12affb37160cf0bb5fe284c7f65ddeea23a788f4d35fbf158a4877c99640e8c3

Analysis

max time kernel
66s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup (SLINKY).exe
Size

687KB
MD5

5bfdbb28cc7fed82bf415edac9c9eb83
SHA1

c04b108edbb95b75dc1496bed342b937f37fa17a
SHA256

12affb37160cf0bb5fe284c7f65ddeea23a788f4d35fbf158a4877c99640e8c3
SHA512

ff52df5c58fbee9dd555f373bb1a4b520e36f6a76e1b6ed345015cbd0adf1a3927dd79afe1b92e76b439d1221865b72a34a9023fad3c0c1f849e6a90e4352ae3
SSDEEP

12288:XeamasPpcOQZTOK7AXIfaNpcAlZwKXKCzNCFQpZGtK8HtDdoA/LQXvU7gkXeNV:uamasBcVOK75JKo0EtFHt+yQXvU7ze

Score

7^/10

link pdf

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup (SLINKY).exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation setup (SLINKY).exe
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
pdf link

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\Slinky.pdf pdf_with_link_action
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1496 4120 WerFault.exe AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	setup (SLINKY).exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Slinky.pdf	pdf_with_link_action

pid	pid_target	process	target process
1496	4120	WerFault.exe	AcroRd32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

AcroRd32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

setup (SLINKY).exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings setup (SLINKY).exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

setup (SLINKY).exe

pid process

224 setup (SLINKY).exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

setup (SLINKY).exeAcroRd32.exe

pid process

224 setup (SLINKY).exe
4120 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4120 AcroRd32.exe
4120 AcroRd32.exe
4120 AcroRd32.exe
4120 AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	setup (SLINKY).exe

pid	process
224	setup (SLINKY).exe

pid	process
224	setup (SLINKY).exe
4120	AcroRd32.exe

pid	process
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup (SLINKY).exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 224 wrote to memory of 4120	224	setup (SLINKY).exe	AcroRd32.exe
PID 224 wrote to memory of 4120	224	setup (SLINKY).exe	AcroRd32.exe
PID 224 wrote to memory of 4120	224	setup (SLINKY).exe	AcroRd32.exe
PID 4120 wrote to memory of 3124	4120	AcroRd32.exe	RdrCEF.exe
PID 4120 wrote to memory of 3124	4120	AcroRd32.exe	RdrCEF.exe
PID 4120 wrote to memory of 3124	4120	AcroRd32.exe	RdrCEF.exe
PID 4120 wrote to memory of 4304	4120	AcroRd32.exe	RdrCEF.exe
PID 4120 wrote to memory of 4304	4120	AcroRd32.exe	RdrCEF.exe
PID 4120 wrote to memory of 4304	4120	AcroRd32.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 1724	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe
PID 3124 wrote to memory of 4864	3124	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\setup (SLINKY).exe
"C:\Users\Admin\AppData\Local\Temp\setup (SLINKY).exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Slinky.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=82E5266B045A886400DBE47194500489 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=82E5266B045A886400DBE47194500489 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1724

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ED2359959717B9BC8F6AD59A2DABBA07 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B3AEC67374BFAA7E3E97B88576E36DA5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B3AEC67374BFAA7E3E97B88576E36DA5 --renderer-client-id=4 --mojo-platform-channel-handle=2152 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3196

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC19662FEF10375252C3D3404E6B2A09 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7583F9FFA1211FD140D692845114192E --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2300

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D75146584BC4C4C6C05D8273DC68EC4B --mojo-platform-channel-handle=2716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1400
3⤵
- Program crash
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4120 -ip 4120
1⤵
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
3a6c4d4c70ad87eeec864a6825fcf669

SHA1
b45ca5804ddc1f747b8f4e80ac2a69db2e40f304

SHA256
c317e350d80df62e0a7d5d9b2b9c1d39d584c31a3a2d6d618908c03ad08d7b7f

SHA512
59447a0fa4d930ae19ab5f2652f75952336385d0e76d4d79fc8fe707a5de0d040a6a24fa9db01649d5a8b2a28fe96fc43339f0410d8d1581548b729c27dc725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slinky.pdf
Filesize
285KB

MD5
8a651d3c642d4da38c54124b8a045804

SHA1
8006c155846f5a7a422a84eebd4ac175fc895da5

SHA256
ce7e7f6efec617fd75d599ec48a2a162cf2f520dd982d168c6caf596a74567bb

SHA512
6a9a40511b8cf13a0f8c147c0cd503bb1584a6178cbeb91a58b6ae1f28ce9fb54f396fd0faeb7cd2c0d369fe349c4e54c27c32252f40092f0391e63fd68ac62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\slinky.dat
Filesize
7B

MD5
b3784fac61fe08d892731cb64f25174d

SHA1
09d1ae1fd9288dfde5f1554700297b2199f9dab8

SHA256
07af3494e1734c5081b23bd34f26a9aa81e063f16035fe6c2e65f527a8b5d330

SHA512
49080b940375fc63831120a6d63d5966672ef7e7d2003e983a61edc1151ae10b626123c3bc4a227696ac3a67f22e0decb52fbbe2a4458b76db143497130e585c

Download Submit
memory/224-0-0x00007FF643A00000-0x00007FF643B81000-memory.dmp

Filesize
1.5MB

Download
memory/224-53-0x00007FF643A00000-0x00007FF643B81000-memory.dmp

Filesize
1.5MB

Download