78a5d2678edba94c2d9e05cc4385087ef5e0027ce1f03ec215d9f80c82a5cead

General

Target

78a5d2678edba94c2d9e05cc4385087ef5e0027ce1f03ec215d9f80c82a5cead.pdf
Size

765KB
MD5

7a016c37fa50989e082b7f1ca2826f04
SHA1

5899a60848e73f616b777e93b42e8f6925c3a3fc
SHA256

78a5d2678edba94c2d9e05cc4385087ef5e0027ce1f03ec215d9f80c82a5cead
SHA512

bcd458a0ee35f47febadca84ddf2040fde76a9ac5cc5ce03872f6541fcb1ffe04afaf940f6d0cf34c3129d3c339e9b749489f05097aae857ec39a5e217fe460d

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2196	svchost.exe
Token: SeCreatePagefilePrivilege	2196	svchost.exe
Token: SeShutdownPrivilege	2196	svchost.exe
Token: SeCreatePagefilePrivilege	2196	svchost.exe
Token: SeShutdownPrivilege	2196	svchost.exe
Token: SeCreatePagefilePrivilege	2196	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3636 AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
5084	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3636 wrote to memory of 3924	3636	AcroRd32.exe	RdrCEF.exe
PID 3636 wrote to memory of 3924	3636	AcroRd32.exe	RdrCEF.exe
PID 3636 wrote to memory of 3924	3636	AcroRd32.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 2176	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe
PID 3924 wrote to memory of 3544	3924	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\78a5d2678edba94c2d9e05cc4385087ef5e0027ce1f03ec215d9f80c82a5cead.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FBF958ED2758121ECFF64E2E1352439C --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7B64DD72F03249FC4AE24C98DB9E0090 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7B64DD72F03249FC4AE24C98DB9E0090 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3544

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=53C9845BFD3792339B1FD69694BCF57B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=53C9845BFD3792339B1FD69694BCF57B --renderer-client-id=4 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4132

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5F187CC387E1732EAB24BB2EBBB49F7D --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4152

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=385044B8C381D8A501C5DFC2FD88F5B1 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=61C5344AFF4899C60506694BA0F698A8 --mojo-platform-channel-handle=2760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4384

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=29C8F2A143B3CC2C2AB38472A2D5F8E7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=29C8F2A143B3CC2C2AB38472A2D5F8E7 --renderer-client-id=10 --mojo-platform-channel-handle=2776 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4460

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
e99469397627c41aef00f99f82cf1a7b

SHA1
06a3117b721df53ccd80f9857a2378efd7bef92c

SHA256
ad985aba0f0ef656cde462832d0ae8205c43e39b5ecaa7908589d91411f66ca0

SHA512
e70501169037f1a3ada990a18551d4153b9e3e34b0171a0367bfec25920a38e89d7352ca2eb2dc4832bf2308b69fd939aef13425c65afddf9d476885a6ecb9bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
a506b66b42e60b9bb8e59cd211fcb64b

SHA1
73a298f529c41d143a662f5389d222dea8d78cab

SHA256
29f61c2983ceaab5a44a7b9ad822ff5e3b233727bc1fb4a437a0120a0af06655

SHA512
38a29c883de7188ba4bedf4a59a85652e3a2f8809aee92640f36eb54a1221d6477ec55c42ea3bf73b1309397034cda05645bad267ae72d45f45d8e7f15e14669

Download Submit
memory/2196-134-0x00000223FF5E0000-0x00000223FF5F0000-memory.dmp

Filesize
64KB

Download
memory/2196-133-0x00000223FED50000-0x00000223FED60000-memory.dmp

Filesize
64KB

Download
memory/2196-135-0x00000223FFAD0000-0x00000223FFAD4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads