Analysis
max time kernel: 102s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2025, 09:10
Static task: static1
Behavioral task: behavioral1
Sample: 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
Resource: win10v2004-20250314-en
General
Target: 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
Size: 865KB
MD5: 427e8565cb7c4bbff0ff3c07205f517a
SHA1: 833a20dd03e1e5aed3d4284fde3d6a8208a97c88
SHA256: 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777
SHA512: 59240e826ed5c265cc06f89b4826fc0de56e71ae46e19657b88976e89290c01a7320448e5aa82124fcaa88c534d99cee941cc986f57954da6dffc75faadebfeb
SSDEEP: 12288:tWEauBVmKa8mdBBh4bgSZuG2U6uKEmaN0:UEaXB3WuIhN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 5076 set thread context of 3936 | 5076 | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe | 94
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Fol\grxv.exe:Zone.Identifier | cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | entries (identical log entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe | 7
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 1
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies Internet Explorer settings (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe

NTFS ADS (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Fol\grxv.exe:Zone.Identifier | cmd.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process | entries (identical log entries)
5076 | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe | 3
3524 | AcroRd32.exe | 20

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 5076 | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
3524 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process | entries (identical log entries)
3524 | AcroRd32.exe | 5
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries (identical log entries)
PID 5076 wrote to memory of 3524 | 5076 | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe | 90 | 3
PID 5076 wrote to memory of 4008 | 5076 | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe | 91 | 3
PID 4008 wrote to memory of 3928 | 4008 | cmd.exe | 93 | 3
PID 5076 wrote to memory of 3936 | 5076 | 5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe | 94 | 8
PID 3524 wrote to memory of 1348 | 3524 | AcroRd32.exe | 102 | 3
PID 1348 wrote to memory of 2752 | 1348 | RdrCEF.exe | 103 | 41
PID 1348 wrote to memory of 4116 | 1348 | RdrCEF.exe | 104 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe (PID 5076)
    command line: "C:\Users\Admin\AppData\Local\Temp\5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 3524)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\File.pdf"
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1348)
            command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2752)
                command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0E55D241C5CB3213019C1BDA34F6F52F --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                - System Location Discovery: System Language Discovery
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4116)
                command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=28A41357F82562C8D469969A2EA22732 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=28A41357F82562C8D469969A2EA22732 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
                - System Location Discovery: System Language Discovery
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 456)
                command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F511793A19B21EA1CA89FD5608118269 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                - System Location Discovery: System Language Discovery
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4364)
                command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=09881C0EF14A1FDD7193EFA7A3091E61 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=09881C0EF14A1FDD7193EFA7A3091E61 --renderer-client-id=5 --mojo-platform-channel-handle=1940 --allow-no-sandbox-job /prefetch:1
                - System Location Discovery: System Language Discovery
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1932)
                command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4C676E145E4ED45FCC037464C5D549C1 --mojo-platform-channel-handle=2536 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                - System Location Discovery: System Language Discovery
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1696)
                command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A28AF87DEB24F4B6229EA32977700E5B --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 4008)
        command line: "cmd.exe"
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - System Location Discovery: System Language Discovery
        - NTFS ADS
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe (PID 3928)
            command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Fol\grxv.exe.lnk" /f
            - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe (PID 3936)
        command line: "C:\Users\Admin\AppData\Local\Temp\5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe"
C:\Windows\System32\CompPkgSrv.exe (PID 1796)
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 64KB
MD5: 776bc815f08315106383e896a110337d
SHA1: 3119ad89886dc4ef0afc302e1ef1569ef31b5bb7
SHA256: a05e0868c187c6f140db397d81da9da58c655fcebf10790ff4742fd6d756ad71
SHA512: 246f7f777cd5278198913afc923f0f97126d9a58fe27f340d941647dab1c4e7c9f4317b1a2e636531e4cc9b82ad440bdc795cf5d2734f3130ea678ea3ce41581

Filesize: 36KB
MD5: b30d3becc8731792523d599d949e63f5
SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Filesize: 56KB
MD5: 752a1f26b18748311b691c7d8fc20633
SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Filesize: 29KB
MD5: 7c95c654ab8ee6241a26db29af165ddb
SHA1: f8acedba5bc48273138e7b1df59f3ecce869503b
SHA256: f576c01a7b5e8fb5a1cfd3ead4e8c28b27ab80d2b856c20701f7aa039613ab3c
SHA512: add97a2471d7f5df79451c5cbce10ea8dfa8a16fff397bf8b628376dd4b7365342b8222db5fa6e715b95c35e8ec39c28193d5435a435fb016eb6e378371413ba