Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/03/2024, 19:15
Static task
static1
Behavioral task
behavioral1
Sample
fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112.msi
Resource
win7-20240221-en
General
-
Target
fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112.msi
-
Size
4.3MB
-
MD5
b88352bde539f79207be209759505f02
-
SHA1
8ede7ee0a43c4282b41687408ddc38a243ac4bfd
-
SHA256
fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112
-
SHA512
104d4330c05e41d2039a0b61438565c88138ec9b2c55632ab0ec8eaf70840b095e1dd5bb5d55b65373099df80896632499ff5b3c85240d7a389824cb72268921
-
SSDEEP
49152:zpUPB9qhCxzT+WKjSX15zLVI4vLeY9xV4qtGvmKBteU5oBgffUBS88qAU8:zpECQ1FLeYLVTV4WMVf
Malware Config
Extracted
darkgate
admin888
stachmentsuprimeresult.com
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
443
-
check_disk
false
-
check_ram
true
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
veVumtze
-
minimum_disk
30
-
minimum_ram
4096
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Signatures
-
Detect DarkGate stealer 4 IoCs
resource yara_rule behavioral2/memory/716-93-0x0000000005DD0000-0x000000000611E000-memory.dmp family_darkgate_v6 behavioral2/memory/4208-110-0x0000000003400000-0x0000000003BA2000-memory.dmp family_darkgate_v6 behavioral2/memory/716-112-0x0000000005DD0000-0x000000000611E000-memory.dmp family_darkgate_v6 behavioral2/memory/4208-116-0x0000000003400000-0x0000000003BA2000-memory.dmp family_darkgate_v6 -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 60 ICACLS.EXE 560 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation Autoit3.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\LOGS\DPX\setuperr.log EXPAND.EXE File opened for modification C:\Windows\Installer\e584d7f.msi msiexec.exe File created C:\Windows\Installer\SourceHash{E7B97E0C-60D4-4CC6-8F85-E7269822C430} msiexec.exe File opened for modification C:\Windows\Installer\MSI4F54.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log EXPAND.EXE File created C:\Windows\Installer\e584d7f.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 4356 iTunesHelper.exe 716 Autoit3.exe -
Loads dropped DLL 2 IoCs
pid Process 4208 MsiExec.exe 4356 iTunesHelper.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000db5049eb9f24a4820000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000db5049eb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900db5049eb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ddb5049eb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000db5049eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings Autoit3.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 1252 msiexec.exe 1252 msiexec.exe 716 Autoit3.exe 716 Autoit3.exe 716 Autoit3.exe 716 Autoit3.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeShutdownPrivilege 556 msiexec.exe Token: SeIncreaseQuotaPrivilege 556 msiexec.exe Token: SeSecurityPrivilege 1252 msiexec.exe Token: SeCreateTokenPrivilege 556 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 556 msiexec.exe Token: SeLockMemoryPrivilege 556 msiexec.exe Token: SeIncreaseQuotaPrivilege 556 msiexec.exe Token: SeMachineAccountPrivilege 556 msiexec.exe Token: SeTcbPrivilege 556 msiexec.exe Token: SeSecurityPrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeLoadDriverPrivilege 556 msiexec.exe Token: SeSystemProfilePrivilege 556 msiexec.exe Token: SeSystemtimePrivilege 556 msiexec.exe Token: SeProfSingleProcessPrivilege 556 msiexec.exe Token: SeIncBasePriorityPrivilege 556 msiexec.exe Token: SeCreatePagefilePrivilege 556 msiexec.exe Token: SeCreatePermanentPrivilege 556 msiexec.exe Token: SeBackupPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeShutdownPrivilege 556 msiexec.exe Token: SeDebugPrivilege 556 msiexec.exe Token: SeAuditPrivilege 556 msiexec.exe Token: SeSystemEnvironmentPrivilege 556 msiexec.exe Token: SeChangeNotifyPrivilege 556 msiexec.exe Token: SeRemoteShutdownPrivilege 556 msiexec.exe Token: SeUndockPrivilege 556 msiexec.exe Token: SeSyncAgentPrivilege 556 msiexec.exe Token: SeEnableDelegationPrivilege 556 msiexec.exe Token: SeManageVolumePrivilege 556 msiexec.exe Token: SeImpersonatePrivilege 556 msiexec.exe Token: SeCreateGlobalPrivilege 556 msiexec.exe Token: SeBackupPrivilege 1980 vssvc.exe Token: SeRestorePrivilege 1980 vssvc.exe Token: SeAuditPrivilege 1980 vssvc.exe Token: SeBackupPrivilege 1252 msiexec.exe Token: SeRestorePrivilege 1252 msiexec.exe Token: SeRestorePrivilege 1252 msiexec.exe Token: SeTakeOwnershipPrivilege 1252 msiexec.exe Token: SeRestorePrivilege 1252 msiexec.exe Token: SeTakeOwnershipPrivilege 1252 msiexec.exe Token: SeBackupPrivilege 2160 srtasks.exe Token: SeRestorePrivilege 2160 srtasks.exe Token: SeSecurityPrivilege 2160 srtasks.exe Token: SeTakeOwnershipPrivilege 2160 srtasks.exe Token: SeBackupPrivilege 2160 srtasks.exe Token: SeRestorePrivilege 2160 srtasks.exe Token: SeSecurityPrivilege 2160 srtasks.exe Token: SeTakeOwnershipPrivilege 2160 srtasks.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 556 msiexec.exe 556 msiexec.exe 4032 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe 4032 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1252 wrote to memory of 2160 1252 msiexec.exe 98 PID 1252 wrote to memory of 2160 1252 msiexec.exe 98 PID 1252 wrote to memory of 4208 1252 msiexec.exe 101 PID 1252 wrote to memory of 4208 1252 msiexec.exe 101 PID 1252 wrote to memory of 4208 1252 msiexec.exe 101 PID 4208 wrote to memory of 60 4208 MsiExec.exe 102 PID 4208 wrote to memory of 60 4208 MsiExec.exe 102 PID 4208 wrote to memory of 60 4208 MsiExec.exe 102 PID 4208 wrote to memory of 3104 4208 MsiExec.exe 104 PID 4208 wrote to memory of 3104 4208 MsiExec.exe 104 PID 4208 wrote to memory of 3104 4208 MsiExec.exe 104 PID 4208 wrote to memory of 4356 4208 MsiExec.exe 107 PID 4208 wrote to memory of 4356 4208 MsiExec.exe 107 PID 4356 wrote to memory of 716 4356 iTunesHelper.exe 108 PID 4356 wrote to memory of 716 4356 iTunesHelper.exe 108 PID 4356 wrote to memory of 716 4356 iTunesHelper.exe 108 PID 4208 wrote to memory of 3408 4208 MsiExec.exe 111 PID 4208 wrote to memory of 3408 4208 MsiExec.exe 111 PID 4208 wrote to memory of 3408 4208 MsiExec.exe 111 PID 716 wrote to memory of 4032 716 Autoit3.exe 113 PID 716 wrote to memory of 4032 716 Autoit3.exe 113 PID 716 wrote to memory of 4032 716 Autoit3.exe 113 PID 716 wrote to memory of 4208 716 Autoit3.exe 101 PID 4208 wrote to memory of 560 4208 MsiExec.exe 114 PID 4208 wrote to memory of 560 4208 MsiExec.exe 114 PID 4208 wrote to memory of 560 4208 MsiExec.exe 114 PID 4032 wrote to memory of 1152 4032 AcroRd32.exe 116 PID 4032 wrote to memory of 1152 4032 AcroRd32.exe 116 PID 4032 wrote to memory of 1152 4032 AcroRd32.exe 116 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 PID 1152 wrote to memory of 3044 1152 RdrCEF.exe 117 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:556
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5D46BC4C2F51136E5A4D03BA6AF2CEF32⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
PID:60
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
PID:3104
-
-
C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files\iTunesHelper.exe"C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files\iTunesHelper.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\temp\Autoit3.exe"c:\temp\Autoit3.exe" c:\temp\script.au34⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\temp\Rivers HHBC info .pdf"5⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140436⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=982F80E8BC1E75DFF62096704FEC32A5 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:27⤵PID:3044
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24475C9619373C9F992F188D0961EB11 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24475C9619373C9F992F188D0961EB11 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:17⤵PID:3124
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D8C45F48632D03EDC4DCC23F4C094CC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D8C45F48632D03EDC4DCC23F4C094CC --renderer-client-id=4 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job /prefetch:17⤵PID:4180
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6C56021EA9B3A48E72F0498881487F85 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:27⤵PID:2380
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A827E48FE96FB24A37E7AE6D54ED1DE3 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:27⤵PID:648
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C8865963AC2DA8159E03E71DBEF27DAC --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:27⤵PID:4216
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files"3⤵PID:3408
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
PID:560
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1980
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD59bbba7f67486427831f7d2c0e626d4ca
SHA10b126887878dd54df537d278de07967bfe5994a3
SHA256f430b31bd27fb4a3bbe8ca9dd10eb2f0f1f788ccfc959444941e91f3e298cdd9
SHA5128d54fc23eb8eadfbe8d2262c22b135666de06f2e1e596ecdc7c825f6d012c5d61d04c6957538661775a7bb4e7f98703a017dcc1323ba521b4938d900a10df04e
-
Filesize
4.1MB
MD57333aa36063f51a7f1f9bb05fa679ab4
SHA12944bfdccabb766254b94c0a1d3665ec423d114b
SHA2562d550bcc063ba4c3cd852edc0b36c49c1d70fbcd44a63ff035153b9f574b65e3
SHA5120c89804413e0f4cb35c1a6c50d460da241aa8e0d011c1f4e1e813f3002093fc661c59adfc58ea4369f79f0c8d785b72d31ce965ccfe3a259d5eff485b5a80d3d
-
Filesize
1.5MB
MD5ce8ee7e4e7b695d4af2c3ecf8411e637
SHA1dd7ea41c7c351e82ab5438b75a3d830574a0aa58
SHA2567cdb07238c8cc903e13e689d4de1129f5fb3b647e4a1c1e98c5a0e8516184ed1
SHA512ad3492b03af2d9b6bf2632fcc65703c0e06116ea3945c4bc401047842514e7789c31912e0887f20e234b58ce970ebd1486d9b5521a76c02dcc5e58804873c3b2
-
Filesize
358KB
MD5ed6a1c72a75dee15a6fa75873cd64975
SHA167a15ca72e3156f8be6c46391e184087e47f4a0d
SHA2560d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda
SHA512256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03
-
Filesize
2.2MB
MD57f84dfa82977609c70e15708df513a0e
SHA14bc3db683396cda2b80e0e35650234574e6f78f3
SHA256087ff871a8d10cb876601850d8c2bc976ac213ededda4fcc29056639f0888074
SHA512adec7d2cd6776e8da52ccbb968d29f3b2ff1d091173211f7fc7e972f46cdbb486544fe877327b28295a3f53fce162f9179a20d6b5e60d950fb13fae3e4c00863
-
Filesize
1KB
MD57920688cfc858d4ddd5ff5d0d4e2bed4
SHA11b71200216603ec9d476447eedc67c16037ee00b
SHA256b05afb785fa6343c167faad9921505847a86b08cd9411d231113f27f5d29d205
SHA512b550466f9adf89e6e71c000f6b7444a87aa138d0192d1823cfa796e8678a2ba88d0f5cbbb051b8d6ce2621276e3c33fcb3cc9461596361abbd2bd271c97c0351
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
452KB
MD583a4aa4e048bd8b95e99c0b33746bdc3
SHA1ef39e3b288cfd0c268c5fbc794f0863d2edd33e3
SHA2567a80069879f0ff1457a52225113a81dc6fdf3cf152dabc1f5f77a5dd815c96fa
SHA512b24d5ec5c3c212f4a36c600b20bb5b020066b1e535f6d0640cfde7ca94baafb5950d5c665d2e03508fc453cd8f9e54aecce0bf4914461a11ab23b3083df8c7ba
-
Filesize
4B
MD543208a29fcebf0f85ff4fb3dee4fbebc
SHA1abbb4dd59ac51984157e1e1b4742496405ae5c3d
SHA256b9333e242fc219b03950ab9aad5fe39b0cb0e854fc44d6719924277225b81450
SHA512b403e49510d6b131552479e3268dfbb10b43fdf082bd32c6c417fa404211e1a3094705231f81761e2d651571f247fd3ef3f9072815320749e24081cc7946f340
-
Filesize
11.9MB
MD5cdf5fd8df112699f3b55611342f4bf34
SHA1d927ca5e1d52621ed8433b12c436619f92e0d16e
SHA2568f065086ea54d0942e88da3d44c340ff14bb7352533db833cf04201a414456aa
SHA5125fa3cffda76f725cca6f174a1df71340762e00784d4acb3d44897b8aa72711abc012d269f18d54b0957424184c2c59122652e76faef25eefbca40d217a3d43fb
-
\??\Volume{eb4950db-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{67532655-71af-4759-9131-771f2a6c5124}_OnDiskSnapshotProp
Filesize6KB
MD58e7037276846203266c61835753fa8b7
SHA12c84645ec386c44932931def881ddf9eaf7d3cec
SHA25663bc31a1508d7fc0bc502ceb398910de10324bb795f5d9f34ae0f611d956be6f
SHA51271886a2e044efa3368f1d432b42777d50631d8f6c060f7807449644d328480bf9eda94cc03a5f62e06f7736429b17cd742e8be05587f06a1178650c9b07af75c
-
Filesize
1.0MB
MD5ff77fd2453e50e3d846587ec60ac8027
SHA14a7c389d241f7f486ee24229d13c0e553d255a8a
SHA25643ed3e85a7f0c80a9b532c11853a30a39a570b57f9e61703426bd6f25c30dbab
SHA512bf79b53049f947e9947a383677a6e797e703fada5eef96a762b11b7df727db6630c1697485861d9bfad0057865e119c86d10198d269cd144e4289b97992f040c
-
Filesize
76B
MD52b5beed06469bc15ef9d3fc81026d520
SHA132b9af19321d3a95a566f2720bf3594c8709017e
SHA256bc694c165646842697db370a7688753a08bed7803aa9aaaf626e54ad77b3b0fe
SHA51278963f15247f17099214e7c33d2fb9c3b01f1986334da01c2cddda957d7d916f74a0e7f1cf2d57b1afe6f52eb999e1cf2cf6b9fd3d2afdf7f6ec6b0a8532742a