Analysis
  max time kernel:   77s
  max time network:  74s
  platform:          windows10-2004_x64
  resource:          win10v2004-en-20220112
  submitted:         14-02-2022 11:29

Behavioral task: behavioral1
  Sample:    EnimerotikoForeon2022.pdf
  Resource:  win10v2004-en-20220112
  Platform:  windows10-2004_x64
  0 signatures, 0 seconds
General
  Target:  EnimerotikoForeon2022.pdf
  Size:    162KB
  MD5:     ec8f622a3cfae8c9883eb8bb440aaffb
  SHA1:    c75c88fca5aa0ee80657326307fdbaf529cf0d5f
  SHA256:  195fa2781235fbff1ee52d2b7cef7540a8dd076149586372876ccdb9a69d81f1
  SHA512:  051e79c33ef1243f3a7e96f59d05b315d56d6cfdd3c3bf63059fd2079d0d4116ce3a18f3dd041fe00ab26148d5be9036c3dc7e0c71ffc9690a7149c5b8342eed
  Score:   10/10
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess - 1 IoC
Processes:
  description              pid   process       target process
  PID 3972 created 2180    3972  WerFault.exe  backgroundTaskHost.exe
Drops file in Windows directory - 3 IoCs
Processes:
  description                   ioc                                                                                                         process
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                                                                 TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                                                               TiWorker.exe
Program crash - 1 IoC
Processes:
  pid   pid_target  process       target process
  3276  2180        WerFault.exe  backgroundTaskHost.exe
Checks processor information in registry - 2 TTPs, 7 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 AcroRd32.exe
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      MusNotifyIcon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 MusNotifyIcon.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      AcroRd32.exe
Enumerates system info in registry - 2 TTPs, 2 IoCs
Processes:
  description        ioc                                                           process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                                                                process
  Key created  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
Modifies data under HKEY_USERS - 53 IoCs
Opens file in notepad (likely ransom note) - 1 IoC
Processes:
  pid   process
  1040  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses - 20 IoCs
Processes:
  pid   process
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  3276  WerFault.exe
  3276  WerFault.exe
Suspicious use of AdjustPrivilegeToken - 64 IoCs
Suspicious use of FindShellTrayWindow - 1 IoC
Processes:
  pid   process
  4008  AcroRd32.exe
Suspicious use of SetWindowsHookEx - 6 IoCs
Processes:
  pid   process
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
  4008  AcroRd32.exe
Suspicious use of WriteProcessMemory - 64 IoCs
Processes

C:\Windows\system32\backgroundTaskHost.exe  [PID 2180]
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca

    C:\Windows\system32\WerFault.exe  [PID 3276]
      Command line: C:\Windows\system32\WerFault.exe -u -p 2180 -s 2052
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  [PID 4008]
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\EnimerotikoForeon2022.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  [PID 3252]
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  [PID 2508]
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC26D16BCF4319B71863146B7D488144 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  [PID 3424]
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6BDC6824ED63085EFEE4CF0DC10FB15F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6BDC6824ED63085EFEE4CF0DC10FB15F --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  [PID 3880]
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0A45686B33BE11709C649D8163A7ED85 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0A45686B33BE11709C649D8163A7ED85 --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  [PID 3156]
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8BFFE12AC9D176558602A93814E96DC4 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  [PID 2248]
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=077B3E323B4A6F86A6AC15E2EC88B458 --mojo-platform-channel-handle=1908 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  [PID 3984]
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4D1F348CBF6B7E06BE8DDC83803CDDB9 --mojo-platform-channel-handle=2684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  [PID 316]
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Windows\system32\MusNotifyIcon.exe  [PID 1284]
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\System32\svchost.exe  [PID 3448]
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  [PID 3412]
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe  [PID 3972]
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 2180 -ip 2180
  - Suspicious use of NtCreateProcessExOtherParentProcess

C:\Windows\system32\NOTEPAD.EXE  [PID 1040]
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ExitEdit.txt
  - Opens file in notepad (likely ransom note)

C:\Windows\System32\rundll32.exe  [PID 980]
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding