Analysis Overview
SHA256
1eac2dc913dd6753e4195898af82412511a503990e1d5b7a86fd5919f6feee82
Threat Level: Known bad
The file Adobe Acrobat DC Setup.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Modifies WinLogon for persistence
Quasar payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Runs net.exe
Suspicious behavior: LoadsDriver
Modifies registry class
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: AddClipboardFormatListener
Opens file in notepad (likely ransom note)
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-16 11:08
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-16 11:08
Reported
2023-08-16 11:37
Platform
win10-20230703-en
Max time kernel
1775s
Max time network
1780s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
| N/A | N/A | C:\Users\Admin\Shrek.exe | N/A |
| N/A | N/A | C:\Users\Admin\Scary_Bird.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\lusrmgr.msc | C:\Windows\system32\mmc.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe | N/A |
| File opened for modification | C:\Windows\system32\taskschd.msc | C:\Windows\system32\mmc.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\wall.jpg" | C:\Users\Admin\Shrek.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\INF\netsstpa.PNF | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\Taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\Taskmgr.exe | N/A |
| File created | C:\Windows\INF\netrasa.PNF | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\System32\Taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\System32\Taskmgr.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Windows\system32\Taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\ImmutableMuiCache | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).top = "76" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).x = "4294967295" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).y = "4294967295" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\ImmutableMuiCache\Strings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings | C:\Windows\system32\Taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5600310000000000e356e953100057696e646f777300400009000400efbe724a0b5de356e9532e0000006b0500000000010000000000000000000000000000001eccba00570069006e0064006f0077007300000016000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\system32\Taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
| N/A | N/A | C:\Windows\system32\netplwiz.exe | N/A |
| N/A | N/A | C:\Windows\system32\Netplwiz.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /SC ONLOGON /tn PowerShell /tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /K CHCP 437
C:\Windows\system32\chcp.com
CHCP 437
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
C:\Windows\system32\taskkill.exe
taskkill /f /im mmc.exe
C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=54DABA8AE68282BE53EE09473648FE27 --mojo-platform-channel-handle=1616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AFA0E35A62AE7CC9D26267FCD6441BA7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AFA0E35A62AE7CC9D26267FCD6441BA7 --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1789D9B55458133BD3D24EBBCBE3A0ED --mojo-platform-channel-handle=2180 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=81A687C4863218B5CF004362662D1ABD --mojo-platform-channel-handle=1780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEE201144F6F47A230DD9D1F3C642D75 --mojo-platform-channel-handle=1608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Users\Admin\Shrek.exe
"C:\Users\Admin\Shrek.exe"
C:\Users\Admin\Scary_Bird.exe
"C:\Users\Admin\Scary_Bird.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\lsasetup.log
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\Taskmgr.exe
taskmgr
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" user /add COOL
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add COOL
C:\Windows\system32\Taskmgr.exe
"C:\Windows\system32\Taskmgr.exe" /1
C:\Windows\system32\netplwiz.exe
"C:\Windows\system32\netplwiz.exe"
C:\Windows\system32\mmc.exe
mmc.exe C:\Windows\system32\lusrmgr.msc computername=localmachine
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\Netplwiz.exe
netplwiz.exe
C:\Windows\system32\launchtm.exe
launchtm.exe /2
C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe" /2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 39.102.125.3.in-addr.arpa | udp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| CA | 108.181.98.179:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.98.181.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 94.209.125.3.in-addr.arpa | udp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 205.142.124.3.in-addr.arpa | udp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 134.223.125.3.in-addr.arpa | udp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 75.249.158.18.in-addr.arpa | udp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 224.104.207.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.0.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.175.53.84.in-addr.arpa | udp |
Files
memory/2832-117-0x0000000000260000-0x0000000000604000-memory.dmp
memory/2832-118-0x00000000738C0000-0x0000000073FAE000-memory.dmp
memory/2832-119-0x0000000004E90000-0x0000000004F2C000-memory.dmp
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
| MD5 | fdd63d8e4b7dd0c30b0db7e3eeecacf5 |
| SHA1 | 459e5f66dbcba0c68055de45621bd0a1f02d9058 |
| SHA256 | 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3 |
| SHA512 | c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650 |
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
| MD5 | fdd63d8e4b7dd0c30b0db7e3eeecacf5 |
| SHA1 | 459e5f66dbcba0c68055de45621bd0a1f02d9058 |
| SHA256 | 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3 |
| SHA512 | c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650 |
memory/1020-127-0x0000000000FE0000-0x0000000001312000-memory.dmp
memory/1020-126-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp
memory/2832-128-0x00000000738C0000-0x0000000073FAE000-memory.dmp
memory/1020-129-0x000000001C080000-0x000000001C090000-memory.dmp
memory/1020-130-0x000000001C390000-0x000000001C3E0000-memory.dmp
memory/1020-131-0x000000001C4A0000-0x000000001C552000-memory.dmp
memory/1020-132-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp
memory/1020-135-0x000000001C400000-0x000000001C412000-memory.dmp
memory/1020-136-0x000000001C460000-0x000000001C49E000-memory.dmp
memory/1020-137-0x000000001C080000-0x000000001C090000-memory.dmp
memory/396-144-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp
memory/396-145-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-177-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-186-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-302-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-303-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-304-0x00007FF646B40000-0x00007FF646B50000-memory.dmp
memory/396-305-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-307-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-308-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-309-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp
memory/396-311-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-312-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-313-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-314-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-315-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-316-0x00007FF646B40000-0x00007FF646B50000-memory.dmp
memory/396-317-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-318-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-319-0x000000001CD20000-0x000000001CD30000-memory.dmp
memory/396-320-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp
C:\Windows\INF\netsstpa.PNF
| MD5 | 01e21456e8000bab92907eec3b3aeea9 |
| SHA1 | 39b34fe438352f7b095e24c89968fca48b8ce11c |
| SHA256 | 35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f |
| SHA512 | 9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec |
C:\Windows\INF\netrasa.PNF
| MD5 | 80648b43d233468718d717d10187b68d |
| SHA1 | a1736e8f0e408ce705722ce097d1adb24ebffc45 |
| SHA256 | 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380 |
| SHA512 | eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 928d517e59d9786ee71bd6aeb90f439b |
| SHA1 | 9c82fed59061444a294468f26a77a96261f3d273 |
| SHA256 | 532fc588b91bf7152e645ece535d824fb633bcd41a486c8dd94be44c8ee64f1b |
| SHA512 | 9f8f2235a870be3972842224a79c61d560c2bb7630982329faa2d2cd0da69f88f49901741f25155e8d4c7ec693f80e1073fef3cec36cb2980ce13348aba73404 |
memory/5036-463-0x00000000096A0000-0x000000000994B000-memory.dmp
memory/5036-465-0x00000000096A0000-0x00000000097ED000-memory.dmp
memory/1020-468-0x000000001F420000-0x000000001F946000-memory.dmp
C:\Users\Admin\Shrek.exe
| MD5 | c11179b0ada3d14158a804070032e6b9 |
| SHA1 | 1ee5285431a5db7974891cc6ba7bfab6cf397236 |
| SHA256 | c530c3765b5bdbc6eb408cfaebfd8ed73581e2b42f4c217c6291a3d5e28c2f37 |
| SHA512 | f0dc00c7c4bd0c632faf0f32c902d7f53e1705cf1e81eca5d5b0caea7989f38935b8b76bc5d61b4feeee76fb6e6c8916bf231b8ef5c0fe4965b5e0ff9d790a13 |
C:\Users\Admin\Shrek.exe
| MD5 | c11179b0ada3d14158a804070032e6b9 |
| SHA1 | 1ee5285431a5db7974891cc6ba7bfab6cf397236 |
| SHA256 | c530c3765b5bdbc6eb408cfaebfd8ed73581e2b42f4c217c6291a3d5e28c2f37 |
| SHA512 | f0dc00c7c4bd0c632faf0f32c902d7f53e1705cf1e81eca5d5b0caea7989f38935b8b76bc5d61b4feeee76fb6e6c8916bf231b8ef5c0fe4965b5e0ff9d790a13 |
memory/4180-506-0x00000000738C0000-0x0000000073FAE000-memory.dmp
memory/4180-505-0x00000000000B0000-0x00000000000C6000-memory.dmp
memory/4180-507-0x0000000004FA0000-0x000000000549E000-memory.dmp
memory/4180-508-0x00000000049F0000-0x0000000004A82000-memory.dmp
memory/4180-509-0x0000000004BF0000-0x0000000004C00000-memory.dmp
memory/4180-510-0x00000000048F0000-0x00000000048FA000-memory.dmp
memory/4180-511-0x0000000004C00000-0x0000000004C56000-memory.dmp
memory/4180-514-0x00000000738C0000-0x0000000073FAE000-memory.dmp
memory/4180-515-0x0000000004BF0000-0x0000000004C00000-memory.dmp
C:\Users\Admin\Scary_Bird.exe
| MD5 | f4f09d7cf149b800eb771341e85a9dcc |
| SHA1 | 9decef3e447172801382d4db209d80078e030fab |
| SHA256 | 4edd0fcc32e1dc9b22bb77b01f27d5df7eab26cc298e4ba606b345be88d8a11e |
| SHA512 | cd5881bf4bced9ccd6af173bcf8a741ebc96eadb36a24792eb612aa8adf9663beeb449c7fe82995bfc0c6809767f4f9e59516efe7265c262ff5cbe52c3a89764 |
C:\Users\Admin\Scary_Bird.exe
| MD5 | f4f09d7cf149b800eb771341e85a9dcc |
| SHA1 | 9decef3e447172801382d4db209d80078e030fab |
| SHA256 | 4edd0fcc32e1dc9b22bb77b01f27d5df7eab26cc298e4ba606b345be88d8a11e |
| SHA512 | cd5881bf4bced9ccd6af173bcf8a741ebc96eadb36a24792eb612aa8adf9663beeb449c7fe82995bfc0c6809767f4f9e59516efe7265c262ff5cbe52c3a89764 |
memory/4872-522-0x00000000738C0000-0x0000000073FAE000-memory.dmp
memory/4872-521-0x0000000000EE0000-0x0000000001048000-memory.dmp
memory/4872-523-0x00000000058D0000-0x00000000058E0000-memory.dmp
memory/4872-526-0x00000000058D0000-0x00000000058E0000-memory.dmp
memory/4872-528-0x00000000738C0000-0x0000000073FAE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 633ef26a3954af53882dd7abd4336f5c |
| SHA1 | 63cc9a917e2629cc46c1534209b957aa274bdc99 |
| SHA256 | 58b9390f26d319b22691ee9651b592d15f826e6f089c5f7183cf3ad249f89f28 |
| SHA512 | ba1392b3169d35e1ff0961876e6c3c624be2d0a0c5bde79274e8dadee274b5ee571dbd5580d4c2ce270b924b3b41bae54b3a9f88f80bb0c9b46857d6c4c30276 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
| MD5 | b4d3016a1cccde90a62b685149c832f9 |
| SHA1 | 5d6c4ba3474e6544bd24343da564e90bba89f6f7 |
| SHA256 | df6afa046a72bb55e8984cf9e2870dc62112e4b81d4fef5a94c98e1c4386e373 |
| SHA512 | abf5e15b40fa03eb9390854199b9feaf0132aac756c5f07d45c81f58c8b4d909833a996a19ccfef7abb905ddb9206591b1eda49a4674bc75a7c5a9c6372590e7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri
| MD5 | a2942665b12ed000cd2ac95adef8e0cc |
| SHA1 | ac194f8d30f659131d1c73af8d44e81eccab7fde |
| SHA256 | bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374 |
| SHA512 | 4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri
| MD5 | 0d02b03a068d671348931cc20c048422 |
| SHA1 | 67b6deacf1303acfcbab0b158157fdc03a02c8d5 |
| SHA256 | 44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0 |
| SHA512 | 805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-16 11:08
Reported
2023-08-16 11:37
Platform
win10v2004-20230703-en
Max time kernel
1766s
Max time network
1779s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3992 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3992 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3992 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3992 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe |
| PID 3992 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /SC ONLOGON /tn PowerShell /tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.131.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 39.102.125.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| CA | 108.181.98.179:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 179.98.181.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 94.209.125.3.in-addr.arpa | udp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.192.31.165:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 165.31.192.18.in-addr.arpa | udp |
| DE | 18.192.31.165:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.165:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.165:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.165:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 205.142.124.3.in-addr.arpa | udp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 75.249.158.18.in-addr.arpa | udp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 134.223.125.3.in-addr.arpa | udp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.223.134:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.124.142.205:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:16640 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 18.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.192.31.165:16640 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/3992-133-0x0000000074520000-0x0000000074CD0000-memory.dmp
memory/3992-134-0x00000000005C0000-0x0000000000964000-memory.dmp
memory/3992-135-0x00000000052D0000-0x000000000536C000-memory.dmp
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
| MD5 | fdd63d8e4b7dd0c30b0db7e3eeecacf5 |
| SHA1 | 459e5f66dbcba0c68055de45621bd0a1f02d9058 |
| SHA256 | 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3 |
| SHA512 | c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650 |
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
| MD5 | fdd63d8e4b7dd0c30b0db7e3eeecacf5 |
| SHA1 | 459e5f66dbcba0c68055de45621bd0a1f02d9058 |
| SHA256 | 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3 |
| SHA512 | c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650 |
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
| MD5 | fdd63d8e4b7dd0c30b0db7e3eeecacf5 |
| SHA1 | 459e5f66dbcba0c68055de45621bd0a1f02d9058 |
| SHA256 | 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3 |
| SHA512 | c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650 |
memory/1408-150-0x00000000003D0000-0x0000000000702000-memory.dmp
memory/1408-151-0x00007FFF32DB0000-0x00007FFF33871000-memory.dmp
memory/1408-152-0x00000000029C0000-0x00000000029D0000-memory.dmp
memory/1408-153-0x0000000002970000-0x00000000029C0000-memory.dmp
memory/1408-154-0x000000001B940000-0x000000001B9F2000-memory.dmp
memory/3992-157-0x0000000074520000-0x0000000074CD0000-memory.dmp
memory/1408-158-0x000000001B430000-0x000000001B442000-memory.dmp
memory/1408-159-0x000000001C780000-0x000000001C7BC000-memory.dmp
memory/1408-160-0x000000001B880000-0x000000001B919000-memory.dmp
memory/1408-161-0x00007FFF32DB0000-0x00007FFF33871000-memory.dmp
memory/1408-162-0x00000000029C0000-0x00000000029D0000-memory.dmp
memory/1408-164-0x00000000029C0000-0x00000000029D0000-memory.dmp
memory/1408-165-0x00000000029C0000-0x00000000029D0000-memory.dmp
memory/1408-166-0x00000000029C0000-0x00000000029D0000-memory.dmp
memory/1408-168-0x00000000029C0000-0x00000000029D0000-memory.dmp
memory/1408-170-0x000000001DB80000-0x000000001E0A8000-memory.dmp
memory/1408-174-0x000000001B880000-0x000000001B919000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Logs\2023-08-16
| MD5 | 50defcfc4bbe2e8d0ceb51423e803119 |
| SHA1 | 23ac63264c00e6f5d9de38c723476c5a4ec94899 |
| SHA256 | 3233e42f48eda5768ad96e4b967d3b6f650afe748cf9d3e95d711bef462627a9 |
| SHA512 | 34b6a15292027e1d94ede71dea898df6154bf7e3ed52b8b6dc01882ee376087e95b659cb21c57eeec4c94f657dd94918598628dc7cb37e33861bb382422e5087 |