hxxps://sub4unlock[.]com/FLD786[.]php?$=1111066&own=owner

Analysis

max time kernel
119s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sub4unlock.com/FLD786.php?$=1111066&own=owner

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673728741979402"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3020	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2464	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
4400	OpenWith.exe
4400	OpenWith.exe
4400	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
3020	OpenWith.exe
1180	AcroRd32.exe
1180	AcroRd32.exe
1180	AcroRd32.exe
1180	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 3264	2728	chrome.exe	86
PID 2728 wrote to memory of 3264	2728	chrome.exe	86
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 1912	2728	chrome.exe	87
PID 2728 wrote to memory of 2704	2728	chrome.exe	88
PID 2728 wrote to memory of 2704	2728	chrome.exe	88
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89
PID 2728 wrote to memory of 4772	2728	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://sub4unlock.com/FLD786.php?$=1111066&own=owner
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc538ecc40,0x7ffc538ecc4c,0x7ffc538ecc58
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,16150178167216531258,4992488704983456881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,16150178167216531258,4992488704983456881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1984 /prefetch:3
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16150178167216531258,4992488704983456881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,16150178167216531258,4992488704983456881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,16150178167216531258,4992488704983456881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4600,i,16150178167216531258,4992488704983456881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3344,i,16150178167216531258,4992488704983456881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3244,i,16150178167216531258,4992488704983456881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4044 /prefetch:8
  2⤵
  PID:4520

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2608

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\bot_nuker\" -spe -an -ai#7zMap16829:80:7zEvent2981
1⤵
- Suspicious use of FindShellTrayWindow
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\bot_nuker\BOT Nuker\start.bat" "
1⤵
PID:2700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3020
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\bot_nuker\BOT Nuker\main.py"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1180
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A9DA0FD1EE97CEF152893B46B37D1CAE --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4900
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DD50507E6579743D253CF604801BDC46 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DD50507E6579743D253CF604801BDC46 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1640
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=758177AD18A94F950B338EC2B58F1F52 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4636
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0571836455549573CF4A554D2BCFCDB1 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4212
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DAC09440D3E91D27833A984A291AD6C8 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0104d7686935cb116c43fce528e85aac

SHA1
217daeef281cb4a8555c793a9ec9817b5a0da2f2

SHA256
15cd2ca42ca8147245b90c87173196112f56ea4c6846f0aa7f10b409da5ded6d

SHA512
53f86b412fcb64bcbddbf7fdab51c66eb509925235ce05f93396d83d7f01d083d868f889c0c95024d4854bca511c607bffa653cafefb6d862f5121cedd903dad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0b007c92abf9c01add326745ff8029aa

SHA1
70abc84119781a1c651cec20605cc483b25e9935

SHA256
855ed81217b52803d20da7b845d88e3e553095bcbd689ca3183d16a2e82d5718

SHA512
4bc712e3b2967c8d788195364d86328ae592edbfd40eceb32405f2f5b28520e1ebe8fad8084f37b7953db887764d3ce83e070b161b7569541bf204eacfb3dd23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
85cbf074eea741b1dc0b3488de0dd2e6

SHA1
0fc06d758d1b7a4d6348b9c0aa2eb2df48003d6a

SHA256
4762948721f7f71cad064366b50265fa21ff1025cd231d3686797240d08aa5f1

SHA512
7f1daf65c6a3e270c8c5b3c2151c7cf658fc740ffe8591daea917d35e82b0c702e904f4613d0f9eeb25b3a253b499c17f2e6d0c906bc71ca4fc674e9836dcf52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e7d87e5e8bf36ae6318cc2230c1e74c1

SHA1
02c9731bccbc139fcff068cbf08b6a5d8f49e5eb

SHA256
a7620a9320e9ba052b77c90bcabd5582f2c09e2eff26e7cdcaa8d539ed26d2e1

SHA512
508c1556d03edfdb41551df790be45e52c0f9b75ec6b3efd9b990d5487827124688f64a1d26438b22974dd44417d8d1418bc37016410151e690cceb7bc1eed33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0c194958587577f0ce16484503beb8a

SHA1
070f2b5ac7ff8f2a172c5d9833d3179cf9901018

SHA256
5075dd7ff6a679e3a377a5d479cee8c8718dfec596c74e7c5699cbe7fc94d1ea

SHA512
2c81fa4d79e530d7d9e248512d7d7d3431c327827c3d6700683aa8ba206fb357676ddfc1b87a53897e2220ed795bc7bce4fb9177f72145609b1f52c658ad4f67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce0bbe12669870236aca7317bc0417f1

SHA1
ed571d756d07c8033936979f428034d680ece754

SHA256
b0145c5c4ef6108f6910efb85f594286dc51aba65ffcb05fe9f1fbf950478ad4

SHA512
9f67a89b617635975b29bebec4c63ace5bb8e0650a154747fdb1b520ec9ba38be827bbbf84853abcf07288cc43ab7643c17ccee67ebbdc5d186132b3b92957a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b057863a5edc45f58f6cd1fd1f526220

