Analysis
-
max time kernel
415s -
max time network
399s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08-08-2024 06:56
General
-
Target
https://drive.google.com/file/d/1zhx2sDigW4t44fuINHEUqkqU0yKuRA2T/view
Malware Config
Signatures
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 23 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1zhx2sDigW4t44fuINHEUqkqU0yKuRA2T/view1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce21a46f8,0x7ffce21a4708,0x7ffce21a47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5576 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4020 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4972 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3616 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3384692488241522570,4843357444779585584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4972 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Deep Rock Galactic - How to Unlock Limited Items After Events.7z"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=533E5C588530A8DF6FD92C61D1D1ADE4 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0C36D9AF2C1EDE2E259EC89265DF19E0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0C36D9AF2C1EDE2E259EC89265DF19E0 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DD1F781C46F554019A3D08B92E2BB069 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06DDA09F6E3F72EEB70114C5184E6DC7 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE32BCE164E690829AAE43CB9E1E8647 --mojo-platform-channel-handle=2512 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Deep Rock Galactic - How to Unlock Limited Items After Events\" -ad -an -ai#7zMap12153:182:7zEvent263381⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Deep Rock Galactic - How to Unlock Limited Items After Events\Version.txt1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Deep Rock Galactic - How to Unlock Limited Items After Events\Hex Values.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RestartFind.aif"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD58af282b10fd825dc83d827c1d8d23b53
SHA117c08d9ad0fb1537c7e6cb125ec0acbc72f2b355
SHA2561c0012c9785c3283556ac33a70f77a1bc6914d79218a5c4903b1c174aaa558ca
SHA512cb6811df9597796302d33c5c138b576651a1e1f660717dd79602db669692c18844b87c68f2126d5f56ff584eee3c8710206265465583de9ec9da42a6ed2477f8
-
Filesize
1.8MB
MD50009bd5e13766d11a23289734b383cbe
SHA1913784502be52ce33078d75b97a1c1396414cf44
SHA2563691adcefc6da67eedd02a1b1fc7a21894afd83ecf1b6216d303ed55a5f8d129
SHA512d92cd55fcef5b15975c741f645f9c3cc53ae7cd5dffd5d5745adecf098b9957e8ed379e50f3d0855d54598e950b2dbf79094da70d94dfd7fc40bda7163a09b2b
-
Filesize
691KB
MD5ef0279a7884b9dd13a8a2b6e6f105419
SHA1755af3328261b37426bc495c6c64bba0c18870b2
SHA2560cee5cb3da5dc517d2283d0d5dae69e9be68f1d8d64eca65c81daef9b0b8c69b
SHA5129376a91b8fb3f03d5a777461b1644049eccac4d77b44334d3fe292debed16b4d40601ebe9accb29b386f37eb3ccc2415b92e5cc1735bcce600618734112d6d0e
-
Filesize
152B
MD59b008261dda31857d68792b46af6dd6d
SHA1e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA2569ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA51278853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10
-
Filesize
152B
MD50446fcdd21b016db1f468971fb82a488
SHA1726b91562bb75f80981f381e3c69d7d832c87c9d
SHA25662c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA5121df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31
-
Filesize
2KB
MD5c31f93f0062ec89ab9019ac3fe108334
SHA15587825d6e66d975f9936c155667ccb382484ca2
SHA2566952c48b8ea1484ef46efb2b82099d3d0524b5ae03b432899ebc8318fd1790fd
SHA512fd5a2e76c50b62569bd9cb4f944e919390ee834da730243dda44608f5861048ccfe8a9184756e2e04aa14393a02803da96b9aedc691189daef2b3facc02fb95b
-
Filesize
408B
MD531cc54e6eb286dc4fd788a846b1d1120
SHA1a1d2028e8e4a1470ec972bf8fef68c9345833996
SHA2564d421db27992270d2547bbcf81c4d6f718390f86cbdf179ffd1dc7d935195b9c
SHA512e8136a63a22be9b592539bec5edf40b0dee4ecfbcce2552dfbe49f59a5d333c86dbc4238e28104f124cb3a7f6b6321b219416130aa65c166177a7221234b0035
-
Filesize
3KB
MD58a7b2c8383f3edddc1b32f4a77cc81a5
SHA15ba6bbff8f0ebf5796248139e0124a563a42367d
SHA256c906325ea8e49ef0b244155b5b6831ecdc748f6dc715381ef6aa921f2007f517
SHA5124c9ce638f34bc6bb67ba09ac7326cb2cd248dc2855fa123008f46aafb2a3b0d8ed8b99bdaabb72ce89a103a48e3cd1dcac6251113aec27fffd32e6d2eae3afd5
-
Filesize
4KB
MD51ae8a447c21d3db08c73e8574870dd44
SHA18307628f5f5cdf3f6949e2ee8af21b6ed0190228
SHA2564874e4d69f9a693b99ab04a621f933b3600ec7897e3427547c86ae635e086efc
SHA512feb20aa962082a7d7a477fc0f72208f0bf47f984f9fd12db3c93121453a4e71067958354a4eb6d6bee5d117f93919b9c1c7d88037b90d56c69bb9081e5540e1f
-
Filesize
6KB
MD511eb9cee96df3b6aa313a7fefc53b6c1
SHA14d359138b8dbb42f4eef8d51d35ea68602954377
SHA25665821677649d23c14aca8eae5a05beb92d249157e747410f041763b43cb55580
SHA512809ecb54bef8d61d3ff4a699dbb0a01c44b258b45d1268031bcca165b07bb4e10993e1438556de07e17ecd45dfdcd42c24f6d7847346ff839d4f4395a43e07b5
-
Filesize
6KB
MD58f22c1acbf2e32b7986efa652a42fa9c
SHA143cdc08facbdc58b00caa810904854af96706f05
SHA256e8a19534889f414b3a6b5cfa12f06437b0b915d08e03c20cc2d22735ba5a3e11
SHA512913580fb0d713b1a3fdfeb75931089747b1161009278b9c09a5ce908f6448abab952d66ad5ee831a914a9a36b11bc6db5ab9cc58993866a63933632f927328bf
-
Filesize
7KB
MD599774bead7ccacbce0786c533a29b130
SHA1f44dc2ad49805b795eb2a5f17618f06048b3ac5a
SHA256fd242dd71317d0ba8cc64e2c0ec4572a316b462ebce54b2409341ec6a14fce5e
SHA512142c35df8d5d6869d5e862a1169b4918069e3132ab4e7134898a83014d2b966408a23fa77d0f9ff8a9568eeae79519edc13b88478ace8c1e1390415b0a770847
-
Filesize
8KB
MD5cd953842077f3cf26946cd4386040e70
SHA1377f9e764d9cc17db68654abc342c052698af8c1
SHA256f830504061c2b56309f31e6ecad2a6adc87bef4dba1796732ff2c6532d5a7652
SHA512beaeadae2e1640e9268bee19b2535dc36e7136c08dcc9d759e8c6bb754033c70f433ebf3d4756a3b695f764b9815384ce23224d7ed92bc2077011c122f464646
-
Filesize
7KB
MD5cc7cbdb162930249e8da3716c3fbd41e
SHA17f72657177256262b7a83a3f4a5d43f555c45cb1
SHA256fb4b01bda787908dac3bf41f60039225cc668724102a59b3318c34010db12b44
SHA512d3e5a680cd3f4aff98806ac1ae6a725416ed0606d090ffcdc92f921277759e1eb7de34f56adca6c291178a2104e1e7d038ce1834960eca8de00eecbb555abda0
-
Filesize
1KB
MD53ede984488bc29a84c4ddad9c0221d4b
SHA1811f4dafacb39f635a0498051d80f3b553d6b535
SHA2567f45f2f0f7845c7dc578de088ff267654e2089ebf34a17911a6c04b7d0975822
SHA512fccf6d7ac74ffaed2f399a29dae6f78cebf0f99f9573cf250f1b77c47efa5516074822f5e944ea6d017d0df1a7ed2176722f1a49a59b2adf8e651ff41b8e5acb
-
Filesize
1KB
MD5a885408b020bc257588302c8982d517f
SHA1dedd3d1ee5737a3bc8b4d5c4dcb21207bd9ee584
SHA2560f72bfcfc119de100514c3521bd19a1bb06e61a89a5a9dff65bd718d989f4e02
SHA512525d2ff4cfcf8d4e93f3f83f3f4f6a7753a07077814857577d8c5d12cb36c26c787fe917a6a930857cd08102d75a743aed8c975ed3565b0a8aa6800313a08272
-
Filesize
1KB
MD58b84ec7eea6da70fb17f10f261e705fd
SHA14157daf2abf47895d5c3853cf76903a8c6d29467
SHA25606940abd1da1835f0ce7f7e5c1a7586ba743a8bb6fad5e7b62c2d7ba51189e42
SHA512f4758d30ce3651b5481b474763c1379451b005990731413a8a900905685651784ffef09cf53248f89ec86849df12a13cbca38b2df66ab769653d9ec37c33e1b0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5195d99b1ea9cde439b5b6dd0f8ed75bd
SHA1caa8a3db880a84f1f5b7aac656b1f78f5bfccfed
SHA2566bafb6dc5eb5bdb115baaa816def0194bf484278cc8c92cc9b196a946c600c79
SHA5126f635e74ee0ef515f348e45043edfa5ca5ee1601dc4b82ba6ba2338076ff9161eb60f7e789654b7e4e7c84a95fd1b63ae78151d19ee72ab10e0f9916246ccbad
-
Filesize
11KB
MD58025de94f86158a737d8056c0a0f2fb6
SHA1de4a179b2413c1ee15d42e9714c9e712ff011c0c
SHA25658b3b8c065bdcdb9bddf34ce51c5c0aeb53de2d5e2b01cbca6a1ffe803c5af2d
SHA5127a45fa5b9183203898c23ab50ae0d7589ba36eaab484505d357b74dd5d1dedde0c9df608854d01423dac6b7b797fff1954f02a2bc5695566b69437640f907d60
-
Filesize
11KB
MD5d4b06c1866df20946cfc84a3497315de
SHA167292eb89bc4a702504e6c3c3212dda5eb9d2e57
SHA2561f715b883c6f277779e188ae926757d565ba079ef72c017dcd478003061999c1
SHA512d80180ecd7176143c5385ef21701a1aa2e655bc7fa763a6791141efba870a07a3046c0080b04a6ad0ade01bfeda0b55d48cf81c0fed51ed6270c5e4e05560301
-
Filesize
264KB
MD537506907c4db37ae06bbe9eddcbedd45
SHA1a46e8bc5f411b6bf3dff35010bff429cfdff93bf
SHA25638105ff192d48bc4aeec5f895693c84830f161d7ca88911633d7e7acf2089b29
SHA51220e7b54c96cf6003938acff2c12c6fbb105d379e0f97a170c054c4bd0461222c8b1f56cd10c36a3e5365fd1b8ec3ff4f2e59086d2481db3cae8c4faf1f108fa2
-
Filesize
11KB
MD556e3ce5462e10e06602f7f357953a727
SHA1680ee007945c1831d700a7de33e6f4e053091028
SHA2561952f3c54f15aeb88beba15a3f575068e43fb6e104dfa064983367a383754853
SHA51265fcf29f5bf53dfafe20a5b675a9f9c57f98a6e2643981e7c47e231811721638251bd07b6af396b8fd175bb594affe9249715bf58bc34a37cdc2e6d9adfcb2d9
-
Filesize
4KB
MD5e293c8b58b491970908c77b8f4c89b1f
SHA190428f06c8c129120cfd88213ac34213a0f15a2c
SHA256fa45d33ca9c7977402c593d50e654a6490ad1ab9b7347b9aad34eff15c62c934
SHA512371ace53ce3ee3c7904ed651863985c87844be1c319fc2f9f6c6e37bb4599a67e237fa64319da31711647a6187e27a5e10579dbd3047c87e2f8d5b82f058c93e
-
Filesize
2KB
MD5e531ddc7e77a1a3cc18fb36227ed644b
SHA14045ac161763d6c6aae3111ba712834943110f6c
SHA2565b2f0cb69011094abd5f06eb1f002db662106a8db90f25a387a90546f47b3f7d
SHA51229f92b7ffbefa457a2a09ca55b626195bb2537393067fb2e494bb589bc32070e958ece1f93bbe63157210b4ed43433363955fb9bcdacb62b368a49c71fc3d0fc
-
Filesize
2KB
MD55dfda17044470bbaf77363693de60048
SHA18599e3456041e14db7ee90db56b60db9236e0606
SHA256a1f4d3826f53e73dd7d61e760d70cf4ccb75883d753fa4bc25598b44df801650
SHA5122861a5868974f22861606434c259fa5175bea6d0ac1fbad66fbfa25a499ebc6555664fdd4f452d03209b08326573ee9aeeb4e20d7d785828be7abb51a99c53b9
-
Filesize
3KB
MD54c5c3f442c6ed4d0c7ff50f8cddfc0b3
SHA136a6419abbaa24475d6a8875e1e1a0ca761f72ad
SHA256866b4abe365e081a41ef9b7404002084eff2aeb3c820bb1d5b2be0eb2287d663
SHA512dac30347b4341313c9a4af8f478869d2eced4e015890f158e315d2b892af0fb212584e6729c7c2635e8fc27300a59e7967008ed9e0db6b9ed8e5cc874c2ea2ae
-
Filesize
1.8MB
MD5e7fc5451de8c6ea5fbb7a258da647494
SHA1896df872a29dbd176be7081f20464512c911ff10
SHA256be708acda830331c6082abb35c16d23d3f12096db4fda74b430faeae3b80c486
SHA5126817c7a7d2bba86b126f29fd1d0d439c04d93f580a31e014aa2019c61e0d3c3b039a328a8d67b9773560f812981cf67d4307cc9dcf1543bea707e963e1ed5c25
-
Filesize
77B
MD5758a73e9d1d05aa58fb1d879b4551f93
SHA11917c0f044e1b8262231ef08385a7fefa41a8a43
SHA25657583998fc4d34a99592d44581e8e72ccecc9e6130b50b02354b65b45e462e4f
SHA5129da36a1d92bc7c9ca2ea75908a7807f699b8b0401dbcced588126c7f909dbf73d379ba5e67d5d3372445c49074d8160e5f5f7756b6d3004b87d69a3d1a006b9a
-
Filesize
1.5MB
MD5f1320bd826092e99fcec85cc96a29791
SHA1c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed
SHA256ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba
SHA512c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a
-
Filesize
1.8MB
MD5f38f2e608116e6cbc63ede3f84d05a99
SHA1f7921ef489d7bf349cf0dfa3352ff96b80b4a0a1
SHA256c842aaac653fac43dd116271c1da022f7a7dde2239274e12eff2a9754f3a4d98
SHA51242e883b4f1789d0bacdbf34712b492a74bc46153bcce591f5279e25b2cbb5e0ebdabcf110263df7d08a6fca0db1b238dc95ec2e3f297e31cc9d79ff9cb13f7d5
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
208KB
-
Filesize
992KB
-
Filesize
2.7MB
-
Filesize
16.7MB