109e28e1841956878110d3eec893a910c898eff0e7e1491518ee249a2dcf0d52

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Deadly Beta (password 2121).rar
Size

4.1MB
MD5

fd43928e9192b49c74be9e3228831088
SHA1

a4f310330abf5988eef1e69e1c7280df5bcee923
SHA256

3e0faf2368d158b927fe8ddf8cc45c18465fd663545652dcf11812db0e039429
SHA512

33d181f02812d7179c1e0bdd995bb0ee38bb3b008a908cac91dd18356b025c051f19bb72fb41803d06135cf6fe92b6f1b8af0c934a06601aed9d930ab990f963
SSDEEP

98304:f3eCSqzMGzAv3DraKk9rszstKgoGz0jDtVJRb98FPD:fukyvi99rszst7l8tVJRc

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RdrCEF.exeRdrCEF.exeRdrCEF.exeAcroRd32.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133691379910569641"	chrome.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AcroRd32.exechrome.exe

pid	Process
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
2636	chrome.exe
2636	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid	Process
3612	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

AcroRd32.exechrome.exe

pid	Process
1668	AcroRd32.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe

Suspicious use of SetWindowsHookEx 63 IoCs

Processes:

OpenWith.exeAcroRd32.exe

pid	Process
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
3612	OpenWith.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exeAcroRd32.exeRdrCEF.exe

description	pid	Process	procid_target
PID 3612 wrote to memory of 1668	3612	OpenWith.exe	102
PID 3612 wrote to memory of 1668	3612	OpenWith.exe	102
PID 3612 wrote to memory of 1668	3612	OpenWith.exe	102
PID 1668 wrote to memory of 2600	1668	AcroRd32.exe	104
PID 1668 wrote to memory of 2600	1668	AcroRd32.exe	104
PID 1668 wrote to memory of 2600	1668	AcroRd32.exe	104
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 1440	2600	RdrCEF.exe	105
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106
PID 2600 wrote to memory of 3032	2600	RdrCEF.exe	106

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Deadly Beta (password 2121).rar"
1⤵
- Modifies registry class
PID:4900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Deadly Beta (password 2121).rar"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=751DFD8DE19B78BA1B334F9A3C4409E6 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1440
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=509304DCE7D7D9DC6A8C459E46CD024B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=509304DCE7D7D9DC6A8C459E46CD024B --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3032
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BDB84F9A4EA3275EA71E1A5E2E5201DB --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4580
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D240B946B97924F0D097C32B4B8BBDB6 --mojo-platform-channel-handle=1840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:540
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FBA668B08D3C84383FC094E62D827937 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4176
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CE3C095B2D13515631FF4FAA8875A85C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CE3C095B2D13515631FF4FAA8875A85C --renderer-client-id=8 --mojo-platform-channel-handle=2132 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcd314cc40,0x7ffcd314cc4c,0x7ffcd314cc58
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4164,i,3766288537634638642,4382798223500584074,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
24ec5cce1434ef6958c1f90ce6885e7e

SHA1
3a50ae2da3ec62a6278c2a2d4368e97dd33dae59

SHA256
76420a7ef92a817d5a17771ae0c41a03d8b613ba2af84f7030bd5d39f58e9d3b

SHA512
876bea88d324c1d970b6d91a2d6cf156acb02e76f5a43505987938c3c12e64e35aba1efd6ee7439160a373f014cb3e7f2f6966d11f2776f8cc04602ef6226250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\715aa366-739c-49ea-aaa6-89cadfb80cbb.tmp

Filesize
197KB

MD5
8fd94b8da54181be6dfd98b25f19e7dc

SHA1
0e481336c29a2dfc2e76f7c0df35e5584cfc99ad

SHA256
143be78ecc925c0c91030769a8f6187cfc6ac7207bc5917abd0fc991fdd26411

SHA512
8c08296212d8cd25fb1f7aa082ffe8b9ae1d66fdc6bc56fb0cb06ce701c47470f9bb00ba12d023815b875debb752401faf7ebf39ea8e785211c9723c761f7708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
59327cc4f7b8ccd39746b821ec641e06

SHA1
8799d434e879c15c453d67158f7a027ac349501c

SHA256
935bcf0e00431694525129bbd9e55ef3e06972d55161ef69491d89b622476cb7

SHA512
3b38314b25b80ca45e44c38743970596c9ef17b0d53797e2e4c4f174b3148f19af7d367b8c4aed464738249cc218ed4944d370899bf86422ea599781e69e64b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
93ae9f4fed851c7dab3d7500d4ac5d53

SHA1
a9d6ac2a00be0f95d3ae79258de7250b33c8df8e

SHA256
8d417221d8d20280f22404fb287a056e0062b2d651759974c1baa8baf425da9b

SHA512
5ab643ff56f538507a6c127dcd6f2488c05bb31ad08a8144ce36e6ac75244fccebd8dd7ef79a8644a829d9995e40e4ab3ba7150a4cb3af3f4b5f51b4772a1d67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
aa760beac88623c52814b151c6127eb7

SHA1
3554502e068877429f1d97d5c37bedb57e581282

SHA256
3d0bd0513ba46524737a4d97ea29d344ef5e255e3a4902648f0985fc44c4fcb6

SHA512
e51a02dabbfa14b3b66aa8f33858057fcd2c5427c0e6059ca24e75ccd7fb7d1981611529e906f41bd572963b780d0b8f3d44049029db5f091d5c46aaeeda61ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3d5f6e2e03a3c2589662f90337028b1

SHA1
2c369a1202a7927ead0c31d64288ad182477f9b7

SHA256
4c04928352f1ec22e89d1ae6facb60203401d05b2dbdf0c98e32250220bf5b7c

SHA512
5548fb67c76466f2af0d006f161a9ae11c36f4564959b93d948f3596c6d2b4d957496bef944b80e284459e83ae5608b4488e6266fc8fdbc1c03716e79440ea0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff5b8777791a6860e427f202cfc57f36

SHA1
de8c0602f3de415ad275619f8132e78e5763f022

SHA256
b284b1397d35702dead863754482fb58c6ed9f27e448b7e4ec9e2f6fa1d274f1

SHA512
b393c97642383be53fa4d8e31558297527723e8ed9e9448028b441f180a9f55fdd6aac17e826dc637639f04fdc053f28c0873a70b3fdcb4b4beea67f3db136e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
232bbb8f6f028d474c7a12f765bdac7e

SHA1
e3a20567c383426cf62191b98320c8def9545123

SHA256
3bdaaca2b35c586f7ab1bb080ca7f0088c625982389072058df98fb450177897

SHA512
aef5fbf3bb8f06fb6a4ac9f7f6f6eaceac59cfb545c6ed38651539f8b839f0197e2a9f815342475cb2191e70ee9de505119ecb2ecab9535ae8c58893e56b811c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
739b29faf776c0f62e1ae17364d96261

SHA1
ce24018fdf67ccddd79fa81bbc77e7f5bf681881

SHA256
f954b4ee42583835257a0cd2c0a9aa4e3d63c4a434d2071293bb8344a2e34092

SHA512
deab657955c8d5e5f0a0235aaba5c4972fe6e8bfddf91209c7307a4afb0cade71e15df606cd17d82852342350763bc4c798dfc17c908ccda3963b83cb00b6371

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
8aac8324fcaa090aafa5a934ea684ec0

SHA1
b62948f08919e40a0ba2435a9731e4938358e918

SHA256
17838b2fced196de3879c042565b5dff142ca16650f20a9cc19a7bb68488bf00

SHA512
d5d18b23ddb3e9a250fd3ad77a20028d5a4db7979a9f1c152dfa4699424db60af742b1104dc360580475e73e4fed30b0dcb02c5f93af3b167396b5441ca1c1c2

Download Submit
\??\pipe\crashpad_2636_TDFXGXMCXYYWIIOL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit