8afac92bec7a136bbcf18b8cb36a5c7b14d920fd908eee745efb66539491c7d8

General

Target

8afac92bec7a136bbcf18b8cb36a5c7b14d920fd908eee745efb66539491c7d8.pdf
Size

766KB
MD5

fe928252d87b18cb0d0820eca3bf047a
SHA1

c942292a7c9c8efd8d8ecdfde6a91c9b75d9ae9a
SHA256

8afac92bec7a136bbcf18b8cb36a5c7b14d920fd908eee745efb66539491c7d8
SHA512

88b1084d4e94db8a4591675f7d0babcbf11970a0c03c83f8817265f5178b41d6fc726f780f02a1ac916c35eabbfef2e377e3f20f7e580054b713ca541875bd24

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2756	AdobeARM.exe
2756	AdobeARM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeCreatePagefilePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeCreatePagefilePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeCreatePagefilePrivilege	844	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2520 AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2520	AcroRd32.exe
2756	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2520 wrote to memory of 2644	2520	AcroRd32.exe	RdrCEF.exe
PID 2520 wrote to memory of 2644	2520	AcroRd32.exe	RdrCEF.exe
PID 2520 wrote to memory of 2644	2520	AcroRd32.exe	RdrCEF.exe
PID 2520 wrote to memory of 3196	2520	AcroRd32.exe	RdrCEF.exe
PID 2520 wrote to memory of 3196	2520	AcroRd32.exe	RdrCEF.exe
PID 2520 wrote to memory of 3196	2520	AcroRd32.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 4912	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe
PID 2644 wrote to memory of 3300	2644	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\8afac92bec7a136bbcf18b8cb36a5c7b14d920fd908eee745efb66539491c7d8.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F84CD4AF811B7CDAEE3E79C9635C2484 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ADF5D78D3F7CE8991F8DC95D8D26059C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ADF5D78D3F7CE8991F8DC95D8D26059C --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3300
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E905BDACE3A9DD3F8E2192F5660B6646 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E905BDACE3A9DD3F8E2192F5660B6646 --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=184536DDC07525A77BE9573B6C9548DF --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4020
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=71A228B743CDB8E58BC6BAD49E58F1EA --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4900
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D2B3B139E64A57E8E43E433F103D99F3 --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:176
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D22813F69ED3B1C305A09A6DB1E5650C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D22813F69ED3B1C305A09A6DB1E5650C --renderer-client-id=8 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:220
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:3196
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2756
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-150-0x000002B555360000-0x000002B555370000-memory.dmp

Filesize
64KB

Download
memory/844-151-0x000002B555920000-0x000002B555930000-memory.dmp

Filesize
64KB

Download
memory/844-152-0x000002B557F90000-0x000002B557F94000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads