hxxps://ono-pharma[.]box[.]com/shared/static/p0pktw6egsapwa3fb85j7nugmqw6g4h9[.]pdf

Analysis

max time kernel
67s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 11:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://ono-pharma.box.com/shared/static/p0pktw6egsapwa3fb85j7nugmqw6g4h9.pdf

Score

6^/10

discovery

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676749520040287"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4028	AcroRd32.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 3972	4644	chrome.exe	83
PID 4644 wrote to memory of 3972	4644	chrome.exe	83
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 4812	4644	chrome.exe	84
PID 4644 wrote to memory of 3980	4644	chrome.exe	85
PID 4644 wrote to memory of 3980	4644	chrome.exe	85
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86
PID 4644 wrote to memory of 1732	4644	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ono-pharma.box.com/shared/static/p0pktw6egsapwa3fb85j7nugmqw6g4h9.pdf
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff974b4cc40,0x7ff974b4cc4c,0x7ff974b4cc58
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1732,i,13412622973025949819,5611385865390473494,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,13412622973025949819,5611385865390473494,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,13412622973025949819,5611385865390473494,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,13412622973025949819,5611385865390473494,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,13412622973025949819,5611385865390473494,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3876,i,13412622973025949819,5611385865390473494,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3828,i,13412622973025949819,5611385865390473494,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:888

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\注文書_小野薬品工業_M24_08_04.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4028
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1740
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=857211C6DA6290F7EC17BF918BADB476 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6F7226EBD7161CD4113FB8FA33DA80FB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6F7226EBD7161CD4113FB8FA33DA80FB --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:452
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=834F92B2BAEAB882C2038A2645B1C6B2 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4B56BA45D9833E69F439533F94A82442 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5A0D8B568302D7FCA0F3B4232A7EDC16 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5A0D8B568302D7FCA0F3B4232A7EDC16 --renderer-client-id=6 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC9A89AFBB1A89C1D4526FA0A035B2B3 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a941b962d228c3a758c9073b0913f96f

SHA1
9bf87ae4f5ddeb41c4a2c0da63e8ae80b59bf2e4

SHA256
06875498ce3725961e5e3c84471ec864d277eb1b3bc13ae9b176365ba0c5b0aa

SHA512
ae52ee356885be99c99aa4aa33a47ded1036386b5575e2801f22cb1db90b8636802c5386d2b00de3eedd6527912e87abe99735fd6f44df26d17ff7e5ded3fef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
abfb66988cf0c56dda6e5574869760a5

SHA1
4e7e74729d6ab5445ba8ddc1c9155fb6fca8683f

SHA256
3ac3b17acaf2a730e4a6b29e61b8f0bd7eab581555a68fad391f4e2fcc7c969f

SHA512
fc7f5bbdfb3a2b5238af587c1319f6453f076d98b27cf933e6df6df1103dc568ee70845897f87cb542682f6bc67678ec462b1cfea89aa834ebde06b759b5ce46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
478cbe9959dbeed66be35bac368a32ba

SHA1
ac832b8aa2f3cc12199851b4d6f662f2a5280654

SHA256
ea3aa600ad1ce5480b7a7866f5590b72fa60c286f36bdf67ab77837c34bb9f11

SHA512
118354fb7aae97ff1a5b9688bfea173fba024f38a82f774301b9420dfab5f6daa938340d0b1dbc9a4b9712f688994aa80107137ecec30ac066cb30901855b6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
883469878e4ed4a8e49fc0d4551f0591

SHA1
c9a9e5bb515f23cde9ad25b9550d38b3780b221a

SHA256
82211059ecbcd527fc88d92cc64e476f568e518511bbd512dfae86b373b05b38

SHA512
051ea17cbe14f2afab1ba67a60fe9e47548f650c0b72f93ddd3441686d901d77144fb83b86686b831e44d953e9f86f53b4181f1ca150df172bc915e2b8aaeaa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c42da9cfb9a05f3bfd31e6eb3dde194

SHA1
44922f6cc8e43151eeb11d3db666f9be65b1027a

SHA256
2afb0a935739bd0d77a181942c25335e54318d975f2d56388523790d94bd8f49

SHA512
79f74fb7946eadba470fd6a547736f6759d3b1057430265cadeace94dc361dbcadb647d70a4e55248e35384adf27f70c2b580b7d3cd48ca845a264951aa6b313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f206f2ce3c4e2b69701837e119227d95

SHA1
41f1dd45a8cb81485f2f443a522539e5ce9f6c1d

SHA256
948deae3996a3d0483a66b226d1b0e56e7edd3e20e54f5f45eaeaf613c64aafc

SHA512
8e414f95856dee3e47c64e277cadc80f3c7625e431832396a3d0da29c5ca11fac529a47367e5347c62ff47cef214e1a55dccdcbcae554b7b2e0e94d0cf3692fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1fa4fb2d88e65749f3d3ffbcc8e3cc85

SHA1
6bb0d5310deabaa49bcd5f54e06de2ccb8342c8f

SHA256
37cfcb9335f004368161fdd23a451ad7851528ef6b7662f107a3890ff6f191c7

SHA512
e67b02b4e284b8f541a46e5fec453506743832d67edb92ecb74b4c85e9350b80d2fd37e49af477edf6cc92c74dc59e0e15c8de0f5645b83ff33720a2c6486782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5c795c37518ed318471d1c9931fe3a8d

SHA1
a3dc406462f4af1e05269de7bbb08d8389203bd4

SHA256
e69d83e044bd0763b9241ecfd3249894347a3fe16a62c1f69e9fa0e7045508be

SHA512
81c2e65b7923efd907aa177611d41865a55892c295c1061b8f782276ba987369e2d04a692b84c4f7e4a9839db2ced148c4b63194f45acf573f374149cba0d7a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
05c92ce9843fcbc4d6dddee4836f3155

SHA1
53f4766ae13762713b0493bed8a943202f331f7d

SHA256
4e755bef5ddfaab138596c5c07fa71a3221ccfb7a6faf851428f5a96440c8a8b

SHA512
9aaa98092eeda5ce8be76443e245dd10051692b81d613ce07ff502539c5ddfb61109a71ca6e19c00f2639c601d5511e541bfc94cf8fb72f5abf298c459c4d394

Download Submit
C:\Users\Admin\Downloads\注文書_小野薬品工業_M24_08_04.pdf

Filesize
270KB

MD5
a04ab3d8cc0f15edbdecfb270a4711b8

SHA1
a1fdcb9cac24e63868049087e21cb63412866daf

SHA256
5e624761541b3ed20ba1dd1467bc8f77d7233a6c3a3440992426b9d9db591b97

SHA512
9d269fc09b9494739779ed7f87a05f6675ac56cc02fb0885ca090b180314bc537e715c1866fd3a05706ebe9d890d8043b321a63e8a08cfaf713f7945cf3cdaaa

Download Submit