SHA1
4b036f1b20ea59cbc81d32ceb2f9b0080066c287

SHA256
3b46d1268ca9bc9fc986c4b1dede363d5c9baf7c95b2474c5c471a212442d948

SHA512
1c71378256ee1dbc2af7e1999e1dfba355fbf7e122af234a41cb21a4f1b204b0616b8d20504ade353da8640a4ee722b6f9b70ca4aafe5015499b3ab18e2ef018

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
32ff4f32df55b4110a09f8a8298e9a01

SHA1
3add885d5cddc0744e21657da957766914a914bd

SHA256
8f8e360eef8f2460c0729cae6ffc12302762253a96f55a400f293d8e4dcd0036

SHA512
8dcaee9f9b4d623e2d2f33e48a01f9dd2e1c832da4333112cd5797d13a0477e7fa2c787f26368e0425e5ad831615fc3a11aa2e50ad50064aa33d957c951d8561

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dee3ccb72dea8f33e5042f456987f80c

SHA1
d0bc96290f0d1db7550bf65307309b170ce106d6

SHA256
a987824c9769465708437fd7a58cd0632ba3bff307c718b5792cc6789febc78b

SHA512
525305938f46c145e1e9b18e665d7b5fcd718f37f199971de2442895e81c7aef28b5526111019f791ac83d5b0f723d3d37f1309705eeecc7457cff18d7ea0f6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ccd71c82b3b5b569a3dce79540ef6182

SHA1
68499e4bc3c615d8cc98a519073f35c6b9f74a3b

SHA256
2ec1782db783a118bf6f5dfb6eb8cb57d9caa7c2824204fac6fb603aa295ad8c

SHA512
f5ae1ea5e1a31bcd8c29c3f78bea4fe9709a6bb0b4697f9a158d85b94fc072ec0fd27f0f16ac1f26f396794a12f7f9eeba70e8d082e07db41e02ac10c9a7e73b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d20c1d0a62f1244ecf6b608ac8761fed

SHA1
0c9b9491cacfef383fe48b864e5ca1b5152e70fa

SHA256
be14c1e6775bd0cbed3c2d96a5df447fe773f40f378aeb3b19e69e002a0906c5

SHA512
e2048bb30ca50824ea0ff1e645b5f33ed49f8ad47059759c23e07bb4f7ba469da4540fce760f2c399e40bfb78eb957f8381c1c6037bf37394ab658de3a35c77d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
fabbb3090ca32028ab43229036439eb5

SHA1
f81613c5d065333ccb8085eb948a468ce913654b

SHA256
9170594f8f2ca5e83eaf357822077fd2ae498d488ae711887bc329cae22b9431

SHA512
00fe86e7c0aff27e423ffdde38f026de4358238f8bb23dfd688eb0df93fd94f87722bf46490b07d3c726a4f6207f2b07c9925cdce1ad7b06e906b400dbd0b802

Download Submit
C:\Users\Admin\Downloads\bot_nuker.rar

Filesize
3KB

MD5
46ad7c742e1a336aad3d5855adf57c58

SHA1
116b9635cd5af5983055a88f1cb09298309274e8

SHA256
71212871e1de6f1a16861b66e777f1326bd0fd5b253245b5a34ed0a434a89cc8

SHA512
33dc5bdb2799d60e27c8bc6e323aebeec40bfd7b3779b939168baadc51a0e4895afd043c7f7e19b8a3c063d6a2be73319c050d9dda63b9a21307344240efe141

Download Submit
C:\Users\Admin\Downloads\bot_nuker\BOT Nuker\main.py

Filesize
28KB

MD5
fd1ad324c7cea5d066874390bb0b7ab8

SHA1
76f9324ce4f5d51440c8a68654e16190d33b02bf

SHA256
f34d3494280f8b11fa90c9768b034fd3ffcb50a97c9f7fabdc2e25630a66d6ff

SHA512
5f1c16260b4b35175a23b01203204267f56f140d8b498a16401db26ca6a91a02c91566945b707c0593edc3ca976ca8ff3f99e5005821c145d09f4a80ec609060

Download Submit
C:\Users\Admin\Downloads\bot_nuker\BOT Nuker\start.bat

Filesize
17B

MD5
4dd2bbf958af0350871eff73e9f4ff58

SHA1
3aed0d2a5c585695bc13f21114bbf23bf1a49b42

SHA256
afd122bd4767c5eba0aa313b273b8ad03a497d3bd73da327f332714d6f2c6585

SHA512
06419f04a947825c36bbbc3d9182699bafc15987583cb0db4aab2d60fea080abbb5bdb0f8179ae56c41bd8a1a112e7d9b2e82bbcddcc2b2fd6d670113ade7104

Download Submit