397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c.msc
Size

85KB
MD5

026a6ed068b12ea1447ca20d4f82452f
SHA1

9bfd0e7ec77143943e56da46d6baee7d74cc8757
SHA256

397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c
SHA512

4735e86f6493ee67292a4eaa375c0e016987128643e3d2bb8b19cb66fb0b79e61a93ced9554bf7fb4a934bd8697e2529bc34349aad81954e2ab4e0e00b2de940
SSDEEP

192:f0lAswM0m+kz8J0fD1dasPPPPWmxWqWPPPPP5/PPPB9Ef/Hk95vPPPPPPPNdJt/U:O6JJ0BdaxmGnE3Ert2jWe

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	LDeviceDetectionHelper.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	LDeviceDetectionHelper.exe
5108	LDeviceDetectionHelper.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	LDeviceDetectionHelper.exe
5108	LDeviceDetectionHelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SetPoint Update = "\"C:\\ProgramData\\VirtualFile\\LDeviceDetectionHelper.exe\" 114 489"	LDeviceDetectionHelper.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	4448	msiexec.exe
20	4448	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD88.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ad5a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B07.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7DA.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDeviceDetectionHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDeviceDetectionHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	mmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\IESettingSync	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector	LDeviceDetectionHelper.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\ms-pu	LDeviceDetectionHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 42003500450032004400460038004100330043003300380046003800450031000000	LDeviceDetectionHelper.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	LDeviceDetectionHelper.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	LDeviceDetectionHelper.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4448	msiexec.exe
4448	msiexec.exe
4448	msiexec.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3916	mmc.exe
Token: SeIncBasePriorityPrivilege	3916	mmc.exe
Token: 33	3916	mmc.exe
Token: SeIncBasePriorityPrivilege	3916	mmc.exe
Token: SeShutdownPrivilege	3916	mmc.exe
Token: SeIncreaseQuotaPrivilege	3916	mmc.exe
Token: SeSecurityPrivilege	4448	msiexec.exe
Token: SeCreateTokenPrivilege	3916	mmc.exe
Token: SeAssignPrimaryTokenPrivilege	3916	mmc.exe
Token: SeLockMemoryPrivilege	3916	mmc.exe
Token: SeIncreaseQuotaPrivilege	3916	mmc.exe
Token: SeMachineAccountPrivilege	3916	mmc.exe
Token: SeTcbPrivilege	3916	mmc.exe
Token: SeSecurityPrivilege	3916	mmc.exe
Token: SeTakeOwnershipPrivilege	3916	mmc.exe
Token: SeLoadDriverPrivilege	3916	mmc.exe
Token: SeSystemProfilePrivilege	3916	mmc.exe
Token: SeSystemtimePrivilege	3916	mmc.exe
Token: SeProfSingleProcessPrivilege	3916	mmc.exe
Token: SeIncBasePriorityPrivilege	3916	mmc.exe
Token: SeCreatePagefilePrivilege	3916	mmc.exe
Token: SeCreatePermanentPrivilege	3916	mmc.exe
Token: SeBackupPrivilege	3916	mmc.exe
Token: SeRestorePrivilege	3916	mmc.exe
Token: SeShutdownPrivilege	3916	mmc.exe
Token: SeDebugPrivilege	3916	mmc.exe
Token: SeAuditPrivilege	3916	mmc.exe
Token: SeSystemEnvironmentPrivilege	3916	mmc.exe
Token: SeChangeNotifyPrivilege	3916	mmc.exe
Token: SeRemoteShutdownPrivilege	3916	mmc.exe
Token: SeUndockPrivilege	3916	mmc.exe
Token: SeSyncAgentPrivilege	3916	mmc.exe
Token: SeEnableDelegationPrivilege	3916	mmc.exe
Token: SeManageVolumePrivilege	3916	mmc.exe
Token: SeImpersonatePrivilege	3916	mmc.exe
Token: SeCreateGlobalPrivilege	3916	mmc.exe
Token: SeRestorePrivilege	4448	msiexec.exe
Token: SeTakeOwnershipPrivilege	4448	msiexec.exe
Token: SeShutdownPrivilege	3916	mmc.exe
Token: SeIncreaseQuotaPrivilege	3916	mmc.exe
Token: SeCreateTokenPrivilege	3916	mmc.exe
Token: SeAssignPrimaryTokenPrivilege	3916	mmc.exe
Token: SeLockMemoryPrivilege	3916	mmc.exe
Token: SeIncreaseQuotaPrivilege	3916	mmc.exe
Token: SeMachineAccountPrivilege	3916	mmc.exe
Token: SeTcbPrivilege	3916	mmc.exe
Token: SeSecurityPrivilege	3916	mmc.exe
Token: SeTakeOwnershipPrivilege	3916	mmc.exe
Token: SeLoadDriverPrivilege	3916	mmc.exe
Token: SeSystemProfilePrivilege	3916	mmc.exe
Token: SeSystemtimePrivilege	3916	mmc.exe
Token: SeProfSingleProcessPrivilege	3916	mmc.exe
Token: SeIncBasePriorityPrivilege	3916	mmc.exe
Token: SeCreatePagefilePrivilege	3916	mmc.exe
Token: SeCreatePermanentPrivilege	3916	mmc.exe
Token: SeBackupPrivilege	3916	mmc.exe
Token: SeRestorePrivilege	3916	mmc.exe
Token: SeShutdownPrivilege	3916	mmc.exe
Token: SeDebugPrivilege	3916	mmc.exe
Token: SeAuditPrivilege	3916	mmc.exe
Token: SeSystemEnvironmentPrivilege	3916	mmc.exe
Token: SeChangeNotifyPrivilege	3916	mmc.exe
Token: SeRemoteShutdownPrivilege	3916	mmc.exe
Token: SeUndockPrivilege	3916	mmc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3916	mmc.exe
3916	mmc.exe
3916	mmc.exe
3916	mmc.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe
4800	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1960	4448	msiexec.exe	89
PID 4448 wrote to memory of 1960	4448	msiexec.exe	89
PID 4448 wrote to memory of 1960	4448	msiexec.exe	89
PID 1960 wrote to memory of 4800	1960	LDeviceDetectionHelper.exe	92
PID 1960 wrote to memory of 4800	1960	LDeviceDetectionHelper.exe	92
PID 1960 wrote to memory of 4800	1960	LDeviceDetectionHelper.exe	92
PID 1960 wrote to memory of 5108	1960	LDeviceDetectionHelper.exe	93
PID 1960 wrote to memory of 5108	1960	LDeviceDetectionHelper.exe	93
PID 1960 wrote to memory of 5108	1960	LDeviceDetectionHelper.exe	93
PID 4800 wrote to memory of 3308	4800	AcroRd32.exe	94
PID 4800 wrote to memory of 3308	4800	AcroRd32.exe	94
PID 4800 wrote to memory of 3308	4800	AcroRd32.exe	94
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3960	3308	RdrCEF.exe	95
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96
PID 3308 wrote to memory of 3816	3308	RdrCEF.exe	96

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe "C:\Users\Admin\AppData\Local\Temp\397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c.msc"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\DIdifFGM\LDeviceDetectionHelper.exe
  C:\Users\Admin\AppData\Local\DIdifFGM\LDeviceDetectionHelper.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Meeting Invitation.PDF"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3971B307AE605EAC191A3653001B64C7 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=40082791301F5DA246A304909EBD144C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=40082791301F5DA246A304909EBD144C --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3816
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6B35FA9C9298AFF981A2D630A0CB84BA --mojo-platform-channel-handle=2272 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B961A11D5A7D990977A2F8EF990F775D --mojo-platform-channel-handle=2376 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:448
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=82C034D1C399E2A71DF2AD860D6F0987 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
- - C:\ProgramData\VirtualFile\LDeviceDetectionHelper.exe
    C:\ProgramData\VirtualFile\LDeviceDetectionHelper.exe 744 108
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ad59.rbs

Filesize
8KB

MD5
010f852abd8b09693eca9443a01f51b7

SHA1
45662e6c6f83ec2b78f55044614c5db4e1da9abf

SHA256
76ffe65798e06551032aa619cd0eba3c0804daa5984244ef502c795ee7986139

SHA512
5d7af2436045b0ead76eab403066d682b36ba9770cff12d001a92145228f2927603e12697d21466ede59e0a19342fc88251613fe12eaf1d875ae5d11a272e2e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
38363c14ee33dd067ca68945c2171b93

SHA1
a7b66268086196dbf506ae6489c00d7a2183301f

SHA256
52a5724acebbd105cd8e2d12734d29158fc9923e9ab2cea0ea6aa835443f0f18

SHA512
08b932b4dc82c0d4f8ba910dd3334a408358d1093c57904e925a6caf58a93c412362429d4bee2a54e4d83f3c3ed03054a94aeaae7137c111c5d4b85b849a4156

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\Local\DIdifFGM\LDevice.dat

Filesize
631KB

MD5
acab249833bb8bc88222fa758c8ef3dd

SHA1
088559e9a3d8d993eb9e5ecd22b84a6fb6dac2f0

SHA256
70c8f33b1d18d4b1ad9379d2285ae0cce6f1c53ea9395d0767470c932bf5d49f

SHA512
73eb195fbc1764c2e9203059e5d1d30539a8224f70452ec6b2fc182032eedb37adc60158377a7c42b5a54c116f7679c443f9a8792229c0c1f79e25e9603b43d1

Download Submit
C:\Users\Admin\AppData\Local\DIdifFGM\LDeviceDetectionHelper.exe

Filesize
1.7MB

MD5
084fe5e54dbf4d7287b48c5695d02d17

SHA1
58a2693e67491569e9c8f17730159c64ffb5e6dd

SHA256
282fc12e4f36b6e2558f5dd33320385f41e72d3a90d0d3777a31ef1ba40722d6

SHA512
15fdad9fcebb45cce0c45fe82b387cd2f2602884f9b7f85d9805e26e7edd442b8ee814f5cdce12d207a74c3b38d524ec61738d45f72d2523d4fad31dabb1e154

Download Submit
C:\Users\Admin\AppData\Local\DIdifFGM\hid.dll

Filesize
108KB

MD5
1fdae36641f385b30541331611105598

SHA1
5a71752cf9ecf8909cf953c96328080a45a77736

SHA256
1bde2b050117d7f27e55a71b4795476decace1850587a17d6cf6fd3fc030ff1a

SHA512
e87549cce121c0b1f3232ed5d2b3eafee27ebe27aa7a076591f3482baaa0963e652f3410abc2a77003c5ff87cb74d1c3fa49986569027c5de834c911b245c6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Meeting Invitation.PDF

Filesize
9KB

MD5
84b2f648e3dc75a8bd46b3c2d9290747

SHA1
041f39a09dab4a6b7b3295d278e3c81e4ce52fc9

SHA256
f71c4507d9c89935886461d41495d72b0a316b45bce9872af640d33df57e9349

SHA512
be5cff9e115183b3dc1476aa722c17df2fcc0091b011ec9bf70ca08896a52efd60e254a80a38fa7595e87a7d39047f4c3999e6274746ac66ab694dda33085b87

Download Submit
C:\Windows\Installer\MSI9B07.tmp

Filesize
1.1MB

MD5
7c23b3eb95d4f5be3dae181c2c473573

SHA1
aee1cbe5eaf585bec5225cff4663ac39e858f0eb

SHA256
976ffe00ca06a4e3d2482815c2770086e7283025eeecad0a750001dedaa2d16a

SHA512
98ea9e5394b675616f42dd0fe8729d8a7b1994ef1ccea2be4f19961f7270c144209b3e140d3dec771092bd7dfe57e661b3fd51f64eaf7e660e9cc5f1779fd414

Download Submit
memory/1960-55-0x0000000004E90000-0x0000000008B36000-memory.dmp

Filesize
60.6MB

Download
memory/1960-43-0x0000000004E90000-0x0000000008B36000-memory.dmp

Filesize
60.6MB

Download
memory/1960-42-0x0000000004E90000-0x0000000008B36000-memory.dmp

Filesize
60.6MB

Download
memory/1960-41-0x0000000004DF0000-0x0000000004E8E000-memory.dmp

Filesize
632KB

Download
memory/5108-81-0x00000000055C0000-0x0000000009266000-memory.dmp

Filesize
60.6MB

Download
memory/5108-82-0x00000000055C0000-0x0000000009266000-memory.dmp

Filesize
60.6MB

Download
memory/5108-86-0x00000000055C0000-0x0000000009266000-memory.dmp

Filesize
60.6MB

Download