727b21d3161c37d2e70a9f367d72d41fac891153540bbebbe9cac7c13367b9b6

General

Target

d959b480824d3f572e43bfdc6662d177353443bac3210448c8b02c9a01a3bec0.pdf
Size

339KB
MD5

80a1c58f87a5546e12d09e5cbbac80e9
SHA1

4e92f9231b72fd64588e07428f84463941ae7355
SHA256

d959b480824d3f572e43bfdc6662d177353443bac3210448c8b02c9a01a3bec0
SHA512

b1bd2df11b6c83aee5aabd7cd2650f9f9bb0b5979501befa478aea8a16c18e6a52fc856c834b2173565c4cf190e644ad82e750f5ca2c94456e21dd9b23a54260

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AcroRd32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings AcroRd32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1016 WINWORD.EXE
1016 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	AcroRd32.exe

pid	process
1016	WINWORD.EXE
1016	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1016 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1068 AcroRd32.exe

description	pid	process
Token: SeAuditPrivilege	1016	WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

AcroRd32.exeWINWORD.EXE

pid	process
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1068	AcroRd32.exe
1016	WINWORD.EXE
1016	WINWORD.EXE
1016	WINWORD.EXE
1068	AcroRd32.exe
1016	WINWORD.EXE
1016	WINWORD.EXE
1016	WINWORD.EXE
1016	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1068 wrote to memory of 1076	1068	AcroRd32.exe	RdrCEF.exe
PID 1068 wrote to memory of 1076	1068	AcroRd32.exe	RdrCEF.exe
PID 1068 wrote to memory of 1076	1068	AcroRd32.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 2464	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe
PID 1076 wrote to memory of 3556	1076	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d959b480824d3f572e43bfdc6662d177353443bac3210448c8b02c9a01a3bec0.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=124654ED287737CAFA831D15FD6E822B --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=45624AE60D2D1341CD0F6E6EB4BA7922 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=45624AE60D2D1341CD0F6E6EB4BA7922 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FC7A2D1757C811022946A12D149F7BB6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FC7A2D1757C811022946A12D149F7BB6 --renderer-client-id=4 --mojo-platform-channel-handle=2164 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4552E2005F7D679C66EC9DF5DE404C19 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2144

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=886433F089A850A86314798ABF768AF2 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF6DBCBCDA20C6DA6BBB5B3BA2FD660C --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4132

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\A9R1t966d0_pok0bn_to.tmp\has been verified. However PDF, JPEG, xlsx, .docx" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A9R1t966d0_pok0bn_to.tmp\has been verified. However PDF, JPEG, xlsx, .docx
Filesize
139KB

MD5
ec835425f9ac0a43ef2f5fffd56d2c95

SHA1
d36026e6716560212c761744ec301fb265c07634

SHA256
503a97b28718e3c1a2e58aa8ad3765ddc33c8d1f97648f253612dde76c585c25

SHA512
1198c203977253aa6f7d3f7123c2b94716689a0d8ff3a2f37ce77ce839b040f20ac31d25fd19705d4e61e8bef27235c9d6509363e8b72486295d634d281a8722

Download Submit
memory/1016-156-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1016-160-0x00007FFF50640000-0x00007FFF50650000-memory.dmp

Filesize
64KB

Download
memory/1016-155-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1016-164-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1016-165-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1016-163-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1016-159-0x00007FFF50640000-0x00007FFF50650000-memory.dmp

Filesize
64KB

Download
memory/1016-154-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1016-139-0x0000000000000000-mapping.dmp

Download
memory/1016-166-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1016-158-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1016-157-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp

Filesize
64KB

Download
memory/1076-130-0x0000000000000000-mapping.dmp

Download
memory/2144-144-0x0000000000000000-mapping.dmp

Download
memory/2464-132-0x0000000000000000-mapping.dmp

Download
memory/3068-141-0x0000000000000000-mapping.dmp

Download
memory/3556-135-0x0000000000000000-mapping.dmp

Download
memory/4012-149-0x0000000000000000-mapping.dmp

Download
memory/4132-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads