48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70

Analysis

max time kernel
150s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 12:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe
Size

263KB
MD5

da63d0e34f84dc3093f173d206ef75a1
SHA1

b679f60dcc8481a80ce4d5f66c733ee7b22b64fb
SHA256

48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70
SHA512

4fe99e5adb7d268c6c66aa659bc297f2f8aee27776acea7e990d70c4972f4e5d0fc52823c6db860f281cc20c24d6a68e79ef5cd4ac19f3a201d013587a9d7ce5
SSDEEP

6144:4yZcAuFcCf38XolyxnDFJ6VcWhlhrK64XxHcA/d5i8fgBw2VaD:RTOcCf6y0C3MNdhgw2VaD

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\58032 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msiqcuf.bat"	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
5044	equipment .exe
308	equipment.exe
4524	equipment.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	equipment .exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	equipment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	equipment.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 308 set thread context of 4524	308	equipment.exe	86

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\msiqcuf.bat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
308	equipment.exe
308	equipment.exe
4524	equipment.exe
4524	equipment.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4524	equipment.exe
4524	equipment.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2880	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2880	AcroRd32.exe
308	equipment.exe
308	equipment.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 2880	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	79
PID 5072 wrote to memory of 2880	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	79
PID 5072 wrote to memory of 2880	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	79
PID 5072 wrote to memory of 5044	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	80
PID 5072 wrote to memory of 5044	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	80
PID 5072 wrote to memory of 5044	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	80
PID 5072 wrote to memory of 2844	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	81
PID 5072 wrote to memory of 2844	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	81
PID 5072 wrote to memory of 2844	5072	48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe	81
PID 5044 wrote to memory of 308	5044	equipment .exe	83
PID 5044 wrote to memory of 308	5044	equipment .exe	83
PID 5044 wrote to memory of 308	5044	equipment .exe	83
PID 5044 wrote to memory of 208	5044	equipment .exe	84
PID 5044 wrote to memory of 208	5044	equipment .exe	84
PID 5044 wrote to memory of 208	5044	equipment .exe	84
PID 308 wrote to memory of 4524	308	equipment.exe	86
PID 308 wrote to memory of 4524	308	equipment.exe	86
PID 308 wrote to memory of 4524	308	equipment.exe	86
PID 308 wrote to memory of 4524	308	equipment.exe	86
PID 308 wrote to memory of 4524	308	equipment.exe	86
PID 308 wrote to memory of 4524	308	equipment.exe	86
PID 308 wrote to memory of 4524	308	equipment.exe	86
PID 4524 wrote to memory of 4124	4524	equipment.exe	87
PID 4524 wrote to memory of 4124	4524	equipment.exe	87
PID 4524 wrote to memory of 4124	4524	equipment.exe	87
PID 2880 wrote to memory of 4680	2880	AcroRd32.exe	88
PID 2880 wrote to memory of 4680	2880	AcroRd32.exe	88
PID 2880 wrote to memory of 4680	2880	AcroRd32.exe	88
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91
PID 4680 wrote to memory of 3896	4680	RdrCEF.exe	91

C:\Users\Admin\AppData\Local\Temp\48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe
"C:\Users\Admin\AppData\Local\Temp\48074ccfef76be5bb09e4addbb9d37b0fb3a38e376901b6f57ce27dec94aee70.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\equipment.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=25EBBA802B36CCBE7D81903122D9A006 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3896
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9CEAB4129FAFEFCC3AF138BD365D9340 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9CEAB4129FAFEFCC3AF138BD365D9340 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:524
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F7B4CCED31BFA90AB02F828DC5FB947C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F7B4CCED31BFA90AB02F828DC5FB947C --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4252
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4E71E29FB2F8F607B526082084CD2849 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4056
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=491529DE1C1243D9B55B10C54A01997B --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1784
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7FAD6B833F402375BF24604995B36E24 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4564
- C:\Users\Admin\AppData\Local\Temp\equipment .exe
  "C:\Users\Admin\AppData\Local\Temp\equipment .exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\equipment.exe
    "C:\Users\Admin\AppData\Local\Temp\equipment.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Users\Admin\AppData\Local\Temp\equipment.exe
      C:\Users\Admin\AppData\Local\Temp\equipment.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\syswow64\svchost.exe
        5⤵
        Adds policy Run key to start application
        Drops file in Program Files directory
        
        PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:2844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
a89ec636163a074f091947f250a62883

SHA1
96c60a01bcc2a06db7ae90f22b6859951a0f2386

SHA256
d54539750c8187271af588e1bc955d6fba0e6d26dc0872076a49feff5eff0613

SHA512
3ba5a931c6323bfb092d89fe61fc170e7cb3974ebfb0d6278711bac61bc7ebb02fd38f775f7433670ed1ae652f5279a580b84a457b112c1227099fb50a3310ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
192B

MD5
25aa12d7381d9fbd193683cfe9d4d598

SHA1
badf454d247bb1720f0d50e715a2c51df4a282ef

SHA256
892aab432d2430c45385590c68f6724c4bf05b2f0ca388cb9a0643f92c674af2

SHA512
23759f2c548690786241477fd66c78dc3481aeafaf8b5f6a5d54a9bcfe9b2bd2ff767cbc2dafa24f1b4ab4b364232fa4fcad793cbc7e026db3cc0db5a6e2170d

Download Submit
C:\Users\Admin\AppData\Local\Temp\equipment .exe

Filesize
163KB

MD5
1ab53795f0c7f37b668f77dde8ba0d9f

SHA1
7b34969c1b0f4c657704f690f5febccf3da8595d

SHA256
01acdc49c2901f797764e2821607ec0be4d7662f28de02a83e8b81d0da9b4a58

SHA512
c406107f7eb2208c467048a967c43e45d26863baf6c2f2e13600eba0c6d9b91c381fe4b099ff4da67c45d52d34392a4472ec42b0dd66afd9071390864d09d5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\equipment .exe

Filesize
163KB

MD5
1ab53795f0c7f37b668f77dde8ba0d9f

SHA1
7b34969c1b0f4c657704f690f5febccf3da8595d

SHA256
01acdc49c2901f797764e2821607ec0be4d7662f28de02a83e8b81d0da9b4a58

SHA512
c406107f7eb2208c467048a967c43e45d26863baf6c2f2e13600eba0c6d9b91c381fe4b099ff4da67c45d52d34392a4472ec42b0dd66afd9071390864d09d5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\equipment.exe

Filesize
120KB

MD5
ba118c11d5739dc6e11adeaf5e297f4f

SHA1
4a5aac8d08ade1ab6ca2392d1bb3124eede1e5d8

SHA256
4b06d8ca582a261a2c1489fce78534dc85c4a4d99b775092ff878ebc560e120a

SHA512
f7a2a7b3a8575a1058afbc51113cae176edfb8bd2736b49e928cd6dec56d0f86c4c27580452a378d8635e0b66ce9c13c9fc839b0ce4a12512afe91e3659783c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\equipment.exe

Filesize
120KB

MD5
ba118c11d5739dc6e11adeaf5e297f4f

SHA1
4a5aac8d08ade1ab6ca2392d1bb3124eede1e5d8

SHA256
4b06d8ca582a261a2c1489fce78534dc85c4a4d99b775092ff878ebc560e120a

SHA512
f7a2a7b3a8575a1058afbc51113cae176edfb8bd2736b49e928cd6dec56d0f86c4c27580452a378d8635e0b66ce9c13c9fc839b0ce4a12512afe91e3659783c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\equipment.exe

Filesize
120KB

MD5
ba118c11d5739dc6e11adeaf5e297f4f

SHA1
4a5aac8d08ade1ab6ca2392d1bb3124eede1e5d8

SHA256
4b06d8ca582a261a2c1489fce78534dc85c4a4d99b775092ff878ebc560e120a

SHA512
f7a2a7b3a8575a1058afbc51113cae176edfb8bd2736b49e928cd6dec56d0f86c4c27580452a378d8635e0b66ce9c13c9fc839b0ce4a12512afe91e3659783c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\equipment.pdf

Filesize
38KB

MD5
6948fef2dd8fe5777f51411fae91cc71

SHA1
9895f6a9cc620c8866c9853a0f2e113cc0a054bf

SHA256
9983ee85788d7bf8cb37a8da2f6729bab7904009dd1ed44ba2703aa6ccf02663

SHA512
8215c66f62974fa97bd755557be141589690b77936c19dd5bc0e907e40a0e7cc295f380ffc985eea38654530c54e84bfb6f40bf89d8ec56b6ed0cb8bff439f78

Download Submit
memory/308-147-0x00000000005F0000-0x00000000005F4000-memory.dmp

Filesize
16KB

Download
memory/4124-150-0x0000000000910000-0x0000000000915000-memory.dmp

Filesize
20KB

Download
memory/4124-151-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/4124-175-0x0000000000910000-0x0000000000915000-memory.dmp

Filesize
20KB

Download
memory/4524-145-0x0000000000400000-0x0000000001788000-memory.dmp

Filesize
19.5MB

Download
memory/4524-148-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download