Malware Analysis Report

2025-08-05 14:11

Sample ID 230816-m8jb3acc21
Target Adobe Acrobat DC Setup.exe
SHA256 1eac2dc913dd6753e4195898af82412511a503990e1d5b7a86fd5919f6feee82
Tags
quasar powershell persistence ransomware spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1eac2dc913dd6753e4195898af82412511a503990e1d5b7a86fd5919f6feee82

Threat Level: Known bad

The file Adobe Acrobat DC Setup.exe was found to be: Known bad.

Malicious Activity Summary

quasar powershell persistence ransomware spyware trojan

Quasar family

Quasar RAT

Modifies WinLogon for persistence

Quasar payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Runs net.exe

Suspicious behavior: LoadsDriver

Modifies registry class

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-16 11:08

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-16 11:08

Reported

2023-08-16 11:37

Platform

win10-20230703-en

Max time kernel

1775s

Max time network

1780s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe N/A
N/A N/A C:\Users\Admin\Shrek.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\lusrmgr.msc C:\Windows\system32\mmc.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe N/A
File opened for modification C:\Windows\system32\taskschd.msc C:\Windows\system32\mmc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\wall.jpg" C:\Users\Admin\Shrek.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\netsstpa.PNF C:\Windows\system32\svchost.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\system32\Taskmgr.exe N/A
File created C:\Windows\rescache\_merged\4183903823\810424605.pri C:\Windows\system32\Taskmgr.exe N/A
File created C:\Windows\INF\netrasa.PNF \??\c:\windows\system32\svchost.exe N/A
File created C:\Windows\rescache\_merged\4183903823\810424605.pri C:\Windows\system32\Taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\system32\Taskmgr.exe N/A
File created C:\Windows\rescache\_merged\4183903823\810424605.pri C:\Windows\System32\Taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\System32\Taskmgr.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\system32\Taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\ImmutableMuiCache C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).top = "76" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).x = "4294967295" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).y = "4294967295" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\ImmutableMuiCache\Strings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings C:\Windows\system32\Taskmgr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5600310000000000e356e953100057696e646f777300400009000400efbe724a0b5de356e9532e0000006b0500000000010000000000000000000000000000001eccba00570069006e0064006f0077007300000016000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Users\Admin\Scary_Bird.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2832 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
PID 1020 wrote to memory of 404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe C:\Windows\SYSTEM32\cmd.exe
PID 404 wrote to memory of 2020 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 404 wrote to memory of 396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\mmc.exe
PID 404 wrote to memory of 2124 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5036 wrote to memory of 628 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 628 wrote to memory of 1608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 628 wrote to memory of 4492 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /SC ONLOGON /tn PowerShell /tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /K CHCP 437

C:\Windows\system32\chcp.com

CHCP 437

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s

C:\Windows\system32\taskkill.exe

taskkill /f /im mmc.exe

C:\Windows\System32\SystemSettingsBroker.exe

C:\Windows\System32\SystemSettingsBroker.exe -Embedding

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s SstpSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s RasMan

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s RasMan

C:\Windows\System32\DataExchangeHost.exe

C:\Windows\System32\DataExchangeHost.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=54DABA8AE68282BE53EE09473648FE27 --mojo-platform-channel-handle=1616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AFA0E35A62AE7CC9D26267FCD6441BA7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AFA0E35A62AE7CC9D26267FCD6441BA7 --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1789D9B55458133BD3D24EBBCBE3A0ED --mojo-platform-channel-handle=2180 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=81A687C4863218B5CF004362662D1ABD --mojo-platform-channel-handle=1780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEE201144F6F47A230DD9D1F3C642D75 --mojo-platform-channel-handle=1608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Users\Admin\Shrek.exe

"C:\Users\Admin\Shrek.exe"

C:\Users\Admin\Scary_Bird.exe

"C:\Users\Admin\Scary_Bird.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3c4

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\lsasetup.log

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\Taskmgr.exe

taskmgr

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" user /add COOL

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add COOL

C:\Windows\system32\Taskmgr.exe

"C:\Windows\system32\Taskmgr.exe" /1

C:\Windows\system32\netplwiz.exe

"C:\Windows\system32\netplwiz.exe"

C:\Windows\system32\mmc.exe

mmc.exe C:\Windows\system32\lusrmgr.msc computername=localmachine

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\Netplwiz.exe

netplwiz.exe

C:\Windows\system32\launchtm.exe

launchtm.exe /2

C:\Windows\System32\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe" /2

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 39.102.125.3.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
CA 108.181.98.179:443 ipwho.is tcp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 179.98.181.108.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 94.209.125.3.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
DE 3.124.142.205:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 205.142.124.3.in-addr.arpa udp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 134.223.125.3.in-addr.arpa udp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 75.249.158.18.in-addr.arpa udp
US 8.8.8.8:53 224.104.207.23.in-addr.arpa udp
US 8.8.8.8:53 137.0.85.104.in-addr.arpa udp
US 8.8.8.8:53 74.175.53.84.in-addr.arpa udp

Files

memory/2832-117-0x0000000000260000-0x0000000000604000-memory.dmp

memory/2832-118-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/2832-119-0x0000000004E90000-0x0000000004F2C000-memory.dmp

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe

MD5 fdd63d8e4b7dd0c30b0db7e3eeecacf5
SHA1 459e5f66dbcba0c68055de45621bd0a1f02d9058
SHA256 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3
SHA512 c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650

memory/1020-127-0x0000000000FE0000-0x0000000001312000-memory.dmp

memory/1020-126-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp

memory/2832-128-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/1020-129-0x000000001C080000-0x000000001C090000-memory.dmp

memory/1020-130-0x000000001C390000-0x000000001C3E0000-memory.dmp

memory/1020-131-0x000000001C4A0000-0x000000001C552000-memory.dmp

memory/1020-132-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp

memory/1020-135-0x000000001C400000-0x000000001C412000-memory.dmp

memory/1020-136-0x000000001C460000-0x000000001C49E000-memory.dmp

memory/1020-137-0x000000001C080000-0x000000001C090000-memory.dmp

memory/396-144-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp

memory/396-145-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-177-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-186-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-302-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-303-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-304-0x00007FF646B40000-0x00007FF646B50000-memory.dmp

memory/396-305-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-307-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-308-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-309-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp

memory/396-311-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-312-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-313-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-314-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-315-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-316-0x00007FF646B40000-0x00007FF646B50000-memory.dmp

memory/396-317-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-318-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-319-0x000000001CD20000-0x000000001CD30000-memory.dmp

memory/396-320-0x00007FF8F2660000-0x00007FF8F304C000-memory.dmp

C:\Windows\INF\netsstpa.PNF

MD5 01e21456e8000bab92907eec3b3aeea9
SHA1 39b34fe438352f7b095e24c89968fca48b8ce11c
SHA256 35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA512 9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

C:\Windows\INF\netrasa.PNF

MD5 80648b43d233468718d717d10187b68d
SHA1 a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA256 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512 eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 928d517e59d9786ee71bd6aeb90f439b
SHA1 9c82fed59061444a294468f26a77a96261f3d273
SHA256 532fc588b91bf7152e645ece535d824fb633bcd41a486c8dd94be44c8ee64f1b
SHA512 9f8f2235a870be3972842224a79c61d560c2bb7630982329faa2d2cd0da69f88f49901741f25155e8d4c7ec693f80e1073fef3cec36cb2980ce13348aba73404

memory/5036-463-0x00000000096A0000-0x000000000994B000-memory.dmp

memory/5036-465-0x00000000096A0000-0x00000000097ED000-memory.dmp

memory/1020-468-0x000000001F420000-0x000000001F946000-memory.dmp

C:\Users\Admin\Shrek.exe

MD5 c11179b0ada3d14158a804070032e6b9
SHA1 1ee5285431a5db7974891cc6ba7bfab6cf397236
SHA256 c530c3765b5bdbc6eb408cfaebfd8ed73581e2b42f4c217c6291a3d5e28c2f37
SHA512 f0dc00c7c4bd0c632faf0f32c902d7f53e1705cf1e81eca5d5b0caea7989f38935b8b76bc5d61b4feeee76fb6e6c8916bf231b8ef5c0fe4965b5e0ff9d790a13

memory/4180-506-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/4180-505-0x00000000000B0000-0x00000000000C6000-memory.dmp

memory/4180-507-0x0000000004FA0000-0x000000000549E000-memory.dmp

memory/4180-508-0x00000000049F0000-0x0000000004A82000-memory.dmp

memory/4180-509-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/4180-510-0x00000000048F0000-0x00000000048FA000-memory.dmp

memory/4180-511-0x0000000004C00000-0x0000000004C56000-memory.dmp

memory/4180-514-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/4180-515-0x0000000004BF0000-0x0000000004C00000-memory.dmp

C:\Users\Admin\Scary_Bird.exe

MD5 f4f09d7cf149b800eb771341e85a9dcc
SHA1 9decef3e447172801382d4db209d80078e030fab
SHA256 4edd0fcc32e1dc9b22bb77b01f27d5df7eab26cc298e4ba606b345be88d8a11e
SHA512 cd5881bf4bced9ccd6af173bcf8a741ebc96eadb36a24792eb612aa8adf9663beeb449c7fe82995bfc0c6809767f4f9e59516efe7265c262ff5cbe52c3a89764

memory/4872-522-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/4872-521-0x0000000000EE0000-0x0000000001048000-memory.dmp

memory/4872-523-0x00000000058D0000-0x00000000058E0000-memory.dmp

memory/4872-526-0x00000000058D0000-0x00000000058E0000-memory.dmp

memory/4872-528-0x00000000738C0000-0x0000000073FAE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 633ef26a3954af53882dd7abd4336f5c
SHA1 63cc9a917e2629cc46c1534209b957aa274bdc99
SHA256 58b9390f26d319b22691ee9651b592d15f826e6f089c5f7183cf3ad249f89f28
SHA512 ba1392b3169d35e1ff0961876e6c3c624be2d0a0c5bde79274e8dadee274b5ee571dbd5580d4c2ce270b924b3b41bae54b3a9f88f80bb0c9b46857d6c4c30276

C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

MD5 b4d3016a1cccde90a62b685149c832f9
SHA1 5d6c4ba3474e6544bd24343da564e90bba89f6f7
SHA256 df6afa046a72bb55e8984cf9e2870dc62112e4b81d4fef5a94c98e1c4386e373
SHA512 abf5e15b40fa03eb9390854199b9feaf0132aac756c5f07d45c81f58c8b4d909833a996a19ccfef7abb905ddb9206591b1eda49a4674bc75a7c5a9c6372590e7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri

MD5 a2942665b12ed000cd2ac95adef8e0cc
SHA1 ac194f8d30f659131d1c73af8d44e81eccab7fde
SHA256 bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374
SHA512 4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri

MD5 0d02b03a068d671348931cc20c048422
SHA1 67b6deacf1303acfcbab0b158157fdc03a02c8d5
SHA256 44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0
SHA512 805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-16 11:08

Reported

2023-08-16 11:37

Platform

win10v2004-20230703-en

Max time kernel

1766s

Max time network

1779s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /SC ONLOGON /tn PowerShell /tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"
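Added example (editor's code, not part of the sandbox report). The process list above is the persistence chain: the 32-bit dropper writes an executable named powershеll.exe into a WindowsPowerShell\v1.0 directory (it lands under SysWOW64, consistent with WoW64 file-system redirection of a System32 write), registers an ONLOGON scheduled task named PowerShell that points at it, and then starts it. That file is not the genuine PowerShell host: the report lists it under Executes dropped EXE and Drops file in System32 directory, and the second "e" in the name renders as a non-Latin look-alike (assumed here to be Cyrillic U+0435). The script below runs three checks over constructed process-creation events modelled on that tree: a confusable-folding check that a filename imitates a protected system binary, a check for any executable in a WindowsPowerShell\v1.0 directory other than the genuine hosts, and a parser for schtasks /create that surfaces trigger, task name and target. The confusable map and the protected-binary list are hand-picked assumptions, and the sample events are constructed, not taken from a real log.

```python
import unicodedata

# Look-alike letters from the Cyrillic and Greek blocks that render like ASCII.
# A hand-picked subset, not the full Unicode confusables table (assumption).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",
}
# Binary names worth protecting against look-alikes (assumption: extend per estate).
PROTECTED_BINARIES = {"powershell.exe", "cmd.exe", "svchost.exe", "explorer.exe",
                      "schtasks.exe", "rundll32.exe", "regsvr32.exe"}
# The only executables expected in <...>\WindowsPowerShell\v1.0\ on a stock install.
GENUINE_POWERSHELL_FILES = {"powershell.exe", "powershell_ise.exe"}


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def skeleton(name: str) -> str:
    """Fold look-alike letters to ASCII so a homoglyph name collides with the real one.
    NFKC also folds fullwidth forms, so those are caught without a map entry."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", name)).lower()


def homoglyph_masquerade(path: str):
    """Return the protected binary name that the filename of `path` imitates, or None."""
    name = basename(path)
    if name.isascii():
        return None
    folded = skeleton(name)
    return folded if folded in PROTECTED_BINARIES and folded != name.lower() else None


def unexpected_in_powershell_dir(path: str):
    """Flag any .exe inside a WindowsPowerShell\\v1.0 directory that is not a genuine host."""
    p = path.strip('"').replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    if (directory.endswith("\\windowspowershell\\v1.0") and name.endswith(".exe")
            and name not in GENUINE_POWERSHELL_FILES):
        return name
    return None


def parse_schtasks(cmdline: str):
    """Return {sc, tn, tr, ...} for a `schtasks /create` command line, else None.
    Naive whitespace split: a quoted /tr value containing spaces would be truncated."""
    tokens = cmdline.split()
    if not tokens or basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    opts = {}
    for i, t in enumerate(lowered[:-1]):
        if t in ("/sc", "/tn", "/tr", "/ru", "/mo"):
            opts[t[1:]] = tokens[i + 1]
    return opts


def assess(event: dict) -> list:
    """Findings for one process-creation event of the form {'image': ..., 'cmdline': ...}."""
    findings = []
    image, cmdline = event["image"], event["cmdline"]
    if (hit := homoglyph_masquerade(image)):
        findings.append(f"image {basename(image)!r} is a homoglyph of {hit}")
    if (name := unexpected_in_powershell_dir(image)):
        findings.append(f"unexpected executable in PowerShell directory: {name!r}")
    task = parse_schtasks(cmdline)
    if task is not None:
        target = task.get("tr", "")
        findings.append(f"scheduled task persistence: trigger={task.get('sc', '?').upper()} "
                        f"name={task.get('tn')} target={target}")
        if (hit := homoglyph_masquerade(target)):
            findings.append(f"task target {basename(target)!r} is a homoglyph of {hit}")
    return findings


def scan(events):
    return [assess(e) for e in events]


# Constructed events modelled on the process tree in this report. The "е" in the dropped
# file name is written as U+0435 (assumption: the report's path uses that Cyrillic letter).
SAMPLE_EVENTS = [
    {"image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe Acrobat DC Setup.exe",
     "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe Acrobat DC Setup.exe\""},
    {"image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": "schtasks /create /f /SC ONLOGON /tn PowerShell "
                "/tr %systemroot%\\System32\\WindowsPowerShell\\v1.0\\powersh\u0435ll.exe"},
    {"image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powersh\u0435ll.exe",
     "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powersh\u0435ll.exe\""},
    # Benign control: the genuine 64-bit host started by an administrator.
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(basename(event["image"]), "->", findings or "clean")
```

Folding to a skeleton rather than only testing isascii() is deliberate: a second variant using a different look-alike letter, or a fullwidth form, should collide with the same protected name, and the directory check catches a plain-ASCII misspelling such as powershel.exe that no confusable table would. For production use, replace the short map with the full Unicode confusables data and feed real process-creation telemetry (Sysmon event ID 1 or equivalent) instead of the constructed events.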

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.131.241.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 39.102.125.3.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
CA 108.181.98.179:443 ipwho.is tcp
US 8.8.8.8:53 179.98.181.108.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 94.209.125.3.in-addr.arpa udp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.192.31.165:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 165.31.192.18.in-addr.arpa udp
DE 18.192.31.165:16640 0.tcp.eu.ngrok.io tcp
DE 18.192.31.165:16640 0.tcp.eu.ngrok.io tcp
DE 18.192.31.165:16640 0.tcp.eu.ngrok.io tcp
DE 18.192.31.165:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.124.142.205:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 205.142.124.3.in-addr.arpa udp
DE 3.124.142.205:16640 0.tcp.eu.ngrok.io tcp
DE 3.124.142.205:16640 0.tcp.eu.ngrok.io tcp
DE 3.124.142.205:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 75.249.158.18.in-addr.arpa udp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 134.223.125.3.in-addr.arpa udp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.124.142.205:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 18.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.192.31.165:16640 0.tcp.eu.ngrok.io tcp
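Added example (editor's code, not from the report). The table above is what the "Legitimate hosting services abused for malware hosting/C2" signature refers to: over the run the sample resolved 0.tcp.eu.ngrok.io again and again and connected to six different addresses on the same port, 16640 (3.125.102.39, 3.125.209.94, 18.192.31.165, 3.124.142.205, 18.158.249.75, 3.125.223.134). That is how an ngrok TCP tunnel fronting a RAT listener looks from the victim side: the hostname and tunnel port are the stable indicator, the front-end IP is not, so per-IP blocks expire within the same detonation. The sample also contacted ipwho.is over 443, a public-IP geolocation lookup. The script below parses rows in the table's own format, drops resolver and PTR-lookup noise, aggregates per contacted domain and emits domain+port block rules. The embedded rows are an excerpt copied from the table; the tunnel-service and IP-lookup domain lists are assumptions.

```python
import ipaddress
from collections import defaultdict

# Excerpt of rows from the behavioral2 network table above (not the full table).
SAMPLE_ROWS = """\
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 39.102.125.3.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
CA 108.181.98.179:443 ipwho.is tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.209.94:16640 0.tcp.eu.ngrok.io tcp
DE 18.192.31.165:16640 0.tcp.eu.ngrok.io tcp
DE 3.124.142.205:16640 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:16640 0.tcp.eu.ngrok.io tcp
DE 3.125.223.134:16640 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 165.31.192.18.in-addr.arpa udp
"""

# Assumption: suffixes of reverse-tunnel services often used to expose a RAT listener
# behind NAT, and public-IP lookup services used to geolocate the victim.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".loca.lt", ".serveo.net")
IP_LOOKUP_DOMAINS = {"ipwho.is", "ip-api.com", "ipinfo.io", "api.ipify.org"}


def parse_row(line: str):
    """'CC ip:port domain proto' -> dict, or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    country, dest, domain, proto = parts
    ip, _, port = dest.rpartition(":")
    try:
        ipaddress.ip_address(ip)
        port = int(port)
    except ValueError:
        return None
    return {"country": country, "ip": ip, "port": port,
            "domain": domain.lower(), "proto": proto.lower()}


def classify(domain: str) -> str:
    if domain.endswith(TUNNEL_SUFFIXES):
        return "tunnel-service C2 candidate"
    if domain in IP_LOOKUP_DOMAINS:
        return "public-IP lookup"
    return "other"


def iocs(rows_text: str):
    """One record per contacted domain: TCP only, resolver traffic and PTR lookups dropped."""
    agg = defaultdict(lambda: {"ips": set(), "ports": set(), "countries": set(), "connections": 0})
    for line in rows_text.splitlines():
        row = parse_row(line)
        if row is None or row["proto"] != "tcp" or row["domain"].endswith(".in-addr.arpa"):
            continue
        rec = agg[row["domain"]]
        rec["ips"].add(row["ip"])
        rec["ports"].add(row["port"])
        rec["countries"].add(row["country"])
        rec["connections"] += 1
    out = []
    for domain, rec in agg.items():
        out.append({
            "domain": domain,
            "ips": sorted(rec["ips"], key=ipaddress.ip_address),
            "ports": sorted(rec["ports"]),
            "countries": sorted(rec["countries"]),
            "connections": rec["connections"],
            "classification": classify(domain),
        })
    return sorted(out, key=lambda r: r["connections"], reverse=True)


def block_rules(records):
    """Domain+port rules rather than per-IP rules: the tunnel front-end IPs rotate, the port does not."""
    return [f"deny tcp any -> {r['domain']}:{p}"
            for r in records if r["classification"] != "other" for p in r["ports"]]


if __name__ == "__main__":
    recs = iocs(SAMPLE_ROWS)
    for r in recs:
        print(f"{r['domain']:<22} {r['classification']:<28} "
              f"ips={len(r['ips'])} ports={r['ports']} conns={r['connections']}")
    print("\n".join(block_rules(recs)))
```

Run against the full table the ngrok record grows to several dozen connections across the same six front-end addresses and the single port 16640, which is the figure that justifies a hostname-and-port rule (or a DNS sinkhole for the tunnel domain) over an IP list. The ipwho.is hit is worth recording separately: it is a common first-beacon action and is a cheap hunting pivot in proxy logs even where the C2 itself is encrypted.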

Files

memory/3992-133-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3992-134-0x00000000005C0000-0x0000000000964000-memory.dmp

memory/3992-135-0x00000000052D0000-0x000000000536C000-memory.dmp

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe

MD5 fdd63d8e4b7dd0c30b0db7e3eeecacf5
SHA1 459e5f66dbcba0c68055de45621bd0a1f02d9058
SHA256 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3
SHA512 c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650

memory/1408-150-0x00000000003D0000-0x0000000000702000-memory.dmp

memory/1408-151-0x00007FFF32DB0000-0x00007FFF33871000-memory.dmp

memory/1408-152-0x00000000029C0000-0x00000000029D0000-memory.dmp

memory/1408-153-0x0000000002970000-0x00000000029C0000-memory.dmp

memory/1408-154-0x000000001B940000-0x000000001B9F2000-memory.dmp

memory/3992-157-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/1408-158-0x000000001B430000-0x000000001B442000-memory.dmp

memory/1408-159-0x000000001C780000-0x000000001C7BC000-memory.dmp

memory/1408-160-0x000000001B880000-0x000000001B919000-memory.dmp

memory/1408-161-0x00007FFF32DB0000-0x00007FFF33871000-memory.dmp

memory/1408-162-0x00000000029C0000-0x00000000029D0000-memory.dmp

memory/1408-164-0x00000000029C0000-0x00000000029D0000-memory.dmp

memory/1408-165-0x00000000029C0000-0x00000000029D0000-memory.dmp

memory/1408-166-0x00000000029C0000-0x00000000029D0000-memory.dmp

memory/1408-168-0x00000000029C0000-0x00000000029D0000-memory.dmp

memory/1408-170-0x000000001DB80000-0x000000001E0A8000-memory.dmp

memory/1408-174-0x000000001B880000-0x000000001B919000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Logs\2023-08-16

MD5 50defcfc4bbe2e8d0ceb51423e803119
SHA1 23ac63264c00e6f5d9de38c723476c5a4ec94899
SHA256 3233e42f48eda5768ad96e4b967d3b6f650afe748cf9d3e95d711bef462627a9
SHA512 34b6a15292027e1d94ede71dea898df6154bf7e3ed52b8b6dc01882ee376087e95b659cb21c57eeec4c94f657dd94918598628dc7cb37e33861bb382422e5087