Analysis
- max time kernel: 294s
- max time network: 263s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250217-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250217-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 05/03/2025, 00:15
Static task: static1

Behavioral task: behavioral1
  Sample: B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
  Resource: win10v2004-20250217-en

Behavioral task: behavioral2
  Sample: B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
  Resource: win7-20240903-en

Behavioral task: behavioral3
  Sample: B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
  Resource: win10v2004-20250217-en

Behavioral task: behavioral4
  Sample: B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
  Resource: win10ltsc2021-20250217-en

Behavioral task: behavioral5
  Sample: B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
  Resource: win11-20250217-en
General
- Target: B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
- Size: 8.9MB
- MD5: e1438c21e6de91615a6a5e2a48f274fc
- SHA1: b6f6c74f86a145460f03ac3a0520d3345fc7fcc1
- SHA256: 9cbaec7eb2c14ecdc39095c2deae0c20cb42e9f28466307c44f5848de49a58ef
- SHA512: 9be5f304259a2bbc488cde3a9a5cf09b2019a14e32538d79e88e3d1785bce5a3dcfca6702d235d5ec87b4bdf043f3c6a41762ccc2ba6fed8ee63366c0f2e0879
- SSDEEP: 196608:9n520ZroZkRsj6N+gdC1fcmwz/MIpqPuJS8ErZ/0jCi:9n52eSFjG+aAfcRo4Kz8W0j
Malware Config
Extracted: danabot
- embedded_hash: 5059953BB045843A520147F73664DC78
- type: loader
Signatures
- Danabot family
- Blocklisted process makes network request (5 IoCs)
  flow  pid   Process
  22    4672  rundll32.exe
  23    4672  rundll32.exe
  36    4672  rundll32.exe
  38    4672  rundll32.exe
  41    4672  rundll32.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\D:  msiexec.exe  ×2
  File opened (read-only)  \??\N:  msiexec.exe  ×2
  File opened (read-only)  \??\A:  msiexec.exe  ×2
  File opened (read-only)  \??\G:  msiexec.exe  ×2
  File opened (read-only)  \??\V:  msiexec.exe  ×2
  File opened (read-only)  \??\Y:  msiexec.exe  ×2
  File opened (read-only)  \??\Z:  msiexec.exe  ×2
  File opened (read-only)  \??\B:  msiexec.exe  ×2
  File opened (read-only)  \??\K:  msiexec.exe  ×2
  File opened (read-only)  \??\Q:  msiexec.exe  ×2
  File opened (read-only)  \??\I:  msiexec.exe  ×2
  File opened (read-only)  \??\W:  msiexec.exe  ×2
  File opened (read-only)  \??\X:  msiexec.exe  ×2
  File opened (read-only)  \??\H:  msiexec.exe  ×2
  File opened (read-only)  \??\J:  msiexec.exe  ×2
  File opened (read-only)  \??\R:  msiexec.exe  ×2
  File opened (read-only)  \??\S:  msiexec.exe  ×2
  File opened (read-only)  \??\O:  msiexec.exe  ×2
  File opened (read-only)  \??\P:  msiexec.exe  ×2
  File opened (read-only)  \??\L:  msiexec.exe  ×2
  File opened (read-only)  \??\M:  msiexec.exe  ×2
  File opened (read-only)  \??\T:  msiexec.exe  ×2
  File opened (read-only)  \??\U:  msiexec.exe  ×2
- Drops file in Windows directory (14 IoCs)
  description                   ioc                                                                   Process
  File opened for modification  C:\Windows\Installer\MSI9A1D.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9C51.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9C91.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                 msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                        msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{27B611CD-7B17-41F6-B60D-D59C81B6D3AC}  msiexec.exe
  File opened for modification  C:\Windows\Installer\e5799bf.msi                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9BD3.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9D8C.tmp                                      msiexec.exe
  File created                  C:\Windows\Installer\e5799c3.msi                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA703.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA704.tmp                                      msiexec.exe
  File created                  C:\Windows\Installer\e5799bf.msi                                      msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log              msiexec.exe
- Executes dropped EXE (2 IoCs)
  pid  Process
  664  MSIA703.tmp
  556  MSIA704.tmp
- Loads dropped DLL (6 IoCs)
  pid   Process
  4740  MsiExec.exe   ×4
  4672  rundll32.exe  ×2
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid   Process
  4044  msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RdrCEF.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RdrCEF.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSIA704.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RdrCEF.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RdrCEF.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RdrCEF.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSIA703.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AcroRd32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RdrCEF.exe
- Checks processor information in registry (2 TTPs, 22 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description           ioc                                                                               Process
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz             rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier  rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet       rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  AcroRd32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             AcroRd32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier       rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier       rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                    rundll32.exe
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                    rundll32.exe
- Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid   Process
  3200  msiexec.exe   ×2
  4844  AcroRd32.exe  ×20
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeShutdownPrivilege           4044  msiexec.exe  ×2
  Token: SeIncreaseQuotaPrivilege      4044  msiexec.exe  ×2
  Token: SeSecurityPrivilege           3200  msiexec.exe
  Token: SeCreateTokenPrivilege        4044  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4044  msiexec.exe
  Token: SeLockMemoryPrivilege         4044  msiexec.exe
  Token: SeMachineAccountPrivilege     4044  msiexec.exe
  Token: SeTcbPrivilege                4044  msiexec.exe
  Token: SeSecurityPrivilege           4044  msiexec.exe
  Token: SeTakeOwnershipPrivilege      4044  msiexec.exe
  Token: SeLoadDriverPrivilege         4044  msiexec.exe
  Token: SeSystemProfilePrivilege      4044  msiexec.exe
  Token: SeSystemtimePrivilege         4044  msiexec.exe
  Token: SeProfSingleProcessPrivilege  4044  msiexec.exe
  Token: SeIncBasePriorityPrivilege    4044  msiexec.exe
  Token: SeCreatePagefilePrivilege     4044  msiexec.exe
  Token: SeCreatePermanentPrivilege    4044  msiexec.exe
  Token: SeBackupPrivilege             4044  msiexec.exe
  Token: SeRestorePrivilege            4044  msiexec.exe
  Token: SeDebugPrivilege              4044  msiexec.exe
  Token: SeAuditPrivilege              4044  msiexec.exe
  Token: SeSystemEnvironmentPrivilege  4044  msiexec.exe
  Token: SeChangeNotifyPrivilege       4044  msiexec.exe
  Token: SeRemoteShutdownPrivilege     4044  msiexec.exe
  Token: SeUndockPrivilege             4044  msiexec.exe
  Token: SeSyncAgentPrivilege          4044  msiexec.exe
  Token: SeEnableDelegationPrivilege   4044  msiexec.exe
  Token: SeManageVolumePrivilege       4044  msiexec.exe
  Token: SeImpersonatePrivilege        4044  msiexec.exe
  Token: SeCreateGlobalPrivilege       4044  msiexec.exe
  Token: SeRestorePrivilege            3200  msiexec.exe  ×16
  Token: SeTakeOwnershipPrivilege      3200  msiexec.exe  ×16
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4044  msiexec.exe  ×2
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  4844  AcroRd32.exe  ×5
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process       procid_target
  PID 3200 wrote to memory of 4740  3200  msiexec.exe   82  ×3
  PID 3200 wrote to memory of 664   3200  msiexec.exe   86  ×3
  PID 3200 wrote to memory of 556   3200  msiexec.exe   87  ×3
  PID 3248 wrote to memory of 4672  3248  rundll32.exe  92  ×3
  PID 4844 wrote to memory of 3416  4844  AcroRd32.exe  94  ×3
  PID 3416 wrote to memory of 4448  3416  RdrCEF.exe    95  ×43
  PID 3416 wrote to memory of 2128  3416  RdrCEF.exe    96  ×6
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
  PID: 4044
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3200
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 33A50D7D93BCA70248A84C05C472F8AD
      PID: 4740
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\Installer\MSIA703.tmp
      Command line: "C:\Windows\Installer\MSIA703.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\reportsummary.pdf"
      PID: 664
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Windows\Installer\MSIA704.tmp
      Command line: "C:\Windows\Installer\MSIA704.tmp" /DontWait /HideWindow /dir "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\" C:\Windows\System32\rundll32.exe "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
      PID: 556
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\reportsummary.pdf"
  PID: 4844
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      PID: 3416
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B2AFE1B368F3476A91CEF004082FCC59 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B2AFE1B368F3476A91CEF004082FCC59 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
          PID: 4448
          - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7C68EFDB2B0A824DCEC49A7A7CF4B06 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 2128
          - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=717A2FCB2219565723C7E197130BD8DB --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 4568
          - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FD0FC71E48E706AC675EDB02248A247F --mojo-platform-channel-handle=2024 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 2300
          - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4864B2D3C0935BE15EEF9E4304752D89 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 1256
          - System Location Discovery: System Language Discovery

C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
  PID: 3248
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
      PID: 4672
      - Blocklisted process makes network request
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1284
Network
MITRE ATT&CK Enterprise v15
Downloads