb75471a2bb9e1b5

SHA256
b1f58a17f3bfd55523e7bef685acf5b32d1c2a6f25abdcd442681266fd26ab08

SHA512
cad34a495f1d67c4d79ed88c5c52cf9f2d724a1748ee92518b8ece4e8f2fe1d443dfe93fb9dba8959c0e44c7973af41eb1471507ab8a5b1200a25d75287d5de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\_queue.pyd

Filesize
27KB

MD5
c0a70188685e44e73576e3cd63fc1f68

SHA1
36f88ca5c1dda929b932d656368515e851aeb175

SHA256
e499824d58570c3130ba8ef1ac2d503e71f916c634b2708cc22e95c223f83d0a

SHA512
b9168bf1b98da4a9dfd7b1b040e1214fd69e8dfc2019774890291703ab48075c791cc27af5d735220bd25c47643f098820563dc537748471765aff164b00a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\libjpeg-9.dll

Filesize
238KB

MD5
c540308d4a8e6289c40753fdd3e1c960

SHA1
1b84170212ca51970f794c967465ca7e84000d0e

SHA256
3a224af540c96574800f5e9acf64b2cdfb9060e727919ec14fbd187a9b5bfe69

SHA512
1dadc6b92de9af998f83faf216d2ab6483b2dea7cdea3387ac846e924adbf624f36f8093daf5cee6010fea7f3556a5e2fcac494dbc87b5a55ce564c9cd76f92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\libpng16-16.dll

Filesize
206KB

MD5
3a26cd3f92436747d2285dcef1fae67f

SHA1
e3d1403be06beb32fc8dc7e8a58c31e18b586a70

SHA256
e688b4a4d18f4b6ccc99c6ca4980f51218cb825610775192d9b60b2f05eff2d5

SHA512
73d651f063246723807d837811ead30e3faca8cb0581603f264c28fea1b2bdb6d874a73c1288c7770e95463786d6945b065d4ca1cf553e08220aea4e78a6f37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\base.pyd

Filesize
29KB

MD5
6957dffaaecdd72d6104c2927aa58b48

SHA1
6acad377363be0cc8f7f01115800004a59c9edae

SHA256
649355ab92fd24b53cd93c032d82acd8cd4db0e34828fcef727b7b088986096f

SHA512
f2a01faddcdc2ae617ccccd7e6070f277165929826716e6bdb6038494943d7dd9778aa12cb5abce41c1f70d779557ab28b3bb49d2d45d0fc99e8a0d9fca33121

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\bufferproxy.pyd

Filesize
18KB

MD5
8135ac817358f25e5cfb4339fbcb1f48

SHA1
c275aa3339f64c8b4ffb3910b786d1cb293fb51b

SHA256
33db4178156a6ea158cda0ef3292b331747bfc198556151a4b0581113debd5f0

SHA512
f125ce9e56351ac3b0ba5fd25669afa12ae5592f6dc716899599b77e4c0f90e9f2a77d59c54c0e78d78e1d1f7b441b0479813f86ddd58fda1727ee381d49cecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\color.pyd

Filesize
35KB

MD5
0b4838db9b4e3ae820f25cc9da70a4d2

SHA1
253c3d775610d361747dcde71cac6d03d6074965

SHA256
b6c633094f99fd261f48f9ca9d4addb538ea159d0d8bf16089d304402f5bba4c

SHA512
16b73f564e5744938ce9775ad8c5e63b48bdb0609cb54b39a65b030ff1b373c4ff6d05afcb268d100501969fe4ff9773c1780edd85f4b5bb581da4da4e6b73fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\display.pyd

Filesize
43KB

MD5
580e19c9a9d58b9edc2722402cce4974

SHA1
7d153fd0eaec9c3549effde38e9f26f54ee64774

SHA256
1a5d2c1379855466463586b49bc61b78c2e2f7c6b3e8aba2af99d149bcbcfdb2

SHA512
c3081a8b4f54c7d54918f01ae76616ddb3110c90884de2561630c4387012db5ba09a928349492ace525687568c13bcb0d0770cd86ee187315301493925d810a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\event.pyd

Filesize
39KB

MD5
49837839686bbc2e230a216454a76a56

SHA1
f4d34957bb75b12acc778299b193fe2e8eef789f

SHA256
bc14621b41528937c5aa5f5400874a3af581578709323db04884a622826ec849

SHA512
814ab72985175f48f886c1ef3d6f82be1b8fc9f3a0c88cc9792ab1bd3d14575df760ff96e6de56047d5a6679a9f58155a7e4c41f9f5ee4b1bd2332fe4c6376e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\image.pyd

