Analysis
  max time kernel: 1775s
  max time network: 1780s
  platform: windows10-1703_x64
  resource: win10-20230703-en
  resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 16/08/2023, 11:08
Behavioral task: behavioral1
  Sample: Adobe Acrobat DC Setup.exe
  Resource: win10-20230703-en
Behavioral task: behavioral2
  Sample: Adobe Acrobat DC Setup.exe
  Resource: win10v2004-20230703-en
General
  Target: Adobe Acrobat DC Setup.exe
  Size: 3.6MB
  MD5: e5ba9440e3338884a7963995ca9132d7
  SHA1: aa177c582fff33279a5e9fd27104c43cbf8d8a70
  SHA256: 1eac2dc913dd6753e4195898af82412511a503990e1d5b7a86fd5919f6feee82
  SHA512: 54e3b044a9ae4583e89695e9c7ab1e6933ea38ff55473f32537b0a9adf6522a7fb433bc143224e0b6f79223692b474acbd1196fc2e2b361f1182062250a76bc7
  SSDEEP: 98304:4ZeSO1fNPbR/5pGs4+Lrlkixl7u2J43gZxbCaly7yhR+pd2SwGJYdy8K+I:cIWJX8K
Malware Config
Extracted
  Family: quasar
  reconnect_delay: 3000
Extracted
  Family: quasar
  Version: 1.0
  Botnet: Powershell
  C2: 0.tcp.eu.ngrok.io:16640
  Mutex: 039bf99d-a398-4525-a7b4-00d8916a2e80
  Attributes:
    encryption_key: 8A2A7B58F2803115FF796E733C7311493928333B
    install_name: AppLaunch.exe
    log_directory: Windows Logs
    reconnect_delay: 3000
    startup_key: Windows Update
    subdirectory: Windows Applications
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer" | powershеll.exe
Quasar payload 4 IoCs
resource | yara_rule
behavioral1/memory/2832-117-0x0000000000260000-0x0000000000604000-memory.dmp | family_quasar
behavioral1/files/0x000800000001af39-123.dat | family_quasar
behavioral1/files/0x000800000001af39-125.dat | family_quasar
behavioral1/memory/1020-127-0x0000000000FE0000-0x0000000001312000-memory.dmp | family_quasar
Executes dropped EXE 3 IoCs
pid | process
1020 | powershеll.exe
4180 | Shrek.exe
4872 | Scary_Bird.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in System32 directory 3 IoCs
description | ioc | process
File opened for modification | C:\Windows\system32\lusrmgr.msc | mmc.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | Adobe Acrobat DC Setup.exe
File opened for modification | C:\Windows\system32\taskschd.msc | mmc.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\wall.jpg" | Shrek.exe
Drops file in Windows directory 9 IoCs
description | ioc | process
File created | C:\Windows\INF\netsstpa.PNF | svchost.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | explorer.exe
File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | Taskmgr.exe
File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | Taskmgr.exe
File created | C:\Windows\INF\netrasa.PNF | svchost.exe
File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | Taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | Taskmgr.exe
File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | Taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | Taskmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
4300 | schtasks.exe
Kills process with taskkill 1 IoCs
pid | process
2124 | taskkill.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS 2 IoCs
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Modifies registry class 64 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
pid | process
1980 | NOTEPAD.EXE
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid | process
212 | explorer.exe
1264 | explorer.exe
4948 | explorer.exe
212 | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 5036 AcroRd32.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 4872 Scary_Bird.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 10 IoCs
pid | process
396 | mmc.exe
212 | explorer.exe
1264 | explorer.exe
2604 | Taskmgr.exe
1020 | powershеll.exe
2748 | netplwiz.exe
4940 | mmc.exe
1520 | Taskmgr.exe
4948 | explorer.exe
5096 | Netplwiz.exe
Suspicious behavior: LoadsDriver 10 IoCs
pid | process
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
640 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1020 powershеll.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe 
Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe Token: SeIncBasePriorityPrivilege 396 mmc.exe Token: 33 396 mmc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 5036 AcroRd32.exe 212 explorer.exe 212 explorer.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 2604 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 1520 Taskmgr.exe 212 explorer.exe 532 Taskmgr.exe 532 Taskmgr.exe 532 Taskmgr.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
pid | process
1020 | powershеll.exe
396 | mmc.exe
396 | mmc.exe
5036 | AcroRd32.exe
5036 | AcroRd32.exe
5036 | AcroRd32.exe
5036 | AcroRd32.exe
5036 | AcroRd32.exe
212 | explorer.exe
212 | explorer.exe
1264 | explorer.exe
1264 | explorer.exe
1264 | explorer.exe
1264 | explorer.exe
4948 | explorer.exe
4948 | explorer.exe
4940 | mmc.exe
4940 | mmc.exe
4940 | mmc.exe
4940 | mmc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2832 wrote to memory of 4300 2832 Adobe Acrobat DC Setup.exe 70 PID 2832 wrote to memory of 4300 2832 Adobe Acrobat DC Setup.exe 70 PID 2832 wrote to memory of 4300 2832 Adobe Acrobat DC Setup.exe 70 PID 2832 wrote to memory of 1020 2832 Adobe Acrobat DC Setup.exe 72 PID 2832 wrote to memory of 1020 2832 Adobe Acrobat DC Setup.exe 72 PID 1020 wrote to memory of 404 1020 powershеll.exe 75 PID 1020 wrote to memory of 404 1020 powershеll.exe 75 PID 404 wrote to memory of 2020 404 cmd.exe 77 PID 404 wrote to memory of 2020 404 cmd.exe 77 PID 404 wrote to memory of 396 404 cmd.exe 78 PID 404 wrote to memory of 396 404 cmd.exe 78 PID 404 wrote to memory of 2124 404 cmd.exe 79 PID 404 wrote to memory of 2124 404 cmd.exe 79 PID 5036 wrote to memory of 628 5036 AcroRd32.exe 93 PID 5036 wrote to memory of 628 5036 AcroRd32.exe 93 PID 5036 wrote to memory of 628 5036 AcroRd32.exe 93 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to 
memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 1608 628 RdrCEF.exe 94 PID 628 wrote to memory of 4492 628 RdrCEF.exe 95 PID 628 wrote to memory of 4492 628 RdrCEF.exe 95 PID 628 wrote to memory of 4492 628 RdrCEF.exe 95 PID 628 wrote to memory of 4492 628 RdrCEF.exe 95 PID 628 wrote to memory of 4492 628 RdrCEF.exe 95 PID 628 wrote to memory of 4492 628 RdrCEF.exe 95 PID 628 wrote to memory of 4492 628 RdrCEF.exe 95
Processes

C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2832
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /SC ONLOGON /tn PowerShell /tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe
      - Creates scheduled task(s)
      PID: 4300
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1020
        C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd" /K CHCP 437
          - Suspicious use of WriteProcessMemory
          PID: 404
            C:\Windows\system32\chcp.com
              Command line: CHCP 437
              PID: 2020
            C:\Windows\system32\mmc.exe
              Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
              - Drops file in System32 directory
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID: 396
            C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im mmc.exe
              - Kills process with taskkill
              PID: 2124
            C:\Windows\system32\Taskmgr.exe
              Command line: taskmgr
              - Drops file in Windows directory
              - Modifies Internet Explorer settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of FindShellTrayWindow
              PID: 2604
                C:\Windows\explorer.exe
                  Command line: "C:\Windows\explorer.exe"
                  PID: 3264
                C:\Windows\system32\net.exe
                  Command line: "C:\Windows\system32\net.exe" user /add COOL
                  PID: 904
                    C:\Windows\system32\net1.exe
                      Command line: C:\Windows\system32\net1 user /add COOL
                      PID: 1780
                C:\Windows\system32\Taskmgr.exe
                  Command line: "C:\Windows\system32\Taskmgr.exe" /1
                  - Drops file in Windows directory
                  - Modifies registry class
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of FindShellTrayWindow
                  PID: 1520
                    C:\Windows\system32\netplwiz.exe
                      Command line: "C:\Windows\system32\netplwiz.exe"
                      - Suspicious behavior: GetForegroundWindowSpam
                      PID: 2748
                        C:\Windows\system32\mmc.exe
                          Command line: mmc.exe C:\Windows\system32\lusrmgr.msc computername=localmachine
                          - Drops file in System32 directory
                          - Suspicious behavior: GetForegroundWindowSpam
                          - Suspicious use of SetWindowsHookEx
                          PID: 4940
            C:\Windows\system32\Netplwiz.exe
              Command line: netplwiz.exe
              - Suspicious behavior: GetForegroundWindowSpam
              PID: 5096
        C:\Users\Admin\Shrek.exe
          Command line: "C:\Users\Admin\Shrek.exe"
          - Executes dropped EXE
          - Sets desktop wallpaper using registry
          PID: 4180
        C:\Users\Admin\Scary_Bird.exe
          Command line: "C:\Users\Admin\Scary_Bird.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 4872
            C:\Windows\SysWOW64\explorer.exe
              Command line: explorer.exe
              PID: 4908

C:\Windows\System32\SystemSettingsBroker.exe
  Command line: C:\Windows\System32\SystemSettingsBroker.exe -Embedding
  PID: 1512

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
  PID: 4904

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservice -s SstpSvc
  PID: 2260

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 2444

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  - Drops file in Windows directory
  PID: 3560

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s RasMan
  PID: 5044

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s RasMan
  PID: 2680

C:\Windows\System32\DataExchangeHost.exe
  Command line: C:\Windows\System32\DataExchangeHost.exe -Embedding
  PID: 4184

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 5036
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory
      PID: 628
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=54DABA8AE68282BE53EE09473648FE27 --mojo-platform-channel-handle=1616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 1608
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AFA0E35A62AE7CC9D26267FCD6441BA7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AFA0E35A62AE7CC9D26267FCD6441BA7 --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1
          PID: 4492
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1789D9B55458133BD3D24EBBCBE3A0ED --mojo-platform-channel-handle=2180 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 2600
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=81A687C4863218B5CF004362662D1ABD --mojo-platform-channel-handle=1780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 32
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEE201144F6F47A230DD9D1F3C642D75 --mojo-platform-channel-handle=1608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 564

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3c4
  PID: 4928

C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 4552

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 212
    C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\lsasetup.log
      - Opens file in notepad (likely ransom note)
      PID: 1980
    C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
      PID: 1952

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
  PID: 4228

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
  PID: 3816

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2236

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 1264

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 4948

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  PID: 2200

C:\Windows\system32\launchtm.exe
  Command line: launchtm.exe /2
  PID: 3372
    C:\Windows\System32\Taskmgr.exe
      Command line: "C:\Windows\System32\Taskmgr.exe" /2
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      PID: 532
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 36KB
  MD5: b30d3becc8731792523d599d949e63f5
  SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
  SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
  SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

- Filesize: 56KB
  MD5: 752a1f26b18748311b691c7d8fc20633
  SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

- Filesize: 64KB
  MD5: 928d517e59d9786ee71bd6aeb90f439b
  SHA1: 9c82fed59061444a294468f26a77a96261f3d273
  SHA256: 532fc588b91bf7152e645ece535d824fb633bcd41a486c8dd94be44c8ee64f1b
  SHA512: 9f8f2235a870be3972842224a79c61d560c2bb7630982329faa2d2cd0da69f88f49901741f25155e8d4c7ec693f80e1073fef3cec36cb2980ce13348aba73404

- Filesize: 403KB
  MD5: b4d3016a1cccde90a62b685149c832f9
  SHA1: 5d6c4ba3474e6544bd24343da564e90bba89f6f7
  SHA256: df6afa046a72bb55e8984cf9e2870dc62112e4b81d4fef5a94c98e1c4386e373
  SHA512: abf5e15b40fa03eb9390854199b9feaf0132aac756c5f07d45c81f58c8b4d909833a996a19ccfef7abb905ddb9206591b1eda49a4674bc75a7c5a9c6372590e7

- Filesize: 28KB
  MD5: 633ef26a3954af53882dd7abd4336f5c
  SHA1: 63cc9a917e2629cc46c1534209b957aa274bdc99
  SHA256: 58b9390f26d319b22691ee9651b592d15f826e6f089c5f7183cf3ad249f89f28
  SHA512: ba1392b3169d35e1ff0961876e6c3c624be2d0a0c5bde79274e8dadee274b5ee571dbd5580d4c2ce270b924b3b41bae54b3a9f88f80bb0c9b46857d6c4c30276

- Filesize: 162KB
  MD5: 0d02b03a068d671348931cc20c048422
  SHA1: 67b6deacf1303acfcbab0b158157fdc03a02c8d5
  SHA256: 44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0
  SHA512: 805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

- Filesize: 2KB
  MD5: a2942665b12ed000cd2ac95adef8e0cc
  SHA1: ac194f8d30f659131d1c73af8d44e81eccab7fde
  SHA256: bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374
  SHA512: 4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9

- Filesize: 1.4MB
  MD5: f4f09d7cf149b800eb771341e85a9dcc
  SHA1: 9decef3e447172801382d4db209d80078e030fab
  SHA256: 4edd0fcc32e1dc9b22bb77b01f27d5df7eab26cc298e4ba606b345be88d8a11e
  SHA512: cd5881bf4bced9ccd6af173bcf8a741ebc96eadb36a24792eb612aa8adf9663beeb449c7fe82995bfc0c6809767f4f9e59516efe7265c262ff5cbe52c3a89764

- Filesize: 1.4MB
  MD5: f4f09d7cf149b800eb771341e85a9dcc
  SHA1: 9decef3e447172801382d4db209d80078e030fab
  SHA256: 4edd0fcc32e1dc9b22bb77b01f27d5df7eab26cc298e4ba606b345be88d8a11e
  SHA512: cd5881bf4bced9ccd6af173bcf8a741ebc96eadb36a24792eb612aa8adf9663beeb449c7fe82995bfc0c6809767f4f9e59516efe7265c262ff5cbe52c3a89764

- Filesize: 56KB
  MD5: c11179b0ada3d14158a804070032e6b9
  SHA1: 1ee5285431a5db7974891cc6ba7bfab6cf397236
  SHA256: c530c3765b5bdbc6eb408cfaebfd8ed73581e2b42f4c217c6291a3d5e28c2f37
  SHA512: f0dc00c7c4bd0c632faf0f32c902d7f53e1705cf1e81eca5d5b0caea7989f38935b8b76bc5d61b4feeee76fb6e6c8916bf231b8ef5c0fe4965b5e0ff9d790a13

- Filesize: 56KB
  MD5: c11179b0ada3d14158a804070032e6b9
  SHA1: 1ee5285431a5db7974891cc6ba7bfab6cf397236
  SHA256: c530c3765b5bdbc6eb408cfaebfd8ed73581e2b42f4c217c6291a3d5e28c2f37
  SHA512: f0dc00c7c4bd0c632faf0f32c902d7f53e1705cf1e81eca5d5b0caea7989f38935b8b76bc5d61b4feeee76fb6e6c8916bf231b8ef5c0fe4965b5e0ff9d790a13

- Filesize: 22KB
  MD5: 80648b43d233468718d717d10187b68d
  SHA1: a1736e8f0e408ce705722ce097d1adb24ebffc45
  SHA256: 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
  SHA512: eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

- Filesize: 6KB
  MD5: 01e21456e8000bab92907eec3b3aeea9
  SHA1: 39b34fe438352f7b095e24c89968fca48b8ce11c
  SHA256: 35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
  SHA512: 9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

- Filesize: 3.2MB
  MD5: fdd63d8e4b7dd0c30b0db7e3eeecacf5
  SHA1: 459e5f66dbcba0c68055de45621bd0a1f02d9058
  SHA256: 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3
  SHA512: c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650

- Filesize: 3.2MB
  MD5: fdd63d8e4b7dd0c30b0db7e3eeecacf5
  SHA1: 459e5f66dbcba0c68055de45621bd0a1f02d9058
  SHA256: 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3
  SHA512: c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650