formbook | 153a195c32071b454f7c49384a5450aa24a6f1e99ef880716abbdaafe26f62eb

Analysis

max time kernel
74s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKM-P2400260589107399.exe
Size

1.0MB
MD5

005d8596d55e4c87271ca9bc09cc222e
SHA1

c61462e7f1b10b24f709e4806a12292914444d7b
SHA256

210b1ec06e035d191a8ea49baee96196a97ac906c1c4f4b03e2db5d50649b36f
SHA512

dc2116ba121610b6c9051650d3f223eb4e952f1f914652fc501c113110d4ceac34886691c7e325e1a35ea6f96197e4af9c1c33418c8c666b8b8d16b0756f284b
SSDEEP

12288:JLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QNJKRmvCWxBvamXu7waBtrZDiwVf2jsX:NfmMv6Ckr7Mny5QNJx8rZXusQabckT

Score

10^/10

formbook e62s discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

e62s

Decoy

ellinksa.shop

uckyspinph.xyz

owdark.net

arriage-therapy-72241.bond

w7ijko4rv4p97b.top

heirbuzzwords.buzz

aspart.shop

ctivemail5-kagoya-com.info

shacertification9.shop

zitcd65k3.buzz

llkosoi.info

ru8.info

rhgtrdjdjykyetrdjftd.buzz

yschoollist.kiwi

oftfolio.online

rograma-de-almacen-2.online

oudoarms.top

mwquas.xyz

orjagaucha.website

nlinechat-mh.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4388-3-0x0000000000650000-0x000000000067F000-memory.dmp	formbook
behavioral2/memory/4388-7-0x0000000000650000-0x000000000067F000-memory.dmp	formbook
behavioral2/memory/4388-11-0x0000000000650000-0x000000000067F000-memory.dmp	formbook
behavioral2/memory/3296-17-0x00000000006B0000-0x00000000006DF000-memory.dmp	formbook

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 4388	3576	SKM-P2400260589107399.exe	86
PID 4388 set thread context of 3516	4388	svchost.exe	56
PID 4388 set thread context of 3516	4388	svchost.exe	56
PID 3296 set thread context of 3516	3296	help.exe	56
PID 3296 set thread context of 1120	3296	help.exe	93
PID 3296 set thread context of 1040	3296	help.exe	103

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SKM-P2400260589107399.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1120	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5212	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4388	svchost.exe
4388	svchost.exe
4388	svchost.exe
4388	svchost.exe
4388	svchost.exe
4388	svchost.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
5104	chrome.exe
5104	chrome.exe
2140	msedge.exe
2140	msedge.exe
3136	msedge.exe
3136	msedge.exe
3296	help.exe
3296	help.exe
3296	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3516	Explorer.EXE

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
3576	SKM-P2400260589107399.exe
3576	SKM-P2400260589107399.exe
4388	svchost.exe
4388	svchost.exe
4388	svchost.exe
4388	svchost.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe
3296	help.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	svchost.exe
Token: SeDebugPrivilege	3296	help.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3516	Explorer.EXE
3516	Explorer.EXE
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
3516	Explorer.EXE
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1624	firefox.exe
2308	AcroRd32.exe
2308	AcroRd32.exe
2308	AcroRd32.exe
2308	AcroRd32.exe
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
5212	EXCEL.EXE
3516	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4388	3576	SKM-P2400260589107399.exe	86
PID 3576 wrote to memory of 4388	3576	SKM-P2400260589107399.exe	86
PID 3576 wrote to memory of 4388	3576	SKM-P2400260589107399.exe	86
PID 3576 wrote to memory of 4388	3576	SKM-P2400260589107399.exe	86
PID 3516 wrote to memory of 3296	3516	Explorer.EXE	87
PID 3516 wrote to memory of 3296	3516	Explorer.EXE	87
PID 3516 wrote to memory of 3296	3516	Explorer.EXE	87
PID 3296 wrote to memory of 3192	3296	help.exe	88
PID 3296 wrote to memory of 3192	3296	help.exe	88
PID 3296 wrote to memory of 3192	3296	help.exe	88
PID 3516 wrote to memory of 1120	3516	Explorer.EXE	93
PID 3516 wrote to memory of 1120	3516	Explorer.EXE	93
PID 3516 wrote to memory of 5104	3516	Explorer.EXE	100
PID 3516 wrote to memory of 5104	3516	Explorer.EXE	100
PID 5104 wrote to memory of 1040	5104	chrome.exe	103
PID 5104 wrote to memory of 1040	5104	chrome.exe	103
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1404	5104	chrome.exe	104
PID 5104 wrote to memory of 1888	5104	chrome.exe	105
PID 5104 wrote to memory of 1888	5104	chrome.exe	105
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106
PID 5104 wrote to memory of 1772	5104	chrome.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\SKM-P2400260589107399.exe
  "C:\Users\Admin\AppData\Local\Temp\SKM-P2400260589107399.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\SKM-P2400260589107399.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\passwords.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf4,0x128,0x7ffd415dcc40,0x7ffd415dcc4c,0x7ffd415dcc58
    3⤵
    PID:1040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,4955321391964617259,16455617098509359390,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
    3⤵
    PID:1404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,4955321391964617259,16455617098509359390,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    PID:1888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,4955321391964617259,16455617098509359390,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
    3⤵
    PID:1772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,4955321391964617259,16455617098509359390,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:3256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,4955321391964617259,16455617098509359390,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    PID:4876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4632,i,4955321391964617259,16455617098509359390,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,4955321391964617259,16455617098509359390,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
    3⤵
    PID:1656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,4955321391964617259,16455617098509359390,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    PID:2572
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1624
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de16e6f8-5325-4a22-9f88-938bc91eff0b} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" gpu
      4⤵
      PID:4820
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {074e0eb7-7b49-4929-b771-6d0490f00755} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" socket
      4⤵
      Checks processor information in registry
      PID:2660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3092 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a744fab-73d7-4827-b86a-aea668fbcbe6} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:5304
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3872 -childID 2 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {400a7321-6628-4f05-84c2-060685bce5a4} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:5664
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {537d2f16-8ca2-4278-8c92-ff46f8006d57} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" utility
      4⤵
      Checks processor information in registry
      PID:6180
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -childID 3 -isForBrowser -prefsHandle 5276 -prefMapHandle 5288 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce9c9b5b-b42c-4a7b-8b72-cb71f686eb0b} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:6956
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5504 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5695a3d6-b611-4228-9aa9-a029fcb44206} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:6968
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {109fe3b6-d586-40dc-b406-9e5b6a9cbda2} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:6980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0xf8,0x7ffd3d3046f8,0x7ffd3d304708,0x7ffd3d304718
    3⤵
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,12106189049323489655,2345054830556597877,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:2
    3⤵
    PID:3016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,12106189049323489655,2345054830556597877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,12106189049323489655,2345054830556597877,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    PID:812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,12106189049323489655,2345054830556597877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:5184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,12106189049323489655,2345054830556597877,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:5296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,12106189049323489655,2345054830556597877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
    3⤵
    PID:7112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,12106189049323489655,2345054830556597877,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    3⤵
    PID:5884
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2308
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6008
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=606F74E94C2156656FBA8C33B56B13B9 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2552
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F5573ABF7556187A91C8CC572D66E8CC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F5573ABF7556187A91C8CC572D66E8CC --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4728
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=95CB4D83407D168F96E034769F9511A7 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:6568
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=60C0FF7F1A9B3C2CA782B303F8C3CDDB --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:6604
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18B8CDCD4D44DB1BFD668F1A4A4C8264 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:7068
- C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5212

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
285598254c6d22657ea90adec3f6f552

SHA1
ef020a3ca7fc627b2a0b51bebf08551952d0fe48

SHA256
13a1096371196e33dcf1f6fd8384705cfb871b29cfb8d682376e4b6a8917a63c

SHA512
08e98af17388bcf4b1bada581f97d38c26334d281d14f1063276c5827c64eedeb78eb7023f892deaa4ba1d887fc1d7c5e4195bad93a984a28019a429724dcd3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
314c53681aabc2acdbff99425c085e21

SHA1
fa2a86c55810b0887f6df1db9f60bfa28a5ca4b6

SHA256
8c6bbed2b771d5a8b95e9a1be9d2a91b53384648aec0626f0482e61dd49092af

SHA512
96b568dacf26b80d47aaa3d1c25e0054a1c8df5d25da42e499dc4c0e30475ccd7f981dc285f8b126f34016458a7dc7fa0e746b2a0e35aa67b767d9a2642d8673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7732e2f92c6f98b331455797a7f47f8e

SHA1
fd51f429fd2fe6f8c11d8d3c395b09dde03e0ae0

SHA256
370f217da357e43c6acb7ef73ee91ed5c07556b86469ef44f2a09a63518c5ef3

SHA512
6ef3882fbfd2f368c59391cce814167381546bb6622c4758b6109b89bc10b4b40e0ec28442d5d4af872c2c7d6370f212d76c4e197f36344f1a37a2631d3e1c50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
093de0e952ff18ce9e2ccf88ee95d8e6

SHA1
eeaa8dbc524f187c988763279ac70c7fb7f98690

SHA256
9389fc99323a72aa788d8248065d84bf1491b4d663a9bcbde05c6dd3b88acd88

SHA512
d31fed1125807394011a53b3ea600411c4c4052ba4e897f493f0865fb0c30421139bce840e303411daf725a37a81106dd5e101be4e6098ed98e5053b645ef8e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\908a046e-f4f9-4e6d-9a05-baf5b638e6c6.tmp

Filesize
6KB

MD5
15124caf1acd2dbdef2fd9174cbf8bf9

SHA1
8fa133e8effc8f290fee2faa41b87d8fa91d2156

SHA256
f682dc78dad2f0aaa15754667496a78204e3c0d934c0657e23408f95c68d9dbf

SHA512
b64ef8f972789372f545e091b12c24447927c87d4a1daae173f0de4e2299d35ec52a7b61892a2812dce58d44ac005d2929c80aafb032c6fc6ee35cd833fa368f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dedcd07b57786cc7de10a97058b66f99

SHA1
f541ddf136091181657cc68a2abf42cc92695084

SHA256
8704e3d1bb7710a49e1e560db4fd362c8bdfaa9d4d1f3cd92f7052659ef717c3

SHA512
ba07aba4957e250b6de7afb77a8c9d5fe53ec41a728d62be8fabda0812776dbb07feb472f4fc5fba16986f70cc43b9357cdf9d08b4529f3bc0ee406614a8ce03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f42cd381c381e1502d49451b388dd783

SHA1
d63604a2f1639a51e1747b50888f6693c80a685e

SHA256
7d02a95e7e50eaf4467cac6b7edce160059126f570dd0f5be19642d5f1d4574e

SHA512
7af09a026f1fd49049d068f69cc5c9e7520af2ce4ce074ff31d7f9feecd5a3f33869416e054e523a89a9b137c704c063e9e4a5f72d69878cf07e2f44d64d2bec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
8ab19f32ec851bfd342cb7362705428d

SHA1
2cd4b3ec8da120b831966206ac38bfa76e6a3636

SHA256
69c093028261538827d06738d4ae638c9013c0f3cb06f370bac9948e7e8d9d17

SHA512
d5601a5e6f27e983695f72001317bbd2a8345254e9eb0d728e71e66580dd9e72f8670179a682ab46ad75599fc8984893c5817d8075074ac723f5cc60049380eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
276511537dbdffaaf51049fdf2ec417e

SHA1
8377f3fd89e31e197534bb24abc7c5ce1ef61e72

SHA256
92822edd91d523efd7b4d1bde0d8fc39ae07e4bec98871ea6c5d3746486be128

SHA512
091c4538bf7914122298b1e6d368d6ea7198373541fa8f371a50c9bb14cc83dd2eae502fba3c69f76ade51c89bac5c2e4ec4e7ccbecf8cc2ba85bd74c5c98eba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

Filesize
6KB

MD5
4a93f92c264eaad79f764aae70432011

SHA1
3e7e9318db78430418b65987bdfd16032caf9af2

SHA256
fcfe8eb937a6ae6a95b3afc72229e37f9eec36ad36a1973747f693f3698ba179

SHA512
bf227b5e83427b05221cc02f7b7c4f67c2ad84950630008c7c830a3736b0c8891c08768a8e86d9a9c76e58137773dd6598915875885dff6450f82d8c49dec959

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2039ce76923e775e423a68147cb1ebd8

SHA1
3afd65d075fd0c0427efb70ba9da341bfb9a06b7

SHA256
8873486a4b4f7d5250c0eed98f285f49c94a26f581cf3fa0cc2b25bc0603e71a

SHA512
79477952c8448d6dd38fb4dfdac03905fca9dcd529a6767905de3a196463608ea2b02145427d1e26f4d2e9c2784de8e381f74fdd76e8d6f3ae2df105fc5a3fb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e08a30d68c4d4eeee7fc64b04b0d82dc

SHA1
2ccff40aa6f1f72b95b8100f49f39b3a67e9ae2e

SHA256
65d63355a975a221a55230656c71f8cbab17b44323043381ec8b707d9b682d21

SHA512
561873389e196fd7d6386d00d7a9cbb6153e8077442c86dd2b36f5cf68239f59fd3ab2c576eaebdc715bfa9063fbbbf04fb33c065f13d89419b0c9cfad24457c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\04fe72f3-2abf-4bb5-8561-d1da5eb46b30

Filesize
29KB

MD5
04c92202ca91a50a82a64bef9cb918c2

SHA1
1bf9371084465bba1305d3421e987a036b652ad2

SHA256
3ec1cdcb67a9fbed026506ae313da73092f0c560ec2e33ed10f4f9890e894676

SHA512
2144bfcc2ed54c1cdbc51d537c97be4e5c40422a324ee04f4a0cf453de99b9715a0ce29abf7c74ad946ac4b95aa0a7b0268328cc5b70c68e87349a659de23b36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\6a1168bf-05ba-4639-979c-e2773e4d82d0

Filesize
982B

MD5
4810ae9fa4534d7b80ca3bd90d4d15b0

SHA1
9d52d21137384f18e1e12c2c2b954ad8a103a11c

SHA256
78555ccd598d260082686f35976f04a24ef2111400cacbad214d64b17861c21b

SHA512
f9732dc78830b22677466aec3688885026e87f658afcf7570b0237632d346d5394e515e9a50935fb31387d13dda1a241d9fdbc75314dae88cf186971d708dd29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\701c7e50-f4ce-476b-a5db-5b93c51f4959

Filesize
671B

MD5
fb686e384d5d864c8a280ee87f617b44

SHA1
5048a733c62e5d79b96c809a2bda3ca108e7c4e4

SHA256
9f0c41c3e8094258371edfc4acbfb111384c2bb733850317256b2f6ea981bc31

SHA512
d02abd7999ce6aef4cb15e07e7f1792355ec96b556507af60c7dfb6ade89983d652c9084a6ef131eca10b6db69f2b34d56864169c82b1fedc05f852c84ad2e18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

Filesize
11KB

MD5
a8097729a7f4fa5adbefd443b79ee410

SHA1
2ecf57a8d68763bcd1df237bfd40691f930ecbe7

SHA256
d2932f3fd4efaea9548cb8d762e8f395f033b0d10bb7f364341f95204f368bc0

SHA512
9b5395eab0e8f337ad9d5fc837af2947dd180e871a53d1d87caa137833908608c0e1ca6287cd4e880262c299c08055f3dc4be38cb191eee901f997ac9217f47c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

Filesize
11KB

MD5
a2949fa7679ff0a9220c1a3c7d104e9b

SHA1
d7487210017dba8b7ed530368b8822cc6ace9674

SHA256
d35ae947ab2a85cbbe459a9748d17924c0ec14069ecfff3755ad6a1198a51d78

SHA512
711703524c4ddd8b1c58fcc5c3ef42c5c4297eb713a27d6b1b4c5c70cd2285255129e002903f6975dc9591893db8da2156b76750a27e907a7b5f18410530ae85

Download Submit
memory/3296-17-0x00000000006B0000-0x00000000006DF000-memory.dmp

Filesize
188KB

Download
memory/3296-15-0x00000000007E0000-0x00000000007E7000-memory.dmp

Filesize
28KB

Download
memory/3296-16-0x00000000007E0000-0x00000000007E7000-memory.dmp

Filesize
28KB

Download
memory/3516-22-0x0000000008600000-0x0000000008708000-memory.dmp

Filesize
1.0MB

Download
memory/3516-21-0x0000000008600000-0x0000000008708000-memory.dmp

Filesize
1.0MB

Download
memory/3516-19-0x0000000008600000-0x0000000008708000-memory.dmp

Filesize
1.0MB

Download
memory/3516-18-0x0000000007F30000-0x00000000080BB000-memory.dmp

Filesize
1.5MB

Download
memory/3516-14-0x00000000079E0000-0x0000000007B22000-memory.dmp

Filesize
1.3MB

Download
memory/3516-9-0x00000000079E0000-0x0000000007B22000-memory.dmp

Filesize
1.3MB

Download
memory/3516-13-0x0000000007F30000-0x00000000080BB000-memory.dmp

Filesize
1.5MB

Download
memory/3576-2-0x0000000004000000-0x0000000004200000-memory.dmp

Filesize
2.0MB

Download
memory/4388-12-0x0000000002EF0000-0x0000000002F05000-memory.dmp

Filesize
84KB

Download
memory/4388-11-0x0000000000650000-0x000000000067F000-memory.dmp

Filesize
188KB

Download
memory/4388-8-0x0000000000D90000-0x0000000000DA5000-memory.dmp

Filesize
84KB

Download
memory/4388-7-0x0000000000650000-0x000000000067F000-memory.dmp

Filesize
188KB

Download
memory/4388-6-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/4388-3-0x0000000000650000-0x000000000067F000-memory.dmp

Filesize
188KB

Download
memory/5212-605-0x00007FFD1FC70000-0x00007FFD1FC80000-memory.dmp

Filesize
64KB

Download
memory/5212-604-0x00007FFD1FC70000-0x00007FFD1FC80000-memory.dmp

Filesize
64KB

Download
memory/5212-606-0x00007FFD1FC70000-0x00007FFD1FC80000-memory.dmp

Filesize
64KB

Download
memory/5212-607-0x00007FFD1FC70000-0x00007FFD1FC80000-memory.dmp

Filesize
64KB

Download
memory/5212-608-0x00007FFD1D390000-0x00007FFD1D3A0000-memory.dmp

Filesize
64KB

Download
memory/5212-629-0x00007FFD1D390000-0x00007FFD1D3A0000-memory.dmp

Filesize
64KB

Download
memory/5212-603-0x00007FFD1FC70000-0x00007FFD1FC80000-memory.dmp

Filesize
64KB

Download