Analysis
max time kernel: 123s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/01/2025, 07:59 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
Size: 2.4MB
MD5: 68288c29d8546aadc301eda4436def32
SHA1: b2f25aa72549ab250213e20850aa3e5beab1928f
SHA256: a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
SHA512: d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
SSDEEP: 49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p
Malware Config
Signatures
-
Ardamax family
-
Ardamax main executable 1 IoCs
  resource: behavioral2/files/0x0007000000023cc7-52.dat  yara_rule: family_ardamax
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"  (HKCMB.exe)
-
Drops file in Drivers directory 1 IoCs
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  (HKCMB.exe)
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
  3688 attrib.exe
  4936 attrib.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation  (HKCMB.exe)
  Key value queried  \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation  (INSTALL.EXE)
  Key value queried  \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation  (JaffaCakes118_68288c29d8546aadc301eda4436def32.exe)
-
Executes dropped EXE 5 IoCs
  1116 Transaction mangement.exe
  3160 HKCMB.exe
  5096 INSTALL.EXE
  540 FQO.exe
  380 msdcsc.exe
-
Loads dropped DLL 3 IoCs
  540 FQO.exe
  2832 AcroRd32.exe (x2)
-
Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"  (HKCMB.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start = "C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe"  (FQO.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 9 IoCs
  File opened for modification  C:\Windows\SysWOW64\MSDCSC\  (HKCMB.exe)
  File created                  C:\Windows\SysWOW64\MSDCSC\msdcsc.exe  (HKCMB.exe)
  File opened for modification  C:\Windows\SysWOW64\MSDCSC\msdcsc.exe  (HKCMB.exe)
  File created                  C:\Windows\SysWOW64\JHPMIJ\FQO.exe  (INSTALL.EXE)
  File created                  C:\Windows\SysWOW64\JHPMIJ\FQO.001  (INSTALL.EXE)
  File created                  C:\Windows\SysWOW64\JHPMIJ\FQO.002  (INSTALL.EXE)
  File created                  C:\Windows\SysWOW64\JHPMIJ\FQO.004  (INSTALL.EXE)
  File created                  C:\Windows\SysWOW64\JHPMIJ\AKV.exe  (INSTALL.EXE)
  File opened for modification  C:\Windows\SysWOW64\JHPMIJ\  (FQO.exe)
-
Suspicious use of SetThreadContext 1 IoCs
  PID 1116 Transaction mangement.exe set thread context of PID 3160 HKCMB.exe  (procid_target 88)
-
Drops file in Windows directory 4 IoCs
  File created                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe  (Transaction mangement.exe)
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe  (Transaction mangement.exe)
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727  (attrib.exe)
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727  (attrib.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by:
    JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
    Transaction mangement.exe
    HKCMB.exe
    cmd.exe (x2)
    attrib.exe (x2)
    INSTALL.EXE
    FQO.exe
    msdcsc.exe
    AcroRd32.exe
    RdrCEF.exe (x7)
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (AcroRd32.exe)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (AcroRd32.exe)
-
Modifies Internet Explorer settings 1 IoCs
  Key created  \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  (AcroRd32.exe)
-
Modifies registry class 2 IoCs
  Key created  \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings  (JaffaCakes118_68288c29d8546aadc301eda4436def32.exe)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  (HKCMB.exe)
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
  2832 AcroRd32.exe (x20)
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
  3160 HKCMB.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  540 FQO.exe  Token: 33, SeIncBasePriorityPrivilege
  (The unnamed LUIDs 33-36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. HKCMB.exe adjusts essentially every privilege the token can hold, SeDebugPrivilege included, rather than the one it needs.)
-
Suspicious use of FindShellTrayWindow 1 IoCs
  2832 AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 9 IoCs
  2832 AcroRd32.exe (x5)
  540 FQO.exe (x4)
-
Suspicious use of WriteProcessMemory 64 IoCs
  writer PID / process                                      -> target PID / process (procid_target)   writes
  1904 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe  -> 1116 Transaction mangement.exe (86)     3
  1904 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe  -> 2832 AcroRd32.exe (87)                  3
  1116 Transaction mangement.exe                           -> 3160 HKCMB.exe (88)                    14
  3160 HKCMB.exe                                           -> 4660 cmd.exe (89)                       3
  3160 HKCMB.exe                                           -> 5036 cmd.exe (91)                       3
  3160 HKCMB.exe                                           -> 5096 INSTALL.EXE (93)                   3
  4660 cmd.exe                                             -> 3688 attrib.exe (94)                    3
  5036 cmd.exe                                             -> 4936 attrib.exe (95)                    3
  5096 INSTALL.EXE                                         -> 540 FQO.exe (96)                        3
  3160 HKCMB.exe                                           -> 380 msdcsc.exe (97)                     3
  2832 AcroRd32.exe                                        -> 3884 RdrCEF.exe (99)                    3
  3884 RdrCEF.exe                                          -> 3668 RdrCEF.exe (100)                  20
  Every ordinary parent/child pair in this run shows exactly three writes (the CreateProcess setup). The 14 writes from Transaction mangement.exe into HKCMB.exe, combined with the SetThreadContext call on the same target (procid 88) listed above, are the process-hollowing pattern: the child's memory is overwritten and its main thread's context is reset to the new code. The 20 writes between the two RdrCEF.exe instances are Acrobat's own CEF child-process setup.
-
Views/modifies file attributes 1 TTPs 2 IoCs
  3688 attrib.exe
  4936 attrib.exe
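The following PowerShell is an added host-triage check; it is not part of this report and is not code from the sample or from the sandbox vendor. It turns the persistence and file-drop indicators above into something an incident responder can run (as Administrator, from 64-bit PowerShell) on a suspect host: the Winlogon UserInit value, the Run keys in HKLM (both registry views) and in every loaded user hive, the dropped paths, the attrib +s +h on the .NET Framework directory, and the hosts file. The UserInit baseline, the function names and the subdirectory heuristic for Run values are assumptions. One caveat the report itself illustrates: HKCMB.exe is a 32-bit process, so its writes to C:\Windows\system32 were redirected to C:\Windows\SysWOW64 (the report shows SysWOW64\MSDCSC\msdcsc.exe being created while the UserInit and Run values it wrote name system32), so the check looks in both directories.

```powershell
# Added example, not part of the sandbox report. Run elevated from 64-bit PowerShell
# so that "System32" below means the real System32 and not the WOW64 view.
function Test-DarkCometPersistence {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
    }

    # 1. Winlogon UserInit. Assumed clean baseline: a single entry, userinit.exe (trailing comma is normal).
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Userinit
    $entries = ($wl.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        if ($e -ne "$env:SystemRoot\system32\userinit.exe") {
            Add-Finding 'Winlogon\UserInit' $e 'Extra UserInit entry: started by winlogon at every interactive logon'
        }
    }

    # 2. Run keys: HKLM native + WOW6432Node view, plus the Run key of every loaded user hive
    #    (the report shows the per-user key under the S-1-5-21-...-1000 hive).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
    $providerNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $suspectDirs = 'MSDCSC', 'JHPMIJ'     # directory names from this report
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerNoise -contains $p.Name) { continue }
            $val = [string]$p.Value
            $known = $suspectDirs | Where-Object { $val -match [regex]::Escape($_) }
            # Heuristic (assumption): an .exe inside a subdirectory of System32/SysWOW64 is unusual for Run values.
            if ($known -or $val -match '(?i)\\(System32|SysWOW64)\\[^\\]+\\[^\\]+\.exe') {
                Add-Finding 'Run key' "$key\$($p.Name)" $val
            }
        }
    }

    # 3. Dropped files, checked in both the native and the WOW64 system directory.
    $candidates = @(
        "$env:SystemRoot\System32\MSDCSC\msdcsc.exe",
        "$env:SystemRoot\SysWOW64\MSDCSC\msdcsc.exe",
        "$env:SystemRoot\System32\JHPMIJ\FQO.exe",
        "$env:SystemRoot\SysWOW64\JHPMIJ\FQO.exe",
        "$env:SystemRoot\SysWOW64\JHPMIJ\AKV.exe",
        "$env:SystemRoot\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe"
    )
    foreach ($c in $candidates) {
        $f = Get-Item -LiteralPath $c -Force -ErrorAction SilentlyContinue   # -Force: see hidden/system files
        if ($f) {
            $sha = (Get-FileHash -LiteralPath $c -Algorithm SHA256).Hash
            Add-Finding 'Dropped file' $c "SHA256=$sha attrs=$($f.Attributes)"
        }
    }

    # 4. attrib +s +h on the .NET Framework directory (tmpcmd.bat -> attrib.exe in the process tree).
    $fw = Get-Item -LiteralPath "$env:SystemRoot\Microsoft.NET\Framework\v2.0.50727" -Force -ErrorAction SilentlyContinue
    if ($fw -and ((([int]$fw.Attributes) -band [int][IO.FileAttributes]::Hidden) -ne 0)) {
        Add-Finding 'Hidden directory' $fw.FullName "attrs=$($fw.Attributes)"
    }

    # 5. hosts file was opened for modification by HKCMB.exe: surface every active (non-comment) line for review.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() } |
        ForEach-Object { Add-Finding 'hosts entry' $hosts $_ }

    return $findings
}

Test-DarkCometPersistence | Format-Table -AutoSize
```

Any UserInit entry other than userinit.exe, or a hit under MSDCSC\ or JHPMIJ\, is a direct match for this sample; the generic Run-key heuristic and the hosts listing will also surface legitimate entries and need an analyst's review.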
Processes
(depth in brackets; "cmd:" is the recorded command line, the path before it the image)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe  (PID 1904)
    cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe  (PID 1116)
      cmd: "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe  (PID 3160)
        cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
        - Modifies WinLogon for persistence
        - Drops file in Drivers directory
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 4660)
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\attrib.exe  (PID 3688)
            cmd: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 5036)
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\attrib.exe  (PID 4936)
            cmd: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes
      [4] C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE  (PID 5096)
          cmd: "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\JHPMIJ\FQO.exe  (PID 540)
            cmd: "C:\Windows\system32\JHPMIJ\FQO.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\MSDCSC\msdcsc.exe  (PID 380)
          cmd: "C:\Windows\system32\MSDCSC\msdcsc.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
  [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  (PID 2832)
      cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3884)
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3668)
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=58DAAB7F001085031BBD043AE4147EDD --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1868)
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F56128D45C28008B65F6EADA717F43F8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F56128D45C28008B65F6EADA717F43F8 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
          - System Location Discovery: System Language Discovery
      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 4076)
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B4322355B4FF7939B3DAA50488E53E8 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 264)
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B4BE7F4DF333B7EF39FDDA2DD680B37B --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 2788)
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D8AB7A5A5591F67CBF8764CD4D78AC6A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D8AB7A5A5591F67CBF8764CD4D78AC6A --renderer-client-id=6 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1
          - System Location Discovery: System Language Discovery
      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1116; this PID was reused after Transaction mangement.exe exited, so do not correlate on PID alone)
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1024CB97477349511771CA06A48E26D2 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
[1] C:\Windows\System32\CompPkgSrv.exe  (PID 3768)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
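As an added example (not from the report, and not the sandbox's own logic), the rules below express the tree above as checks over process-creation telemetry: a non-framework executable running from a Microsoft.NET\Framework directory, attrib.exe hiding a path under C:\Windows, cmd.exe running a .bat from a user's Temp directory, and Acrobat Reader being started by a process that itself runs from Temp (the PDF opened next to the payload is a decoy document). The event records are constructed from this page's process tree so the script runs offline; explorer.exe as parent of the first process, the mscorsvw.exe control record and the short framework allow-list are assumptions. On a live host, map Security event 4688 (with command-line auditing enabled) or Sysmon Event ID 1 records onto the same Image/CommandLine/ParentImage fields. The SetThreadContext/WriteProcessMemory hollowing sequence between Transaction mangement.exe and HKCMB.exe is not visible in creation events and needs process-access telemetry.

```powershell
# Added example, not part of the sandbox report. Rules over process-creation records
# with three fields: Image, CommandLine, ParentImage.
function Get-ProcessCreationFindings {
    param([Parameter(Mandatory)][object[]]$Events)

    # Assumption: a real deployment keeps a fuller allow-list of v2.0.50727 binaries.
    $fwBinaries = 'mscorsvw.exe', 'ngen.exe', 'csc.exe', 'vbc.exe', 'aspnet_compiler.exe'

    foreach ($e in $Events) {
        $img  = [string]$e.Image
        $name = Split-Path -Leaf $img

        # Rule 1: executable running from a .NET Framework version directory that is not a framework binary
        if ($img -match '\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\' -and $fwBinaries -notcontains $name) {
            [pscustomobject]@{ Rule = 'exe-in-dotnet-dir'; Image = $img; Evidence = $e.CommandLine }
        }
        # Rule 2: attrib.exe setting +s or +h on a path under C:\Windows
        if ($name -eq 'attrib.exe' -and $e.CommandLine -match '\+[sh]' -and $e.CommandLine -match '(?i)C:\\Windows\\') {
            [pscustomobject]@{ Rule = 'attrib-hide-system-path'; Image = $img; Evidence = $e.CommandLine }
        }
        # Rule 3: cmd.exe /c running a batch file dropped in a user Temp directory
        if ($name -eq 'cmd.exe' -and $e.CommandLine -match '(?i)\\AppData\\Local\\Temp\\[^"]+\.bat') {
            [pscustomobject]@{ Rule = 'cmd-temp-batch'; Image = $img; Evidence = $e.CommandLine }
        }
        # Rule 4: Acrobat Reader launched by a process running from a user Temp directory (decoy document)
        if ($name -eq 'AcroRd32.exe' -and $e.ParentImage -match '(?i)\\AppData\\Local\\Temp\\') {
            [pscustomobject]@{ Rule = 'reader-spawned-from-temp'; Image = $img; Evidence = "parent=$($e.ParentImage)" }
        }
    }
}

function Get-SampleEvents {
    # Constructed from the process tree in this report; not real telemetry.
    $t  = 'C:\Users\Admin\AppData\Local\Temp'
    $fw = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727'
    $dropper = "$t\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe"
    @(
        # Assumption: the sample was started from explorer.exe (the report does not show its parent)
        [pscustomobject]@{ Image = $dropper; CommandLine = "`"$dropper`""; ParentImage = 'C:\Windows\explorer.exe' },
        [pscustomobject]@{ Image = "$t\Transaction mangement.exe"; CommandLine = "`"$t\Transaction mangement.exe`""; ParentImage = $dropper },
        [pscustomobject]@{ Image = "$fw\HKCMB.exe"; CommandLine = "$fw\HKCMB.exe"; ParentImage = "$t\Transaction mangement.exe" },
        [pscustomobject]@{ Image = 'C:\Windows\SysWOW64\cmd.exe'; CommandLine = "C:\Windows\system32\cmd.exe /c `"`"$t\tmpcmd.bat`" `""; ParentImage = "$fw\HKCMB.exe" },
        [pscustomobject]@{ Image = 'C:\Windows\SysWOW64\attrib.exe'; CommandLine = "attrib `"$fw`" +s +h"; ParentImage = 'C:\Windows\SysWOW64\cmd.exe' },
        [pscustomobject]@{ Image = 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'; CommandLine = "`"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe`" `"$t\Transaction_mangement.pdf`""; ParentImage = $dropper },
        # Benign control record (constructed): a real framework binary in the same directory must not alert
        [pscustomobject]@{ Image = "$fw\mscorsvw.exe"; CommandLine = 'mscorsvw.exe -StartupEvent 1'; ParentImage = 'C:\Windows\System32\services.exe' }
    )
}

# Expected: four findings (HKCMB.exe, attrib.exe, cmd.exe, AcroRd32.exe) and none for mscorsvw.exe.
Get-ProcessCreationFindings -Events (Get-SampleEvents) | Format-Table -AutoSize
```

Rules 2 and 3 are the generic part and will fire on some administrative scripts; rule 1 is the high-signal one for this sample because nothing legitimate drops a new executable into a .NET Framework version directory and then hides the directory.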
Network
All recorded traffic is reverse (PTR) DNS to 8.8.8.8:53; no other connections are recorded in this run.

Query (PTR)                    Sent   Recv   Pkts out/in   Answer
8.8.8.8.in-addr.arpa           66 B   90 B   1/1           dns.google
13.153.16.2.in-addr.arpa       70 B   133 B  1/1           a2-16-153-13.deploy.static.akamaitechnologies.com
65.160.190.20.in-addr.arpa     72 B   158 B  1/1           (empty response)
43.58.199.20.in-addr.arpa      71 B   157 B  1/1           (empty response)
135.244.100.95.in-addr.arpa    73 B   139 B  1/1           a95-100-244-135.deploy.static.akamaitechnologies.com
179.190.18.2.in-addr.arpa      71 B   135 B  1/1           a2-18-190-179.deploy.static.akamaitechnologies.com
200.163.202.172.in-addr.arpa   74 B   160 B  1/1           (empty response)
206.23.85.13.in-addr.arpa      71 B   145 B  1/1           (empty response)
172.210.232.199.in-addr.arpa   74 B   128 B  1/1           (empty response)
30.243.111.52.in-addr.arpa     72 B   158 B  1/1           (empty response)
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (3)
Downloads
(files written during the run; the report records hashes only, no filenames)
-
Filesize: 36KB
MD5: b30d3becc8731792523d599d949e63f5
SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize: 56KB
MD5: 752a1f26b18748311b691c7d8fc20633
SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize: 64KB
MD5: e2953ed0cafd081ae7a33508a97c7468
SHA1: e7a8b9d42ffc5e7e54fbe9f28c2abcac18cfadd7
SHA256: 3bf8ab2f77eb02278c107e9b5d4223f1a9bbc40e133155cd7a1ba0d8dc95d06e
SHA512: 36680a23df341b6332d9b13d78036a6c74638f1842d7a4fec7743dc06406e9fee601f1b72bab5410129f7cc3348a53361aa9746734aec277d9435b1a421a52f0
-
Filesize: 1.1MB
MD5: 4766452f3b2d1952a671143d9b813585
SHA1: 169ba313c0ccc234e2a227a97c05976f968ad3e6
SHA256: 064a538b07c4722cdcec11bc6d04b8fecc44061c8d6472d9bb39d1a1848a0160
SHA512: 0a1e5d3841e3cadaefae31653069b8add53d096bb938b83c6a4fc9c50815ac65fcefe5e2218ee6297440ca09f52d72394a2956fe5990387408d39ca3dbfbc2c8
-
Filesize: 2.2MB
MD5: 9a540f97fb137ff20426f30e8db62dc8
SHA1: 1cd77f98dc2797cceb083e6b949261e2ea49fe4e
SHA256: d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59
SHA512: 467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d
-
Filesize: 194KB
MD5: 8764991d86c925a5f8bbe847cd0f3cb3
SHA1: 19e3f30d0baabc7c457fd61fecee8d1e8ab28d0e
SHA256: 5e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79
SHA512: f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc
-
Filesize: 62B
MD5: c6abd7a109bb37ab773b9e79b91b7741
SHA1: 7933b8795914b27483d2afed35b3830e8bf5bdb6
SHA256: 8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629
SHA512: 35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc
-
Filesize: 1.1MB
MD5: d881de17aa8f2e2c08cbb7b265f928f9
SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
-
Filesize: 456KB
MD5: 51507d91d43683b9c4b8fafeb4d888f8
SHA1: ead2f68338da7af4720378cd46133589fc9405ba
SHA256: 71b3aecefd36e4855a369019ac5871c544d39f8889d23cd455466a24cdecce6b
SHA512: a5a7ff3f8ffb72719b7e2c9dc2719c99ea32bd68994918ea027c0d7d54cfe0c80bfd34486dd8d3cdd390376bc4c8d1f7d97de4b98b7d39a3e10c3e2682c07d1c
-
Filesize: 61KB
MD5: 383d5f5d4240d590e7dec3f7312a4ac7
SHA1: f6bcade8d37afb80cf52a89b3e84683f4643fbce
SHA256: 7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422
SHA512: e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a
-
Filesize: 43KB
MD5: 93df156c4bd9d7341f4c4a4847616a69
SHA1: c7663b32c3c8e247bc16b51aff87b45484652dc1
SHA256: e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e
SHA512: ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35
-
Filesize: 1KB
MD5: c419eadafd70c55f88b6235ccf3d14a0
SHA1: e04856391e275bfe54fdc6dfabdfe798f80d2afb
SHA256: 76f3de81ac5a57b368786feffd51e82c49527298bd6ed554ae2cdac118043968
SHA512: 4b3e1e8d94f7e8bd9a32758fab27b2fed6299882a092fea578e1107655e9d5a7d9480eca2c205b3a85e897a1ae3ffd92587b7c4b9ccd3722bb84bfb45a30f683
-
Filesize: 1.7MB
MD5: 3cd29c0df98a7aeb69a9692843ca3edb
SHA1: 7c86aea093f1979d18901bd1b89a2b02a60ac3e2
SHA256: 5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32
SHA512: e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9
-
Filesize: 1KB
MD5: ea1a1fb9ccfd94175ac7949b7c0937fd
SHA1: 19f49e082f0bfbe697a30a283a8d96e5f2c96f97
SHA256: 2f741dca98c6bb003b57a004523cd3ed6fc1d9c629ba27bb9ae065da2691e904
SHA512: b79bc17c026c5bb9804252fd09ef05f3c1400b5a81c3776c812de832e13d251adfa5ba9b301c9fb1126d9e55fb348f69978e2397cb9dcfc29bdfda89ba2461c8