Analysis
-
max time kernel
193s -
max time network
199s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
17-06-2022 17:36
General
-
Target
SCAN-308928.html
-
Size
936KB
-
MD5
4fa012174f4858a0a0220466d6b7b832
-
SHA1
b4e17de0b0579c0bead99f252635e19686335c69
-
SHA256
df9fcc3c8b20c1bbe485985afdc0b13af5de43309cb541e7359071d3c01cfbc8
-
SHA512
f47d2786021f164d381cb0683ba00570636d673bd208a1407eb1d414003bcd66c0d3b392f33f0c195ca4c9904831b60819618eb20dc3145607725793e59ea6c0
Score
10/10
Malware Config
Signatures
-
Matanbuchus
A loader sold as MaaS first seen in February 2021.
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 59 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\SCAN-308928.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa56bc4f50,0x7ffa56bc4f60,0x7ffa56bc4f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2388 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2560 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3064 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5576 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5820 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2788 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1076 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3624 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,1567750731869183332,8074871580087430077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3592 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_SCAN-308928.zip\SCAN-308928.pdf.msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll2⤵
-
C:\Windows\SysWOW64\regsvr32.exe-n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll3⤵
- Loads dropped DLL
-
-
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\SCAN-308928.pdf"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06BC68E0A8DFB0B9FA39E202E561D19C --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3697C391ADBF790137E8FEAB47C9BAA7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3697C391ADBF790137E8FEAB47C9BAA7 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:13⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF31FC261BB5C13BA4726C6EA7034DFC --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DABA6737AFC31AA4A251AAF3D9D1AD13 --mojo-platform-channel-handle=2352 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=73F14287C9F9BDB76A8227B0811D65DA --mojo-platform-channel-handle=1880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:32⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"3⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4168_736891264\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4168_736891264\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={81ee9abd-e3b9-4913-bc05-3dc094f20e5f} --system2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
Filesize
471B
MD511758d1f5ba1328b8a7e1d51e04f6ae7
SHA15747db1ccd5288570646b8ab84ffe0af4bbf8eb1
SHA256173325e5feb58075f37d8fb7b8efae817b65b57c35e791f17216bb0a10d42f27
SHA51244a8fe50efe2d535a35f4c0d12e6e9fb1d8f283685760883552668bc5b304d28591cec0ddb545592f9859d0f2ab99eee07577ccbb85eb854bf268fb90acca425
-
Filesize
727B
MD573ac237453f0f6bff2dfe61de511468d
SHA1afc5cb5cfd0a494c63b12eefa006f5560d72a4cc
SHA2562c601da2cdaa11fef3cd1f30c22058a07fca7d4898458e0ad7509d5c391f5598
SHA5126b33eb27f5c63015ccfd755dfc5409a72ce186baf23a45391432fceb6054f92967d1641ad1ce9e8ba0cfb2f4556cab56afa6eda7a65199bbbe65201f0bab6271
-
Filesize
727B
MD5dbd0ea3109b08b1c543287c52f386fa2
SHA1f062abf3894c0a5dddb21b19782466db11ead513
SHA256d32d6c2ddd4165ff710d503cd874aa96a7c45a74d08b98eb6ba6e1f8ce86bc18
SHA512f2a56b17c9562fe6fa4e8f91a7aca9f1c29053ea0fe26be109b6e0ba99bac756dc4e2d27b2c7c98e60008c8e4ff4c87ff063f4f4272dfb59436f56de14fb3555
-
Filesize
434B
MD5ce3f5b8f6e504b54143cb763083d59e1
SHA11c37d62331744fbb4900bcf0e548bcb99f5bcb67
SHA256408604a441bfa640ed12fe995d87dcb750c7f1a31545d91845f8a4761daecbdd
SHA5126b25b301c06f816a9a860ad6c4b1d6d2c712d1710513ab5861b6240ed8388a6cf6eb1dc04e55e74b55e511acd0a33fc272ff764ecf4ab1225792e6f9e70d530e
-
Filesize
434B
MD5c87c39a831ff08f25039629197b6ed49
SHA156e966f13a1fbf1a8b61b0ec727e754dff55b34d
SHA2560102a7b8d1a2e0628b7bb7b76059e15cc3dd78431e083a02c2515afd05822a76
SHA51292e2e1bf8afd88b1a866038ce05210c362b7e73973e589d1a01e236f2a17d91b975578c65d32943bc5369d435e7cac511d78c32d13500c115aa88507e4a85583
-
Filesize
412B
MD5a777f3a563a9933334dc4b6259a4b80f
SHA101d000079a9b36fd0d944d0eecf42e83f75b469a
SHA2569f1e187e0192eeb67740eecc519a4575df37ed096a5d31553b3029b92a15e4cf
SHA512885e5fd84d1432c0aa2445d913e9eb59ddc9c1e7715dcc67ce13d08b725383da135ddddbd2a52e7d0baad8d7c259c2229ee9824b949e3517439b2702fa0da454
-
Filesize
401KB
MD5ab26edfebc42dea6681c8a23b964ad59
SHA172d820702dfbb3716722f08c4ddfa446fbd1a161
SHA25688f50d29a83bfbe6a6c2c490a22e54cd79718f60a4ea574017d491d78ae28c4b
SHA512406a31427270148b33dd2eb50f1f87088728e9cd68d6ac9cc168e59a949b341487925fef85643c2231f139fca4e10c0b7215e3ba41bd8fdf505c09fed0360d2a
-
Filesize
401KB
MD5ab26edfebc42dea6681c8a23b964ad59
SHA172d820702dfbb3716722f08c4ddfa446fbd1a161
SHA25688f50d29a83bfbe6a6c2c490a22e54cd79718f60a4ea574017d491d78ae28c4b
SHA512406a31427270148b33dd2eb50f1f87088728e9cd68d6ac9cc168e59a949b341487925fef85643c2231f139fca4e10c0b7215e3ba41bd8fdf505c09fed0360d2a
-
Filesize
68B
MD50308aa2c8dab8a69de41f5d16679bb9b
SHA1c6827bf44a433ff086e787653361859d6f6e2fb3
SHA2560a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
SHA5121a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72
-
Filesize
141KB
MD5ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA110958b0f690ae8f5240e1528b1ccffff28a33272
SHA2567c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA5126c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf
-
Filesize
23.0MB
MD59ef76000ed48febd033fe2ca26462a09
SHA12fdb41636b4937c07d0e6f8e965c43da44df42ac
SHA256b7260f131db27660ea8678a32e5e29c0ac921baeebb2df88c0c658d99f615cd8
SHA5122fcde2fcea14171b573b02a5d7c240766cc2adae011631794fb354ec8a9a74c80dd75817e09bfb1293fda78210d236e2179f17248a41a4e6f818f8a52fe12048
-
Filesize
5KB
MD59bf6fe1c78ffd59883b9b5b76f34bc43
SHA12b25e3d74c0bd602bfda4a17fa6c790bc50a9124
SHA2563a9402556bba76232692af3bde50bfac7e07ce39be501b99a85d51997332c591
SHA512fe378a45a44603b4c000878eaddb95dd99ce4d6c1b4b316466244529e3f933b51c81d5c6dff445332667236e2113da21f3b9a9fb43191e89fd69290fbcf32bd0
-
Filesize
64KB
-
Filesize
64KB