Analysis
max time kernel: 79s
max time network: 82s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 14:21
Static task: static1
Behavioral task: behavioral1
Sample: setup.msi
Resource: win10v2004-20240508-en
General
Target: setup.msi
Size: 25.2MB
MD5: 88dc81219af896d0bf89c205979f508a
SHA1: 80b08945363dcc1d2c95901fe0f0b40d6caaaa8f
SHA256: c9ae88c3216428361342a043e3792fc650833f3825e13c801a1175858c0a9094
SHA512: 88aa35ea8a5586938990422c5bd2c2e6b4114aa9a93ffc2afb960c7ecda26336947aa05c0125eaf15a8fc1c104c5e9973614f917b58cb5d533a95a52a3f05c3c
SSDEEP: 393216:J+mPUMxcXDSfln4FDkMp3Hmk42/uzOqIQmavPbAzpJv:J+PMxVfln0gMVH8IjqdmavszpZ

Malware Config

Signatures
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
Drops file in Windows directory 16 IoCs
Processes: msiexec.exe
description | ioc | process
File created | C:\Windows\Installer\e574815.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4882.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4921.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5375.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\e574819.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4910.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI53C4.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{D3A13E70-1EE4-4106-B530-CD79B9DCBE5A} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI83DE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e574815.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4931.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI49A0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI49C0.tmp | msiexec.exe
Executes dropped EXE 2 IoCs
Processes: UnRAR.exe, steamerrorreporter64.exe
pid | process
2292 | UnRAR.exe
5036 | steamerrorreporter64.exe
Loads dropped DLL 9 IoCs
Processes: MsiExec.exe, steamerrorreporter64.exe
pid | process
1456 | MsiExec.exe
1456 | MsiExec.exe
1456 | MsiExec.exe
1456 | MsiExec.exe
1456 | MsiExec.exe
1456 | MsiExec.exe
1456 | MsiExec.exe
1456 | MsiExec.exe
5036 | steamerrorreporter64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Modifies Internet Explorer settings 1 IoCs
Processes: AcroRd32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: msiexec.exe
pid | process
3988 | msiexec.exe
3988 | msiexec.exe
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid
4
4
4
4
4
664
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe
description | pid | process
Token: SeShutdownPrivilege | 2260 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2260 | msiexec.exe
Token: SeSecurityPrivilege | 3988 | msiexec.exe
Token: SeCreateTokenPrivilege | 2260 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2260 | msiexec.exe
Token: SeLockMemoryPrivilege | 2260 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2260 | msiexec.exe
Token: SeMachineAccountPrivilege | 2260 | msiexec.exe
Token: SeTcbPrivilege | 2260 | msiexec.exe
Token: SeSecurityPrivilege | 2260 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2260 | msiexec.exe
Token: SeLoadDriverPrivilege | 2260 | msiexec.exe
Token: SeSystemProfilePrivilege | 2260 | msiexec.exe
Token: SeSystemtimePrivilege | 2260 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2260 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2260 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2260 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2260 | msiexec.exe
Token: SeBackupPrivilege | 2260 | msiexec.exe
Token: SeRestorePrivilege | 2260 | msiexec.exe
Token: SeShutdownPrivilege | 2260 | msiexec.exe
Token: SeDebugPrivilege | 2260 | msiexec.exe
Token: SeAuditPrivilege | 2260 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2260 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2260 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2260 | msiexec.exe
Token: SeUndockPrivilege | 2260 | msiexec.exe
Token: SeSyncAgentPrivilege | 2260 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2260 | msiexec.exe
Token: SeManageVolumePrivilege | 2260 | msiexec.exe
Token: SeImpersonatePrivilege | 2260 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2260 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Token: SeRestorePrivilege | 3988 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3988 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid | process
2260 | msiexec.exe
2260 | msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: AcroRd32.exe
pid | process
1104 | AcroRd32.exe
1104 | AcroRd32.exe
1104 | AcroRd32.exe
1104 | AcroRd32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msiexec.exe, AcroRd32.exe, RdrCEF.exe
description | pid | process | target process
PID 3988 wrote to memory of 1456 | 3988 | msiexec.exe | MsiExec.exe
PID 3988 wrote to memory of 1456 | 3988 | msiexec.exe | MsiExec.exe
PID 3988 wrote to memory of 1456 | 3988 | msiexec.exe | MsiExec.exe
PID 3988 wrote to memory of 2292 | 3988 | msiexec.exe | UnRAR.exe
PID 3988 wrote to memory of 2292 | 3988 | msiexec.exe | UnRAR.exe
PID 3988 wrote to memory of 5036 | 3988 | msiexec.exe | steamerrorreporter64.exe
PID 3988 wrote to memory of 5036 | 3988 | msiexec.exe | steamerrorreporter64.exe
PID 1104 wrote to memory of 3008 | 1104 | AcroRd32.exe | RdrCEF.exe
PID 1104 wrote to memory of 3008 | 1104 | AcroRd32.exe | RdrCEF.exe
PID 1104 wrote to memory of 3008 | 1104 | AcroRd32.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 1896 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
PID 3008 wrote to memory of 4680 | 3008 | RdrCEF.exe | RdrCEF.exe
Processes
(child processes are indented under their parent)

C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A2BF05FCF4CA0791AFDED877758D3CC9
    - Loads dropped DLL

    C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe" x -p "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\"
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe"
    - Executes dropped EXE
    - Loads dropped DLL

C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\RepairExpand.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=90E616E102CD307A3D5F4C3241B7BF69 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0BA1C568721DA0EAF1B54B8573F06F48 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0BA1C568721DA0EAF1B54B8573F06F48 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=164B22FD634A22786771CE427AE6380E --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40DF11F6521A5F1F4307C2BFC83B3D09 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E067F57DE0EBB23208A16452D5292B2 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Config.Msi\e574818.rbs
Filesize: 22KB
MD5: 2043849004b76dbb6bec40b062cb5780
SHA1: 151a9381b10a8eab6883e8d4fe46ab5d0828b87d
SHA256: e8b2fe08d9e1c0d187d561e6e6e1c749ace3068e5d712f5a27736d81f8b4a09f
SHA512: e58f07e29e94e94cf2412280d0aa1d6d7cfd9b2806d56b04eb1f7bffaa0da589b2dff1f1725bd206c9deecd455bc36554c84b28db0ee33a861ef1cca91b4d58d

C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe
Filesize: 494KB
MD5: 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1: 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256: e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512: d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar
Filesize: 377KB
MD5: 12d808fb55382fd418f040a58224005c
SHA1: 4a5e4e8b846a66e3030a2f47e241220f4705e645
SHA256: 726ea94cc3bafd39b372ad9b5282b7393bb07f8e5d412874eb80c53f0b17e01f
SHA512: 29c10a08c3e31f6edcbc7f8a41ebd0f065acb275f3f0fca5c19685a759445f3a01756cbcf9846f25d59ae8e9fd03d50fba205eee3144f37e7d33f0e8e1300d17

C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe
Filesize: 639KB
MD5: fd3ce044ac234fdab3df9d7f492c470a
SHA1: a74a287d5d82a8071ab36c72b2786342d83a8ef7
SHA256: 0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
SHA512: 86d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d

C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\tier0_s64.dll
Filesize: 386KB
MD5: 7e60404cfb232a1d3708a9892d020e84
SHA1: 31328d887bee17641608252fb2f9cd6caf8ba522
SHA256: 5a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766
SHA512: 4d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c

C:\Windows\Installer\MSI4882.tmp
Filesize: 738KB
MD5: b158d8d605571ea47a238df5ab43dfaa
SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

C:\Windows\Installer\MSI49A0.tmp
Filesize: 1.1MB
MD5: 1a2b237796742c26b11a008d0b175e29
SHA1: cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA256: 81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA512: 3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

C:\Windows\Installer\MSI53C4.tmp
Filesize: 364KB
MD5: 54d74546c6afe67b3d118c3c477c159a
SHA1: 957f08beb7e27e657cd83d8ee50388b887935fae
SHA256: f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512: d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

C:\Windows\Installer\e574815.msi
Filesize: 25.2MB
MD5: 88dc81219af896d0bf89c205979f508a
SHA1: 80b08945363dcc1d2c95901fe0f0b40d6caaaa8f
SHA256: c9ae88c3216428361342a043e3792fc650833f3825e13c801a1175858c0a9094
SHA512: 88aa35ea8a5586938990422c5bd2c2e6b4114aa9a93ffc2afb960c7ecda26336947aa05c0125eaf15a8fc1c104c5e9973614f917b58cb5d533a95a52a3f05c3c