Filesize
27KB

MD5
6f33f326ba1f9a076c5b0a29b4356438

SHA1
7a5f6924de9385ee1dcc23ff1d790f1d700f9496

SHA256
e136586b6fa61e6f734ef130c8eaf3e1c133a438f2f32816d05037bb682961d0

SHA512
d03a811455ad36893600d9fadbb468808667b17ae615f4154be707be579abdf7c3cbce19c1871f069e290abf0c48869eafb9e565316207d2086692f46110b446

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\imageext.pyd

Filesize
19KB

MD5
bbcbee70ad4c438cb6340ced73883521

SHA1
e31a352986963affe0e7dfa754f0ed87b9908f53

SHA256
75fd74bea42276db6bb468851098a96ee0c76379003f0c9cc7a13c0c9df07122

SHA512
7554a258f9c19c56d53d52bad7cb07ea5c1a3cd9771301e9854c47d46f981d9d64351483a5ff3b9aa2b28f74cfc806c99218ddb074de29dbb85bfeca6547e0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\joystick.pyd

Filesize
20KB

MD5
3366202c1eef51f56e5c26ce31304fa2

SHA1
413f6ad2e7beb4823045952961a93f1837b04b2a

SHA256
9ec6e0a077bcad6e67ef9cf0d465749ffd714248ece25a48bab065781d11e5ac

SHA512
f89a3ce5ba6a40d464317c9b3b72f9342c99b2331aa9ec23cf0d12990a7b847d2f4a9cd7faa8e945adf492d85df39315b58b605c2026f744137b1779bc43b76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\key.pyd

Filesize
26KB

MD5
066a526cb1d816664c2b6a40ae437d72

SHA1
8899390e5fb6490813c3af2e3754a213190e3e3d

SHA256
e89fbec8bd486d708a49725c5158c2a748d24bbca673cb3c906439806777718e

SHA512
f2d7dc9303402b83458c47d858e27060da5933dea194a1421ccf39ac41de8afe877f2dd86aebc2f4b175c15b7a8db1e136b116b417341c06f99254e86cdd495f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\mask.pyd

Filesize
55KB

MD5
15852767aab165a1c8fb77abf6c02f3f

SHA1
a581aa0338a6d3f4d8301fb3a7c7d3edf2fca980

SHA256
059142e9690ef8319e27cdf0ef1377d7c7940c83fb6eeeb3d77f6f44919c80db

SHA512
61db1eae69b8af304dec528a95e56b598fd343184ea112487ba4268722a13a2d17adcfca58e33ff2c9fed2a4b69fdd10aee2d4ef7a41522091005154923b8cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\math.pyd

Filesize
65KB

MD5
94d6d00b92a6c8bb7fc7a967b189b0f6

SHA1
d9c2cabb073cd26a0bb59fed9dafa84c9cd00044

SHA256
01ce02ede8dbbd5bb9665fe9a01a3f25f1b560e745b13bea6044e93f728fcb9d

SHA512
6b0505210489980335015ef925d82a42c87f5c71092c2399e58ece1b12b24c89778b4864d3c8cc7cfa0359f976b8c394d8f3eee0744eda94567dd7b8f769171d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\mouse.pyd

Filesize
19KB

MD5
4b8c2db25033f681ba99a5cdfe218e97

SHA1
c201863728e1be3199e3eb5c7eb5591fa1472240

SHA256
3098b2d9b751f6f5ad2a91eec9d8c82f32f37a69c168a2e2c384b30633da1289

SHA512
01d0aa4377921f613f59078da238c9d66749134715d7d1a57b73faa744493e9b0d5270484f17d6ccb2695f235f3c5e5271b4ef7f627d69a674b5cbae9b6b3b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\pixelarray.pyd

Filesize
44KB

MD5
6e769e1ea4700a57ca598447072416cb

SHA1
3419de4c948a983aceb93cac20c5a9ec6dd2a809

SHA256
80d0e26c4555617cd346ad50072277d3451376ff6ab02f0980004e3db21e41c5

SHA512
c5c3ea5617f75b23a96355849ae7799f8a3c8865bd27a33d14e79d2aba0754d29524630b2c16b4599699c927f9f32c795dd151e0b0cfcee0b1e9e1369afc0c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\rwobject.pyd

Filesize
19KB

MD5
dc1bc1aabf560371d7e5ba827cf8cdbe

SHA1
7c565b88c20f0bfd1c6410a14feae1676251f2bb

SHA256
21641f109d40187a0d4eb83ae170034f7186f8c3329df09ebae9cc7c1c465078

SHA512
098616473f13b98abff65d32abda83f601fc3e65cbf673ec4518eaa383ce199f4bc5f45e026582c83d5de4c400cfb5eec0ed58cd6a424634e27528d6fe0378d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\pygame\time.pyd

Filesize
18KB

MD5
6c6b3f80bd877d5dc8e8ba5655c39602

SHA1
7876923ae8a02d8343d12f85f8489a02343260db

SHA256
ae3d2ad95169fc0b9fcbff4f631752fe7753cd85d0b1b29bcc71090f04d56ed0

SHA512
5817dddc3ae2b2695197722cc9fa4c0e70f1dfd1ca224c6a3b67527abdae760aa9891b50fd8e4f3950d16eb8ab1f4b4d374cd9be020a1a40c17cb3b166160232

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\python37.dll

Filesize
3.6MB

MD5
c4709f84e6cf6e082b80c80b87abe551

SHA1
c0c55b229722f7f2010d34e26857df640182f796

SHA256
ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3

SHA512
e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\sdl2_image.dll

Filesize
122KB

MD5
b8d249a5e394b4e6a954c557af1b80e6

SHA1
b03bb9d09447114a018110bfb91d56ef8d5ec3bb

SHA256
1e364af75fee0c83506fbdfd4d5b0e386c4e9c6a33ddbddac61ddb131e360194

SHA512
2f2e248c3963711f1a9f5d8baea5b8527d1df1748cd7e33bf898a380ae748f7a65629438711ff9a5343e64762ec0b5dc478cdf19fbf7111dac9d11a8427e0007

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\staged_out.exe

Filesize
21.6MB

MD5
d735279b3606f59aad13fab2aa9e9cd5

SHA1
1dda8fa756c9a706cc2cd7b72593302346094529

SHA256
e19e7629baced5112011c8700999901db780083da2bcd4d35c946bf43cc19474

SHA512
a8c91e67651b82b3148280d60cf47cf823323a15ef4d5376efe0abd18f650ecef1e599a1214452a55ed9529ee3666128c57606d13fa9e28e7c1411e741eb162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_224_133646284886163863\vcruntime140.dll

Filesize
85KB

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkn.exe

Filesize
46KB

MD5
4b683807246fc18189d63dd9a4e9429f

SHA1
1ded192558723ebe1de20b099343da06d6a215c5

SHA256
ba77b5949ca2198459c7f2f260c1b57af93f4b3466f8278bfcab114c9e0b2d79

SHA512
7b177de3adb54fe049e5a4d927957008f4829a46fc6c8206657f5bc6435f079a6e47fd3ffccfd03d6f40f125855659b3380e9c33c1eda0e7e5d14180ca761377

Download Submit
C:\Users\Admin\AppData\Local\Temp\unity.pdf

Filesize
84KB

MD5
cc4676ef08e8aecbe22b9232f27b2141

SHA1
03bb3a2cb2c8a5cf7b93cf7c666c470144cfd724

SHA256
48331ea4e205e07525f47149d19c8f78dba24ee63147a74f7d0a443008e4587d

SHA512
a27daef2db426114f9b45f9ead7c0cf5e6c84389570e51c749c9ce9bad8ab6d2c866c54a291fa5a6d83ab7b476a00e9ad4729c92ed53b5371af7e2382ccbec96

Download Submit
memory/2412-198-0x00007FFA9FFA0000-0x00007FFAA01C9000-memory.dmp

Filesize
2.2MB

Download
memory/2412-202-0x0000000062E80000-0x0000000062EA4000-memory.dmp

Filesize
144KB

Download
memory/2412-205-0x0000000067880000-0x00000000678A8000-memory.dmp

Filesize
160KB

Download
memory/2412-204-0x000000006AE80000-0x000000006AF17000-memory.dmp

Filesize
604KB

Download
memory/2412-203-0x0000000071000000-0x0000000071011000-memory.dmp

Filesize
68KB

Download
memory/2412-200-0x0000000068B40000-0x0000000068B7C000-memory.dmp

Filesize
240KB

Download
memory/2412-206-0x00000000006F0000-0x0000000002481000-memory.dmp

Filesize
29.6MB

Download
memory/2412-207-0x00000175E3E10000-0x00000175E9410000-memory.dmp

Filesize
86.0MB

Download
memory/2412-201-0x0000000069A00000-0x0000000069A44000-memory.dmp

Filesize
272KB

Download
memory/2412-199-0x000000006A880000-0x000000006A8A7000-memory.dmp

Filesize
156KB

Download
memory/2412-197-0x00000000006F0000-0x0000000002481000-memory.dmp

Filesize
29.6MB

Download