68d1541ba606eb5397cb488bddcc857935b5ee24e2e5d8a072bf288c7b20c473

Resubmissions

03/08/2024, 06:11

240803-gxlp6avgrj 4

Analysis

max time kernel
33s
max time network
34s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/08/2024, 06:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

The BEST PSZ!.rbxl
Size

12.4MB
MD5

fb8d8d831451349d7141df7b811b9035
SHA1

8d0a12dcd08cc8a5728c14ae3d543cfe3d501c67
SHA256

68d1541ba606eb5397cb488bddcc857935b5ee24e2e5d8a072bf288c7b20c473
SHA512

f6cc74c36421b029abaa3afdb770033bbb0063f05fcda87b97117c3b36f701d66b45476d94b199e8777c141aaa6ccd359f3b355373032271dcad007cab6e19bc
SSDEEP

393216:ANaJHrQ6GLRpPoAADu+yyAV/UKw7tsypZ:AwNWLRpPoBlAVQ7tHpZ

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4572	chrome.exe
4572	chrome.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4468	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
4468	OpenWith.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 560	4468	OpenWith.exe	82
PID 4468 wrote to memory of 560	4468	OpenWith.exe	82
PID 4468 wrote to memory of 560	4468	OpenWith.exe	82
PID 560 wrote to memory of 5004	560	AcroRd32.exe	85
PID 560 wrote to memory of 5004	560	AcroRd32.exe	85
PID 560 wrote to memory of 5004	560	AcroRd32.exe	85
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 2952	5004	RdrCEF.exe	86
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87
PID 5004 wrote to memory of 1508	5004	RdrCEF.exe	87

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\The BEST PSZ!.rbxl"
1⤵
- Modifies registry class
PID:1812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\The BEST PSZ!.rbxl"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EF9F65B05888F8B0D79CD1D887EB9AA7 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=52E173736FC99077D8EE20F035F09D52 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=52E173736FC99077D8EE20F035F09D52 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1508
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=57FFB836E6EC3E2917C5B8D9A581EF34 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:920
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ABB20BBAF3B4331B85404C8BE3AF29A9 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4748
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2EEBC10D933A7D7A04EDBB30AACD61DD --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecd55cc40,0x7ffecd55cc4c,0x7ffecd55cc58
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4996,i,4634592810725833380,12475592163913060980,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:3032

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
77ab4f4f7a0a5f64b3ffc9425173b178

SHA1
9b23ded31b91778c653f2cf5d3be2364a578e4cb

SHA256
9085d1606e7129e28bfa12a7823835e54f3aa91a1806e3212e2dd2c553ac2c84

SHA512
95d0729afac6a8bc1eb9917999751d1ce2a79aa5cbb49abf9fac790d9e16c9daeed87be21ee3b4f4132d4e7d51f1dd7c212893321ce7b6771408df60832b36b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
dd2192934d5744e81c506b4c4667bef3

SHA1
a6ec2e7d014c91d079c1002e13a5f0a1140f27ff

SHA256
f296689d076dc116c8506aeb6a4fa4ed97554c722b117ead7e055b3530c08fdc

SHA512
1f4f69dad7f900b8202004b7b1ba6f855f64cb7b470b13ff3a2b9f0b67ed7eb278cdee720613dbbac39a17fecf52afecaaa7772911f47bdcfdbe294e2f4c85cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
64df6c04a769d9f796ebd7c3eb70f248

SHA1
6704b31bc702b8a7cbdacd68bc347b00c2321ffa

SHA256
4c8337dfce9a838b31fc8dab673983b30ddb1763eedef6f534a82ddd9ce281fe

SHA512
387a0c7b6d616e2639f9a27092335b2a76c2b202b40221ad7a652ff0689730d5959f650dc93b8f75052ecb9180817fd71769ce81bae691c19878d3c9a35ddc00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
7d03485903be4f7a44f2a5c7ab321013

SHA1
06907b9a4ba1d522f7bee958020d7095af85b38d

SHA256
1f3c1db66a2f2ba64ab0bfd322929b8f3e306c108cf688bc70873d7b106b1b1d

SHA512
09a26a39c57f1ac38d05889660c4c8bf16300a6a555d4c038196f0c12eee157225df0886f485e6266c480f185974c79c7913ca9512b30f296ece4b6df487059c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
0164b0eef95e8acac018eefafd5a5877

SHA1
ae3cd56a2a0f7167aa7db340f6518d0b62423d3b

SHA256
cdb3137c16a2e1ed71321a161f64d2a037ae88f8d65f05498003263b1de29571

SHA512
b080660d8ccf5791a18430f3451b8b69827224ea79b012ac8da8ec54b06f9f6d77aaa3dd11b57dfce165c9cd299e8e9703934e691c8f4ebc72c319533f258a86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5bb49147ffa32ad06cf6862d61fb53e2

SHA1
ca0303979ec53e81c32bb1397ec642f7bd7f5eb4

SHA256
9a44dd533fbe4f6a88765d32e2936e16fd02065369e24b02682f4c528ef335cd

SHA512
6d30d000c897196ff18fed5bdeb5f23f8bfb491eb65eb6d84b983f41a6506b20431a6fc3d961bea9f8df1b727dd5ae9897dd3d69301f828d26734c14963efa30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c8acc9fc155440695c8ab4fe081b43cf

SHA1
d74a0e6fc855850d97f560e6def51ffecf47b138

SHA256
d6c14976d6e540283e841cfbe7ebfd22cc0b17343346510707775294701a2f9d

SHA512
a1af98a48375859677868cde157611235809c474997e47a1e8066dd121dc491681c8693dfc2fc736189d91afd417eabaa37ec15a12605844166c6bb3ac42c118

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c6708c38a8a5f307ddb9841d03fea654

SHA1
d78c48d3da45cf837599a84491ed6a23232a8c9f

SHA256
5224a013a1dddd17928822fdd8b94e716eceec167f8d91069449b4f7313e72d5

SHA512
f0959a2deb225783cc40eef88a60a6d32e1e4a4916748fc8a51eed01b953c5fafe21ddd66ba06b8f81be7ceb5cd93f4189a2244615fd0de188456f189525762c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
2adf1acb35c7e4f8579ac54f09ce5f5e

SHA1
6306935a7c000e8095e64504cea72ba07d2b561a

SHA256
7a83de38ec7c0b64f34bce2a7c6506c84f9ef0c2a4962a16c9daf76d80bcaeaf

SHA512
f9cdadea568a1b24c1935476d3b6ae84a553db0ae610ab05d6625a2086f31462a694eb280a3e6629886f06efe320b677dbe965b56fc744f62dd7c842acb2731e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit