1c3d30d7637b1a6fb648b1cf1de6c7a8375337327cd243f87d525c109554db7d

General

Target

PO570943.exe
Size

850KB
MD5

15b8b9017505c2a13e8a513e9a92b3e0
SHA1

587304393a857e9f8feef26b5f44ac9d4cac5827
SHA256

1c3d30d7637b1a6fb648b1cf1de6c7a8375337327cd243f87d525c109554db7d
SHA512

7379421656a6640668399d8edb46bb34f6bbe386c50abc6fa07cf6c485dcba928a2a9a679234c6cecde34c7852ebb5698172caba6d0c7eb327872e417c28b84a

Score

8^/10

evasion spyware trojan

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

AcroRd32.exeWerFault.exe

pid	process
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe
428	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 428 WerFault.exe
Token: SeBackupPrivilege 428 WerFault.exe
Token: SeDebugPrivilege 428 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	428	WerFault.exe
Token: SeBackupPrivilege	428	WerFault.exe
Token: SeDebugPrivilege	428	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

PO570943.exeAcroRd32.exe

pid process

2536 PO570943.exe
2536 PO570943.exe
2536 PO570943.exe
2536 PO570943.exe
2536 PO570943.exe
1000 AcroRd32.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

PO570943.exe

pid process

2536 PO570943.exe
2536 PO570943.exe
2536 PO570943.exe
2536 PO570943.exe
2536 PO570943.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

1000 AcroRd32.exe
1000 AcroRd32.exe
1000 AcroRd32.exe
1000 AcroRd32.exe
1000 AcroRd32.exe

pid	process
2536	PO570943.exe
2536	PO570943.exe
2536	PO570943.exe
2536	PO570943.exe
2536	PO570943.exe
1000	AcroRd32.exe

pid	process
2536	PO570943.exe
2536	PO570943.exe
2536	PO570943.exe
2536	PO570943.exe
2536	PO570943.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PO570943.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	PO570943.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b0601050507030353000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	PO570943.exe

Modifies registry class 1 IoCs

Processes:

PO570943.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings PO570943.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings	PO570943.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Suspicious use of WriteProcessMemory 259 IoCs

Processes:

PO570943.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2536 wrote to memory of 1000	2536	PO570943.exe	AcroRd32.exe
PID 2536 wrote to memory of 1000	2536	PO570943.exe	AcroRd32.exe
PID 2536 wrote to memory of 1000	2536	PO570943.exe	AcroRd32.exe
PID 2536 wrote to memory of 1216	2536	PO570943.exe	Temp5900785.exe
PID 2536 wrote to memory of 1216	2536	PO570943.exe	Temp5900785.exe
PID 2536 wrote to memory of 1216	2536	PO570943.exe	Temp5900785.exe
PID 1000 wrote to memory of 1836	1000	AcroRd32.exe	RdrCEF.exe
PID 1000 wrote to memory of 1836	1000	AcroRd32.exe	RdrCEF.exe
PID 1000 wrote to memory of 1836	1000	AcroRd32.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 2980	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe
PID 1836 wrote to memory of 3696	1836	RdrCEF.exe	RdrCEF.exe

Executes dropped EXE 1 IoCs

Processes:

Temp5900785.exe

pid process

1216 Temp5900785.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

428 1216 WerFault.exe Temp5900785.exe

pid	process
1216	Temp5900785.exe

pid	pid_target	process	target process
428	1216	WerFault.exe	Temp5900785.exe

C:\Users\Admin\AppData\Local\Temp\PO570943.exe
"C:\Users\Admin\AppData\Local\Temp\PO570943.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Modifies system certificate store
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp200423-2020501-pds-ostrichoo-ffp2-rdy.pdf"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B13C574ABE60F10C87335B4C1DAC88EC --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2980

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A809CD9A22CB1A6F97796243EE80633D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A809CD9A22CB1A6F97796243EE80633D --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3696

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E64C7787462DAACDB444CA814D0F40EE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E64C7787462DAACDB444CA814D0F40EE --renderer-client-id=4 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE689C3FF5B21D292DC3D2F49CA10397 --mojo-platform-channel-handle=2468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=385139A102E9C72003BC6A99C7DD5C50 --mojo-platform-channel-handle=1840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2204

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7AF13EC7E8BDCD6061AE668841E9B2A --mojo-platform-channel-handle=2500 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:428

C:\Users\Admin\AppData\Local\Temp5900785.exe
"C:\Users\Admin\AppData\Local\Temp5900785.exe"
2⤵
- Executes dropped EXE
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 848
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Program crash
PID:428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp200423-2020501-pds-ostrichoo-ffp2-rdy.pdf

Download Submit
C:\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
memory/428-66-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/428-82-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/428-72-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/428-70-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/428-68-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/428-26-0x00000000770B2000-0x00000000770B200C-memory.dmp

Filesize
12B

Download
memory/428-64-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/428-62-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/428-60-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/428-47-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/428-37-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/428-27-0x0000000000000000-mapping.dmp

Download
memory/1000-0-0x0000000000000000-mapping.dmp

Download
memory/1216-41-0x0000000000000000-mapping.dmp

Download
memory/1216-74-0x0000000000000000-mapping.dmp

Download
memory/1216-1-0x0000000000000000-mapping.dmp

Download
memory/1216-38-0x0000000000000000-mapping.dmp

Download
memory/1216-40-0x0000000000000000-mapping.dmp

Download
memory/1216-39-0x0000000000000000-mapping.dmp

Download
memory/1216-81-0x0000000000000000-mapping.dmp

Download
memory/1216-42-0x0000000000000000-mapping.dmp

Download
memory/1216-43-0x0000000000000000-mapping.dmp

Download
memory/1216-44-0x0000000000000000-mapping.dmp

Download
memory/1216-45-0x0000000000000000-mapping.dmp

Download
memory/1216-80-0x0000000000000000-mapping.dmp

Download
memory/1216-79-0x0000000000000000-mapping.dmp

Download
memory/1216-78-0x0000000000000000-mapping.dmp

Download
memory/1216-77-0x0000000000000000-mapping.dmp

Download
memory/1216-76-0x0000000000000000-mapping.dmp

Download
memory/1216-75-0x0000000000000000-mapping.dmp

Download
memory/1836-5-0x0000000000000000-mapping.dmp

Download
memory/2204-24-0x0000000000000000-mapping.dmp

Download
memory/2204-23-0x00000000770B2000-0x00000000770B200C-memory.dmp

Filesize
12B

Download
memory/2980-7-0x00000000770B2000-0x00000000770B200C-memory.dmp

Filesize
12B

Download
memory/2980-8-0x0000000000000000-mapping.dmp

Download
memory/3548-20-0x00000000770B2000-0x00000000770B200C-memory.dmp

Filesize
12B

Download
memory/3548-21-0x0000000000000000-mapping.dmp

Download
memory/3696-10-0x00000000770B2000-0x00000000770B200C-memory.dmp

Filesize
12B

Download
memory/3696-11-0x0000000000000000-mapping.dmp

Download
memory/3888-15-0x00000000770B2000-0x00000000770B200C-memory.dmp

Filesize
12B

Download
memory/3888-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads