danabot | 9cbaec7eb2c14ecdc39095c2deae0c20cb42e9f28466307c44f5848de49a58ef

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2025 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
Size

8.9MB
MD5

e1438c21e6de91615a6a5e2a48f274fc
SHA1

b6f6c74f86a145460f03ac3a0520d3345fc7fcc1
SHA256

9cbaec7eb2c14ecdc39095c2deae0c20cb42e9f28466307c44f5848de49a58ef
SHA512

9be5f304259a2bbc488cde3a9a5cf09b2019a14e32538d79e88e3d1785bce5a3dcfca6702d235d5ec87b4bdf043f3c6a41762ccc2ba6fed8ee63366c0f2e0879
SSDEEP

196608:9n520ZroZkRsj6N+gdC1fcmwz/MIpqPuJS8ErZ/0jCi:9n52eSFjG+aAfcRo4Kz8W0j

Score

10^/10

danabot banker discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
5059953BB045843A520147F73664DC78
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	1252	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58395b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI39B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B11.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{27B611CD-7B17-41F6-B60D-D59C81B6D3AC}	msiexec.exe
File created	C:\Windows\Installer\e58395f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43CF.tmp	msiexec.exe
File created	C:\Windows\Installer\e58395b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BBF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C9B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43D0.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3900	MSI43CF.tmp
5428	MSI43D0.tmp

Loads dropped DLL 6 IoCs

pid	Process
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
1252	rundll32.exe
1252	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4472	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI43D0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI43CF.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1172	msiexec.exe
1172	msiexec.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4472	msiexec.exe
Token: SeSecurityPrivilege	1172	msiexec.exe
Token: SeCreateTokenPrivilege	4472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4472	msiexec.exe
Token: SeLockMemoryPrivilege	4472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4472	msiexec.exe
Token: SeMachineAccountPrivilege	4472	msiexec.exe
Token: SeTcbPrivilege	4472	msiexec.exe
Token: SeSecurityPrivilege	4472	msiexec.exe
Token: SeTakeOwnershipPrivilege	4472	msiexec.exe
Token: SeLoadDriverPrivilege	4472	msiexec.exe
Token: SeSystemProfilePrivilege	4472	msiexec.exe
Token: SeSystemtimePrivilege	4472	msiexec.exe
Token: SeProfSingleProcessPrivilege	4472	msiexec.exe
Token: SeIncBasePriorityPrivilege	4472	msiexec.exe
Token: SeCreatePagefilePrivilege	4472	msiexec.exe
Token: SeCreatePermanentPrivilege	4472	msiexec.exe
Token: SeBackupPrivilege	4472	msiexec.exe
Token: SeRestorePrivilege	4472	msiexec.exe
Token: SeShutdownPrivilege	4472	msiexec.exe
Token: SeDebugPrivilege	4472	msiexec.exe
Token: SeAuditPrivilege	4472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4472	msiexec.exe
Token: SeChangeNotifyPrivilege	4472	msiexec.exe
Token: SeRemoteShutdownPrivilege	4472	msiexec.exe
Token: SeUndockPrivilege	4472	msiexec.exe
Token: SeSyncAgentPrivilege	4472	msiexec.exe
Token: SeEnableDelegationPrivilege	4472	msiexec.exe
Token: SeManageVolumePrivilege	4472	msiexec.exe
Token: SeImpersonatePrivilege	4472	msiexec.exe
Token: SeCreateGlobalPrivilege	4472	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4472	msiexec.exe
4472	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 4540	1172	msiexec.exe	87
PID 1172 wrote to memory of 4540	1172	msiexec.exe	87
PID 1172 wrote to memory of 4540	1172	msiexec.exe	87
PID 1172 wrote to memory of 3900	1172	msiexec.exe	89
PID 1172 wrote to memory of 3900	1172	msiexec.exe	89
PID 1172 wrote to memory of 3900	1172	msiexec.exe	89
PID 1172 wrote to memory of 5428	1172	msiexec.exe	90
PID 1172 wrote to memory of 5428	1172	msiexec.exe	90
PID 1172 wrote to memory of 5428	1172	msiexec.exe	90
PID 4484 wrote to memory of 1252	4484	rundll32.exe	93
PID 4484 wrote to memory of 1252	4484	rundll32.exe	93
PID 4484 wrote to memory of 1252	4484	rundll32.exe	93
PID 4564 wrote to memory of 5236	4564	AcroRd32.exe	94
PID 4564 wrote to memory of 5236	4564	AcroRd32.exe	94
PID 4564 wrote to memory of 5236	4564	AcroRd32.exe	94
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 5616	5236	RdrCEF.exe	95
PID 5236 wrote to memory of 836	5236	RdrCEF.exe	96
PID 5236 wrote to memory of 836	5236	RdrCEF.exe	96
PID 5236 wrote to memory of 836	5236	RdrCEF.exe	96
PID 5236 wrote to memory of 836	5236	RdrCEF.exe	96
PID 5236 wrote to memory of 836	5236	RdrCEF.exe	96
PID 5236 wrote to memory of 836	5236	RdrCEF.exe	96
PID 5236 wrote to memory of 836	5236	RdrCEF.exe	96
PID 5236 wrote to memory of 836	5236	RdrCEF.exe	96

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 487355791660DE2B115D24C4BE5EA83E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4540
- C:\Windows\Installer\MSI43CF.tmp
  "C:\Windows\Installer\MSI43CF.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\reportsummary.pdf"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3900
- C:\Windows\Installer\MSI43D0.tmp
  "C:\Windows\Installer\MSI43D0.tmp" /DontWait /HideWindow /dir "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\" C:\Windows\System32\rundll32.exe "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5428

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
1⤵
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1252

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\reportsummary.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5236
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=79567E994AE15C83E9E19111BFA80411 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5616
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C5DCDEC8F4A9E775CECB6E346B80705F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C5DCDEC8F4A9E775CECB6E346B80705F --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:836
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CC25C62CC48AAF99EBFAC1930CB94E78 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5768
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C91CCE5684D16E57DD47506A9BE0D132 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EFC514E75872E2A69BFA105E5ADCF8AB --mojo-platform-channel-handle=1832 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58395e.rbs

Filesize
897KB

MD5
cefd2d827f5f85ce48fde63e63a599da

SHA1
8ae4cfb28a3f1d501ca2de57aec081181c5ee989

SHA256
7410ec100388a6151e06571574e4046691b5d53d7f6a61bc883b015853fac0cb

SHA512
acb8e9f428f4429c933e34000025b676d5c129c2237a7c136f2eabc457c06eb5843d2d39d4a84d6dc7fc034fd7c023ecaf7878c49121f3d1e100e7051777e293

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a157d2a719f3f60016bbb66d0483951f

SHA1
d3a1dd74200ae3dbc9c4e7ac2f1778469cf23bfb

SHA256
7007f6a1c291edb0dc61f0f7eef0a188917a9805ac56825bbdb4312a5d56b874

SHA512
e22fa733a0ed04ecca8011850d5f053e848a2ff0790678316107f1b38e3574592e64e6aa41c273094a0f56e2f368f478953a5c2fd4c119cc6501b3c7587cd28d

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\Launcher\TypeFasterPortable.ini

Filesize
93B

MD5
f9186b93e2ae8b298b2e6297c052e62b

SHA1
de07e38fb4d6e104ce47895f4116691bacd56e17

SHA256
091e3fc55b8bc2ebf9ca278b34c355fc005b209e9370efdcbd87028cb5b1c1a4

SHA512
d40383cf7b3fbc29087ba9a4277c7efc271aa86de8300a9085ce1bed011f420f3d362f6c2d0b221143555c6c26eeb6ae999314f2925415d22a396ca7a2eabaa1

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\appinfo.ini

Filesize
272B

MD5
6a3660855c3132922543ce4cdf552999

SHA1
5025a8eb877abb57452fbb1217b7659e6778adaf

SHA256
e2ce1ac183d74e4d233fc2117a44f2aeb2dd4c7ef4f12d4797a76cc98007f505

SHA512
a2232e4dde8deb2b32890114f3da05e0acf21490fec2846ce050c03f0314e32bae1ef72e145d112509fc90986d437f3df0f1cae0f776ff6002242dd46d7da216

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\pac_installer_log.ini

Filesize
445B

MD5
f3d5358bb9a46ce148356d3d2dc7c195

SHA1
03165cbc0ece84440bffddc3fb109d4a655afe45

SHA256
0293f1e990b5a95c75360c9cc2ec197be2373d7d9de012a5e380ee6c4bbc5f6e

SHA512
c6172c146d74a0bdfb95ed4fe1f00cdfea487e46e4d07e100475389468d1740184829fe3d056898888c56aa154084cf0bf6c41f5014e49fd6c7987f01221c015

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll

Filesize
7.7MB

MD5
043dae1b817ae561da9d6654b6354696

SHA1
a9f62f9ca8faa6023c4ef755d3b1f5aed2914516

SHA256
9de78011f776d2f3c963c6c3f77bc7af98ac51b4dbd11350850a8416bf767c36

SHA512
b7b44df89e93de8f31a35a22ed7b2d292cbad83ef564281af8e50aedade2f3ed4560b1e2ee9d91a5f1b270c407eafbef0f983895f8ed6651428ec5fe7389198e

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\reportsummary.pdf

Filesize
19B

MD5
138994255ba043be1c37715fd931b1f3

SHA1
a39ed185ae5c91a59f9ae7bddce84cdcccb766cf

SHA256
6df84c79758b9f79709bd9292563dbda3fc7c726180ec6d394dd4e54b4427beb

SHA512
b26f7ea2c106852044b3a014ea91555a50ba43d4305a61c796926718da78d7dce335e9bb9613f0275ede4c961cc49f9a38e4bd59cc1504ba28457b364e3ee0cc

Download Submit
C:\Windows\Installer\MSI39B8.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI43D0.tmp

Filesize
418KB

MD5
dd31c60eedf38fe4704ac9293614afee

SHA1
48b7ad49bfcba2906834324548e731729ead34bc

SHA256
6e8b9a6e7497d88421fa446ec1c2312fcf61d7f340364c61bd02b0bb4684b94f

SHA512
66f4642b3c0a92c2fc8e7cc7d0a61e7132d5193b90b7d4b2554a4a7bfff0fd990b47157d1f2af05ed177dc7dc920984f56b81e114e17de389d20fa5e51fa19e9

Download Submit
C:\Windows\Installer\e58395b.msi

Filesize
8.9MB

MD5
e1438c21e6de91615a6a5e2a48f274fc

SHA1
b6f6c74f86a145460f03ac3a0520d3345fc7fcc1

SHA256
9cbaec7eb2c14ecdc39095c2deae0c20cb42e9f28466307c44f5848de49a58ef

SHA512
9be5f304259a2bbc488cde3a9a5cf09b2019a14e32538d79e88e3d1785bce5a3dcfca6702d235d5ec87b4bdf043f3c6a41762ccc2ba6fed8ee63366c0f2e0879

Download Submit
memory/1252-591-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-588-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-573-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-590-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-571-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1252-589-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-594-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-592-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-586-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-572-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-587-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-584-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-585-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-593-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-595-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-619-0x0000000001FC0000-0x000000000278C000-memory.dmp

Filesize
7.8MB

Download
memory/1252-570-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download
memory/1252-552-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/1252-539-0x0000000001FC0000-0x000000000278C000-memory.dmp

Filesize
7.8MB

Download
memory/1252-717-0x0000000002D40000-0x000000000388B000-memory.dmp

Filesize
11.3MB

Download