847cc7dffaa79555394b900f70167d5f68846711cdee212ee16d8553f0a4e312

General

Target

847cc7dffaa79555394b900f70167d5f68846711cdee212ee16d8553f0a4e312.pdf
Size

768KB
MD5

c4380b4cd776bbe06528e70d5554ff63
SHA1

1fd9fda7c2f7887d3e31e8ad9c1ce8ca90bbaea4
SHA256

847cc7dffaa79555394b900f70167d5f68846711cdee212ee16d8553f0a4e312
SHA512

5ca7b6e17dde2be994dfbfe2e3241a2ac00e0c8a1cb88a892729b88921f2211457489bfc1bfe8205957273e0736635f4313592254132d54c9003796bd6f9a97b

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4808	AdobeARM.exe
4808	AdobeARM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2324	svchost.exe
Token: SeCreatePagefilePrivilege	2324	svchost.exe
Token: SeShutdownPrivilege	2324	svchost.exe
Token: SeCreatePagefilePrivilege	2324	svchost.exe
Token: SeShutdownPrivilege	2324	svchost.exe
Token: SeCreatePagefilePrivilege	2324	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4456 AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4456	AcroRd32.exe
4808	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4456 wrote to memory of 112	4456	AcroRd32.exe	RdrCEF.exe
PID 4456 wrote to memory of 112	4456	AcroRd32.exe	RdrCEF.exe
PID 4456 wrote to memory of 112	4456	AcroRd32.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 5060	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe
PID 112 wrote to memory of 3176	112	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\847cc7dffaa79555394b900f70167d5f68846711cdee212ee16d8553f0a4e312.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=01399B99EA69C60A33273BC616398979 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5060
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=591804C5851585903CEC6E8DA35679C9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=591804C5851585903CEC6E8DA35679C9 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3176
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=996A7B2FB63424C913CB2B6416D77B00 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=996A7B2FB63424C913CB2B6416D77B00 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:752
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8526E7D13CA2412FF8D25EC2DF2563C --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2880
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DFDBCFAE46B5B78AD34117981B4A4671 --mojo-platform-channel-handle=2660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1520
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F1A2288BAA964A1CD674D1CD261D3C8C --mojo-platform-channel-handle=2504 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2596
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C641AFE3E4626DB806920AF8D02BF02C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C641AFE3E4626DB806920AF8D02BF02C --renderer-client-id=10 --mojo-platform-channel-handle=2464 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3992
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2324-130-0x000001A7C7560000-0x000001A7C7570000-memory.dmp

Filesize
64KB

Download
memory/2324-131-0x000001A7C7C20000-0x000001A7C7C30000-memory.dmp

Filesize
64KB

Download
memory/2324-132-0x000001A7CA2E0000-0x000001A7CA2E4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads