Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
03-08-2024 11:05
General
-
Target
https://drive.google.com/file/d/1AHIHOopROTZPm08llkFZjJdHIa6GRKuG/view
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 4 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 35 IoCs
-
Suspicious use of SetWindowsHookEx 57 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1AHIHOopROTZPm08llkFZjJdHIa6GRKuG/view1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb37df3cb8,0x7ffb37df3cc8,0x7ffb37df3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2072 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4732 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8272965220839042766,3135320458003746756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\FPSAnimator_Playable.rar"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5D597D1E750DFFDD65408EFEB55F4ECB --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7D8FDFD89E77CE0E5C970E8035E2D0C7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7D8FDFD89E77CE0E5C970E8035E2D0C7 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6A01C314CE6E19726CA73044835728A7 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9079911708C789C300E70EEA45E3657D --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=90ED356AB47586B8EF29BCED57ED2CA6 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\FPSAnimator_Playable.rar"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\FPSAnimator_Playable.rar"2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 11963⤵
- Program crash
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 744 -ip 7441⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD5cc64bef63991cf90d8ac0c15659742eb
SHA1c958ef3335af13fc9c355600f596e8e89d79ac94
SHA25670ab1a508899b3d98024cd356e7b059e7de094e81be9de23fd64d0b9ed661fce
SHA512b42ece877d70279a86d4e4f10e614ad353bdce3fcbf47cf9da8c0f6b57897d1b7f2dc2469ec8d81056fcf496973dcee2fc96387451ae0a285b9d7b49935af971
-
Filesize
12KB
MD5593339bf3733c764cb68618cea2cee6e
SHA138be5935390b4aceeb3dc98c3c17db3ee30fb574
SHA256a683c862c6404a91889b4fade8d76097989558e6a5623954021f5eff1ede00b1
SHA512128736805ada83bc772911d5cef2ab4ab65070dea02e18181b92cf681356891186407c64eb7a6527de2b839b31b91a9c322c234690845ab2ea93ca61b3d13cca
-
Filesize
12KB
MD5107673e8b0ff4c2766066f980a481236
SHA1ce7e5ca8041923fe6d9678bf0e1732756c54d580
SHA256d2ca4569b8cc187b09f8c060f583d310a8f8944586aa28c83f1499900ec6512a
SHA51254e9b71362de1b0ba56845a5a9e948876ab96d4117d91d46fb12727c2596fb700277a057b6394705317075c30aecb534afc0563a7426176e7e1cd3846aa097bc
-
Filesize
152B
MD5a8276eab0f8f0c0bb325b5b8c329f64f
SHA18ce681e4056936ca8ccd6f487e7cd7cccbae538b
SHA256847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da
SHA51242f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918
-
Filesize
152B
MD5058032c530b52781582253cb245aa731
SHA17ca26280e1bfefe40e53e64345a0d795b5303fab
SHA2561c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e
SHA51277fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f
-
Filesize
3KB
MD5d8cff2b77fd5bdc6cb3eb238e8f11dc2
SHA1e99ac7e953943b03a30dba4df6f1f39411d38fe1
SHA25640882f8198c76c2c3478127b6074664c9d61c06659001e77893f41ad5924a45b
SHA512f6bc06f0d19dfce0b27950e43e78bfe463c93536275ab20966bb73eda4bb9b7bc0c6d21ccca81f7f338d4b7c427404c1f9b8166a4d289e191016622cffdcaa06
-
Filesize
408B
MD50401d8bc545e2fa2fed771ec40f63cea
SHA104417be2f549800ca4340d2763d76f83c46e7f5e
SHA256cdbac977f96571a9bbc614f9f8898cf50c25b3b8dc7070a985171686a3baaba3
SHA51279fd371c354c6a01cca66c9ff6d64926536b7efec434f4313e1040ef721e812ebaa97b673457f8eebe2e371548ef709003d75d16850ef3601c75d0559fda105a
-
Filesize
4KB
MD56cac406e6d049c71ebf7600b29c95e3f
SHA184f60435ce335fd4f63a9fcebfa77eccc51b8df6
SHA256f7b417fdc513622704065b8bd2436b02431f19f7495ccc1aac73b7f3dc72c989
SHA5121ac6b615192aa5ef7539640d36716049854a34eb42ec66e0cbb88c98beeedd508ea5a2b5508203b6c2f44e91ced23d0c44fd9171bb6ef8f72a69033cb97323cb
-
Filesize
3KB
MD59c4d81fe7ef1b34f05b4216e3198604a
SHA13dca194c628fc579e3e6a14485488e17cf5d2844
SHA2569aba28601ce5bcf3b89d359143512fa37b252ba9bad7baa67c40703e5e56efd3
SHA512f647c3bd090c7cae05631af3241e60e352b1d97fbdde9c1659fcb27d86ba4ac00f91265ed9ca4c07ecf0009f6ba494bacdd641b8540ee3ea0eb958a51685a11f
-
Filesize
5KB
MD57aa50a86b1ef3969dace38f46fa3e161
SHA1ccd3c48030aa0b42fe3b5e4a84f3b1401d4036f1
SHA256b0a29ec5eed05b480b4918b124d86127e6577b2579f456dd52dd586a6a4d5dbf
SHA51264ec18a786b97bd05c5a0052b128c8c31c3c0d8297c6ac9092186f4c5b3423ff212f4eca79b74675665cafc3a7e8c9061d27edb434b2ebee85f3faca15097626
-
Filesize
6KB
MD543a864c00d62bc056762304d1d24c87b
SHA1fa99ceb62bbd4b674a29043876d37b22c953c64e
SHA256663c4ace31a4623779b3c5f73cbf8130910abf99f6a6a9571174975f3eeb8d6c
SHA512ba3daa1e8c5bc6a3f0536a72b4364fa30c110c4383610f543d3ad199841ff31e26c7fcd1090861f0a8e5f4ee1572b68fc158149201cde10d9c945f2dae42448d
-
Filesize
6KB
MD5bad7b0d539a3170969c1ba35670a31d4
SHA179b318367605077f086c5623d0f85f243e57b100
SHA256e9c225bcb5a5e3b4c59d68e977a003fccfafbbd96069649925c5f679849eb067
SHA5124824a4413de2f788049c8ad687800486d029d818534ab9c5187fefdcb975070bed1a65a78c3ef6e0138ec7c5f7e076bb76685abd0eb8af525c6bf042d0fc469e
-
Filesize
6KB
MD52132661966bfe9adfbedb3dfa82a2f8d
SHA1c876a986d2d03ab49594eca44f503efb38f1b591
SHA2562bd3918f295fa30c85d6a539751b52076532944d3662eb648802b1c79fe39021
SHA51261e9e859978e44998a1b5dbb9986ebe01d26ee62a60b0cdc7bfe4269b60ff5413131872f46393659abc36aab719bd846d4ee9ccf94075d011720cefb777b1d4d
-
Filesize
1KB
MD578079365014f15dfde76de7cebdde1d0
SHA1acbca2645fdd9ab30b4ce6d49d3a4cfd39270224
SHA256f21c3720d278ffe7f97a794a0e437337ffb6749b5857f2953367abfcf44e1a62
SHA512ac1e67402704f813b795173960d4a3ad047aafbcbb07b9a1c7449e78c0f84f6965c83b40330152b708187bb21396175fc06c725af4e0ef7fcb1f239cec1e628a
-
Filesize
1KB
MD5aa37d9bed7227b5419586b7502dd8e57
SHA1154aae5746d7c8150385dd19a6edd5480be914d0
SHA2560c9110fc0dd0ecca3ffd581d251688fd923cb3e895a5b97e63fe36999210c6bd
SHA512fc8bea29fed96417e57141878af12169412a1ea98e51a2959e716b58408321a3cde47282658259862f4067cbd1b6e099cce11c727280d92c9ae44c32122fc5a3
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5cbe6578e13154c56b5657bf471eb8ebe
SHA1001c1531fe57357a15f6ee9724ef66115f5ec9e7
SHA256aff5d2b65612a9d3fc272507bb141c952cce1f3e297e39815a3180592969e166
SHA51207157014e9ca10989bca1c057d51c98c29ab8252e5a3cdb08412605fc64cdfa22ba8a3d4a729c1857f3d8daa6bdf2416e5e8d8977d87b612ea403346bb34328a
-
Filesize
11KB
MD5bf7922c1e074f841c5c7b05b8bf3774b
SHA14ff851f2296b8ba88659264af13a644858b89dfa
SHA256717000a9a61f9bd62cfe19e50df5c2cc0b12e4a8299b48a5eccf1c243882224e
SHA5121660d51a1a09dbb270ca0179bb31daed09360d8b38efcb951eded7d3a60c2c1c508b5c009d62e83899a3e75d3d7ef624a99873151ff462551c6cd93a63840d85
-
Filesize
11KB
MD5093d2f7a3b35e0c7c71f43e4b794203c
SHA16960fb66611ffa6e02b05d282d853c97b94ecbdf
SHA256682ece2ed52944a3bc7674864f50a9dd0a2171f24adaa7a77def72e6f1b8cec2
SHA51256e41c64762f48a7b69e4c2f9c9a67c0d8bedf5c0de61bad576a70d85f66f022f97b464f59ea03bd768fd71245e5809206df7a43451804fdc64e90d6ccaaad1a
-
Filesize
384KB
MD5a90e66b429c083fff1601e745e6d28a9
SHA1e8cff5d18831b9a878902072de69f6d40955cd76
SHA25694ad6f79cf2ab5230b25a6df555fa411c74f245d692852fdf7ba7b6b7dd56a15
SHA5127abc4bf71b3875e1825ef1c95ec42d9cfe99a773da3b917f929cb8aa0b310df5af4853beb3b800c9e9a07b3fd008214bc5552890c55360aeacd3ea6a69b30350
-
Filesize
1024KB
MD5f57f2a3d28af1be361ae0a4ff5ff739d
SHA145faaaba1677c3c0d7dbceccfbbf299e1b6c22c5
SHA256d83a3e502dbd8dab86cc919e39dc2682e9d11152b5756e8b19c1a7b21ffc208f
SHA51282f7a2c11afc500372eb0c0ba5585b05d97d26e7dc67e5c232fab89d33e2f250f1f223cd1ff6687625502ec79e7b49eb458a8400475651316bd91ba09ac6c42c
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD5fe640100138409d7165ecfb526d9d94b
SHA1ee298e57c6de374f8a945e38034b4be994f9f15f
SHA256cf798cc96e5e390582e6070161ec519282797a48d9baf6f22e8b17142e78e242
SHA5125a3581aa5e4e0fd216332e3f340408d0684151e1b517e2fdfba2b666c3595b386cc47871dc02b4e260fe0e70872ed79efec23da20944317e6b3f7ff409cb754e
-
Filesize
87B
MD5c7399842fc1c9263bc2e78bf40c8b533
SHA183f37bc6a334c5025bd2dfda8b1c6c6e0a36e5ea
SHA25678991c92e9f2058648c670acc7d140a78d0bbb8f1d123e98955d519fee4b1f5a
SHA512e3c5d5f74fd04e51f606e7d7b97808f2a6c30e8d354321d3ce0f28c1a88250024b951de7b79665a298e1783c225f3fdc1dc34e748b1f7c7c3a75d8e9bb4f6c26
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
208KB
-
Filesize
92KB
-
Filesize
2.7MB
-
Filesize
92KB
-
Filesize
16.7MB
-
Filesize
992KB
-
Filesize
68KB
-
Filesize
2.7MB
-
Filesize
116KB
-
Filesize
260KB
-
Filesize
2.0MB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
208KB
-
Filesize
992KB