Analysis
- max time kernel: 165s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:54
Behavioral task: behavioral1
- Sample: Discover All About Small Single Story Extension in The Netherlandstjsgrbezkp.pdf
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Discover All About Small Single Story Extension in The Netherlandstjsgrbezkp.pdf
- Resource: win10v2004-en-20220113
General
- Target: Discover All About Small Single Story Extension in The Netherlandstjsgrbezkp.pdf
- Size: 8KB
- MD5: 485c36dd99e7ab1e5d0269493eb59c75
- SHA1: 0db850c2e228569de74fde89ba36cfe58ddffa6e
- SHA256: ba254d4194ac2027c4be2aab8563faac95482f83050d4bf0fecc3bb849b9f0ac
- SHA512: 868de573ea9ac5f9529c3bb30d0feeb4893048a101a245b962834068d23b0883a889245902ba7bf86dd54cd59a6018c6de0b43f365c5e3211bb5a84ec8d74a6d
Malware Config
Signatures
Drops file in Windows directory 8 IoCs
Processes: TiWorker.exe, svchost.exe
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
Modifies Internet Explorer settings
Processes: AcroRd32.exe
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
Modifies data under HKEY_USERS 1 IoCs
Processes: svchost.exe
- Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes: AcroRd32.exe, AdobeARM.exe
- PID 1152 (AcroRd32.exe), 20 entries
- PID 1268 (AdobeARM.exe), 2 entries
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe
- Token: SeShutdownPrivilege, PID 2376 (svchost.exe), 3 entries
- Token: SeCreatePagefilePrivilege, PID 2376 (svchost.exe), 3 entries
- Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, PID 540 (TiWorker.exe), all remaining entries, repeated in that cycle
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
- PID 1152 (AcroRd32.exe)
Suspicious use of SetWindowsHookEx 8 IoCs
Processes: AcroRd32.exe, AdobeARM.exe
- PID 1152 (AcroRd32.exe), 7 entries
- PID 1268 (AdobeARM.exe), 1 entry
Suspicious use of WriteProcessMemory 64 IoCs
Processes: AcroRd32.exe, RdrCEF.exe
- PID 1152 (AcroRd32.exe) wrote to memory of PID 1348 (RdrCEF.exe), 3 entries
- PID 1152 (AcroRd32.exe) wrote to memory of PID 3680 (RdrCEF.exe), 3 entries
- PID 1348 (RdrCEF.exe) wrote to memory of PID 4920 (RdrCEF.exe), repeated entries
- PID 1348 (RdrCEF.exe) wrote to memory of PID 4960 (RdrCEF.exe), repeated entries
Processes
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Discover All About Small Single Story Extension in The Netherlandstjsgrbezkp.pdf"
  PID: 1152
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    PID: 1348
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1DD48632425CCCC475C3FE5325398889 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      PID: 4920
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D5E3AD98D9C8DC2AA1E61DF558342AED --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D5E3AD98D9C8DC2AA1E61DF558342AED --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      PID: 4960
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=87A0ECF08E68262F65C32BA25B2F61EC --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      PID: 2900
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6CED6456F0790DA928814AFA7E920D48 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      PID: 2304
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EDB8CD265FD2F70847464D9882B45C0 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      PID: 3940
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CA388FA041EA62BBE4FC81067B4EFD52 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CA388FA041EA62BBE4FC81067B4EFD52 --renderer-client-id=8 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job /prefetch:1
      PID: 620
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=891261317880256F4A7F86F54B8976F6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=891261317880256F4A7F86F54B8976F6 --renderer-client-id=10 --mojo-platform-channel-handle=2632 --allow-no-sandbox-job /prefetch:1
      PID: 3956
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    PID: 3680
  - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
    PID: 1268
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    Children:
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
      PID: 3060
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  PID: 3660
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2376
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 540
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3404522672187ad49ad74aec689075c0
  SHA1: af6b91326f443b04088cd3718b93334a7247ce1a
  SHA256: 0ef813051b890501283103fb2999aaa01438227b681dcf711d09c10c5846d72d
  SHA512: 35d47d228977ae3e77b1510e67fc082da37a39f346a23d4d5f65d91ac46ae51581ccb3c507efe6b33a8ac26af11e58ee2128f98a16ba4b1f2bf9b14e70389f18
- MD5: 6f014505b038aa70695dc6557662df8b
  SHA1: 25607777270af2b0a38da97d8d98ab9bc7926980
  SHA256: 52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc
  SHA512: 25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0
- MD5: daef9610629678de57c4567339f6e52c
  SHA1: 3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f
  SHA256: 9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701
  SHA512: 9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5
- MD5: 9143aa55d6501307e953cb70ef371d95
  SHA1: caf0709471745e9fe777e72f14b76dec9323feb7
  SHA256: 7b28c43870421a07e46dbcc29b6f5d3fa4d0656328c318eeabd3780464502827
  SHA512: 1edd5df07c7894fed273d959ac62f64a9c82135d6ab5a151d5fccf72cec0b3e282a1ee4e5baa4037925ab30451b700c565777da2cf3d29dfa5d7ea8c2a3ac9df