7167f8dde8c75ec4ce17d67363d6b746cc2337b7b0ddfd649b975479d6bfb894

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29/09/2024, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

patch.xp3
Size

28.9MB
MD5

86cd9cc083018ca45c79ac489e6c1184
SHA1

afcc81bb5d1035941f03318abdf705ba906bb561
SHA256

7167f8dde8c75ec4ce17d67363d6b746cc2337b7b0ddfd649b975479d6bfb894
SHA512

c3ca7577da1fb4a054576bb9330fbfe5b4c765d2cace186597480803f9a4f2d58a364bee8d0794ad2690f90ef39b5028e10e629ccfa8349531c40d8a28d28f5d
SSDEEP

786432:w17uFLmCeV8NAP8aYhIK7cDdgzyxbcwQAastZ9j3ykjLmMnjo:4yQCRSPD8IkchgOxIs/3yUvjo

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133720683032769185"	chrome.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\瑴i	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\xp3_auto_file\shell\Read	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\xp3_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\.xp3\ = "xp3_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\.xp3	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\xp3_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\⪣ǳ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\⪣ǳ\ = "xp3_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\瑴i\ = "xp3_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\xp3_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\xp3_auto_file\shell\Read\command	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2080	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
2080	OpenWith.exe
4048	AcroRd32.exe
4048	AcroRd32.exe
4048	AcroRd32.exe
4048	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4048	2080	OpenWith.exe	81
PID 2080 wrote to memory of 4048	2080	OpenWith.exe	81
PID 2080 wrote to memory of 4048	2080	OpenWith.exe	81
PID 4048 wrote to memory of 1184	4048	AcroRd32.exe	85
PID 4048 wrote to memory of 1184	4048	AcroRd32.exe	85
PID 4048 wrote to memory of 1184	4048	AcroRd32.exe	85
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 3040	1184	RdrCEF.exe	86
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87
PID 1184 wrote to memory of 2416	1184	RdrCEF.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\patch.xp3
1⤵
- Modifies registry class
PID:2012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patch.xp3"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D4D36207A21A01B0DD6451FB4A672BC3 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3040
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A75C09EFF2FE466166D8DC2B75798F4E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A75C09EFF2FE466166D8DC2B75798F4E --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2416
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E8A131D396298FDFF6117216FC9C5E22 --mojo-platform-channel-handle=2352 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4488
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B15E395560AB5EB4D910893D8BF2D3C --mojo-platform-channel-handle=1880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:784
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FE25DAB389AD9A6D7FC96D59622C2386 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8f56cc40,0x7fff8f56cc4c,0x7fff8f56cc58
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1724,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5060,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5068,i,5098900563462076475,2202072270727641140,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4308 /prefetch:1
  2⤵
  PID:1536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1dc33cc6-050b-4551-be53-3214ea9f2035.tmp

Filesize
9KB

MD5
54e3c3b3b99a570545f7bdecb79c97d4

SHA1
534cfa8ad8b2f4c7af3ad081dd06850b1e780b7a

SHA256
aa03ff77bfe21093da5af187b4a0f86cba766ce5410c0939e20705157f663f61

SHA512
6fc8cd14c8a6febafc01938b1dabe861fcd9fa4cbd099cf42b7f301b610dfd1e71830e02ccb123a64a8c1e73efc564ead7ee1e1a91fba2067d0795adfc1de341

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1ec02fe49a36bd79abffe24a198b7b1f

SHA1
b9550388064859e4e559ae9d1fb5cf12a3b38acc

SHA256
e8d1fcb690fa7e2891c978e994f525fb51bfe310e201e1a3efd69bad6a7f642c

SHA512
8f5cb7eab23ee2342ced6d42883de70af9c39644f2613061da1f8195ad239be542a64cede2a6b472ed706226ef8a72a2ace3fd9952f151b7c1feb7f5278691ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
6771ab6b555b9ce25210315f5b774a8d

SHA1
027265bd0cef8fd74f1acfbb5372c7b15bb88bd4

SHA256
bae8a24c5bba8819a70b896322bbe91b8904abe4c305a85d87fd794c29537dd3

SHA512
9e1bce83a34d49dbf9f9f19790c166f5475542291e149706ed20a6b68eb721cd372581a59fd92a36aeb48e6477dbed4646c58b4e5b0b4b195eb87c0d6e343351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
66bf671e5b90fab85c2c6ad03c3bc693

SHA1
43736369f6aa0927b5d7a32e164118160bf2def9

SHA256
bfcacaba500e1d636b2e1e771012c851179d05de3b5dbdae72126971f935b7c5

SHA512
0fd48fbac382d2cc50e65a479c01fefa1503309d662b9ddd5dbc6afe726a69666f8541c4636445767fe89292b86e5195f93393088050a3c30aaa747cc9e93bba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
39192e3c47491cbddb9126b4710114ba

SHA1
913ee25efbcf31aca2df6d44b292c388c4781b0c

SHA256
01aa6d5fb9d8f17cf2af6c814c5b399ddcdb671b802a59267194e9915d31ca15

SHA512
c5c8ffc53ebc02e9585f18b3dbae0bfa7ec6fc08b6e6d0daf7b5250067800cf8c8090f14312dec92f6e3f3917b3f5b2e277af56b0d44e0da71ecf5f6c59e5773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bb44d31b03b67d744d0978efd2562321

SHA1
6a188351bc8b5703a4281278e2891fcb4c601612

SHA256
9b64cc39b994a57990efe241742102b08b5d9485f399175cda4f28b5b60532bd

SHA512
1d3f9e7bd92d7f32a7420d3c9f7f89ff50e23df102e9aefb239025adfbb3edb36b3b913f00a1992ef9ccc78190cfd90882a118f6eba5d07b0a19addee0291f42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
3d7d12a6a47f4dbb539eeb4b01b8aac7

SHA1
1a7abe81a959a6b741c2206c96e08d4b0917d97f

SHA256
77dc3562822e5c4d36953d28c8f846a8e8a6d6ab74b1587ad4adebd554fcc8fe

SHA512
2e74ed161e356aff06f005506cca500773d1f5dacb5ada58a0a51e61df1d886375b2f704f254f3cb9ff25124a88430ccaac66c1511af6dbee35489e1f0b320b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
35c8d30d50177b30680613538bfb6f65

SHA1
4aa03bcb1ac93e915ccaffb2017a6e6620a50538

SHA256
48cbf3611f7099f232c10ee992e8208bd4b0916da623ea5673620db700be399f

SHA512
81750ca7a9ceb47b8760ea9046c8e3f8b9b39563b52185daba29c2daa7cfe83550eeef45c37d39fbc84b967c2d910da78579759cb963959b86bbf3ec2c55c849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6ac5c4ac3248a848481ab3f6f9f42bc5

SHA1
ff0b11bfbd28ee0171e3800fb7276c50ed452abc

SHA256
907b612c297a91e3ef5f056c66ad68c44bcb5fe9f26f4b05d3ffe1c6757aaade

SHA512
25cb2eb160e2d0bfd18a036bd25dac122acf991acd0e3fcb92d6819d29efd4cce4a1e5a8efa345ba25f044a62643e24629ef0ee03ba51f0d2c21c0c353057a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e07ee4f7c93f43832562126f017e5c41

SHA1
a5c69eeabbeea307fd0513f5dc4fba47ee650b08

SHA256
d373117ecf0594a2b335d40c7ac0a8b478e45198d0a6f3ec4deed026e493d82f

SHA512
09c77a6333b697ba208f27d08c2a86e09b70709034471d2faf000386798e2e087509e649c9ee60f229ef869e71792e39116a6c589598d3ba34ca37f96d44e24c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0aeaf5e37df5c48bab4bbd9929364aa6

SHA1
cab3134ef495bdf3f53fd5531993efabe8ff7245

SHA256
c4afc7e762e0fd25a42d888afcce196dd6b8f6feaa3fcc94fb652a9d564e483e

SHA512
338565a24ba8d8214eb3b6e53c23fe12907694ebf5580d09c20413f8847a846f322fe535ef3f1c4ab35fadb293d0ccfff70ab84c3332d40744a3d96154f1cea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a35bb0679b74cb7cce6283ebb7a25a6

SHA1
97354e3321d2b9875319500edfabef2b7243a584

SHA256
0f641e2fac0b48204d1e8e3f659efb348e3a536827e186d5289e6d8d54d6c140

SHA512
82c54a63a5653710cb0972da169ea887becae52803856f99695765844fd7403999cd6e906b787fd104e5067c876c4d719794d0c88c1e3663ed38d53f627b4c54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3283996a723ca9add1d6432b4adafa94

SHA1
56275168f248630cd13aad34684adfdf97b8b026

SHA256
43d825bf34f815e0ce011861deb3b951dfa8c437ef23deaad5272923c8dbe8fc

SHA512
6cf743042bfd10f5b74655ca3167bbda8fdd51150b7645420fac9064593185b5d48b4a48e55ce7f3e043a6edfcf4ffae0ca579d2f61e05736315841dcc85d373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
78d32a9d951b300d96b5f1eec6c51e83

SHA1
41b7d0114972f3c3ff526d720e6a22974ff9ab2d

SHA256
916d0fadb2406faea0721aafb6384cf559b1a66316d7d788ff00dc2f849aa083

SHA512
559e8b59a74c2dbac3dc6ca688ae9956758004f54a4dbbf5b1a04a6493c657de7553694e4e2e25b15e7e5990e9b00931c13a71cab3e1c1dedc1e39b623a99d28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
1cea1f906017b399859aca7c2362d3d2

SHA1
7b981545818919d8969b280f9d4b66fdffabba78

SHA256
8d55e8f72ebd538ef84a27ca6091c08104035aeeb76e6c92d83271a476ade7b3

SHA512
350787345d0c89737667ac7d07f25c30274ce9d8f0a6efedb09ec2046b2725a473303fd09b74d6788a3362063e9e3df2fa7cdda2def69470d8df1b2b6bcf9df7

Download Submit