Malware analysis http://d338t84acdk7gn.cloudfront.net/0pzx7$mkrwz70/Baixaki_Adobe%20Acrobat%20Reader%20DC.exe Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

URL:	http://d338t84acdk7gn.cloudfront.net/0pzx7$mkrwz70/Baixaki_Adobe%20Acrobat%20Reader%20DC.exe
Full analysis:	https://app.any.run/tasks/09bf9103-86c8-431f-b136-0a4f4ac00ded
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	November 16, 2019, 16:16:03
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader adware pup installcore
Indicators:
MD5:	7920E23F0445EA2A3F95D3A58AE54563
SHA1:	23BED38216EEDFB361F65B7D3A8E988EFC5DB522
SHA256:	EA6E032CB4AEB645D9F114E6A460A87BE773E190789C6F7E403B93A5EE406C02
SSDEEP:	3:N1KaWWTdiGwyJ1+l/0k+MdEOM6kBKFFv1RyCEwBLN:CaRRqyfnWEOMPBKzyCEgJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 2088)
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 3204)
  - avastfreeantivirussetuponline.m.exe (PID: 3088)
  - avast_free_antivirus_setup_online.exe (PID: 2868)
  - instup.exe (PID: 2028)
  - Baixaki_Adobe Acrobat Reader DC.exe (PID: 2572)
  - instup.exe (PID: 856)
  - sbr.exe (PID: 2160)
- Downloads executable files from the Internet
  - chrome.exe (PID: 2092)
  - avastfreeantivirussetuponline.m.exe (PID: 3088)
- Connects to CnC server
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 3204)
- INSTALLCORE was detected
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 3204)
- Loads dropped or rewritten executable
  - instup.exe (PID: 2028)
  - instup.exe (PID: 856)
- Changes settings of System certificates
  - Baixaki_Adobe Acrobat Reader DC.exe (PID: 2572)
  - instup.exe (PID: 856)
- Changes the autorun value in the registry
  - instup.exe (PID: 856)
SUSPICIOUS
- Executable content was dropped or overwritten
  - chrome.exe (PID: 2128)
  - chrome.exe (PID: 2092)
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 3204)
  - avastfreeantivirussetuponline.m.exe (PID: 3088)
  - avast_free_antivirus_setup_online.exe (PID: 2868)
  - instup.exe (PID: 2028)
  - instup.exe (PID: 856)
- Cleans NTFS data-stream (Zone Identifier)
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 2088)
- Application launched itself
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 2088)
- Reads the date of Windows installation
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 3204)
- Reads Environment values
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 3204)
- Reads internet explorer settings
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 3204)
  - Baixaki_Adobe Acrobat Reader DC.exe (PID: 2572)
- Creates files in the user directory
  - Baixaki_Adobe Acrobat Reader DC_1711732469.exe (PID: 3204)
- Low-level read access rights to disk partition
  - avastfreeantivirussetuponline.m.exe (PID: 3088)
  - avast_free_antivirus_setup_online.exe (PID: 2868)
  - instup.exe (PID: 2028)
  - instup.exe (PID: 856)
- Creates files in the Windows directory
  - avast_free_antivirus_setup_online.exe (PID: 2868)
  - avastfreeantivirussetuponline.m.exe (PID: 3088)
  - instup.exe (PID: 2028)
  - instup.exe (PID: 856)
- Creates files in the program directory
  - avast_free_antivirus_setup_online.exe (PID: 2868)
  - instup.exe (PID: 2028)
- Creates or modifies windows services
  - instup.exe (PID: 2028)
  - instup.exe (PID: 856)
- Removes files from Windows directory
  - instup.exe (PID: 2028)
  - instup.exe (PID: 856)
- Starts itself from another location
  - instup.exe (PID: 2028)
- Adds / modifies Windows certificates
  - Baixaki_Adobe Acrobat Reader DC.exe (PID: 2572)
  - instup.exe (PID: 856)
- Starts Internet Explorer
  - Baixaki_Adobe Acrobat Reader DC.exe (PID: 2572)
INFO
- Application launched itself
  - chrome.exe (PID: 2128)
  - iexplore.exe (PID: 4000)
- Reads the hosts file
  - chrome.exe (PID: 2092)
  - chrome.exe (PID: 2128)
  - instup.exe (PID: 2028)
  - instup.exe (PID: 856)
- Reads Internet Cache Settings
  - chrome.exe (PID: 2128)
  - iexplore.exe (PID: 3900)
- Reads settings of System Certificates
  - instup.exe (PID: 2028)
  - chrome.exe (PID: 2092)
- Reads internet explorer settings
  - iexplore.exe (PID: 3900)
- Dropped object may contain Bitcoin addresses
  - instup.exe (PID: 856)
- Creates files in the user directory
  - iexplore.exe (PID: 3900)
- Changes internet zones settings
  - iexplore.exe (PID: 4000)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2128

"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://d338t84acdk7gn.cloudfront.net/0pzx7$mkrwz70/Baixaki_Adobe%20Acrobat%20Reader%20DC.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

3736

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ed2a9d0,0x6ed2a9e0,0x6ed2a9ec

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

1416

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2504 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

2252

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,4198997608123166998,9124215211456340905,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=3491870220119411935 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

2092

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,4198997608123166998,9124215211456340905,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=15198493775065351262 --mojo-platform-channel-handle=1640 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

2800

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,4198997608123166998,9124215211456340905,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3190828341919639682 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

2608

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,4198997608123166998,9124215211456340905,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16727880228429471357 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

2772

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,4198997608123166998,9124215211456340905,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16688627134936131349 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

2088

"C:\Users\admin\Downloads\Baixaki_Adobe Acrobat Reader DC_1711732469.exe"

C:\Users\admin\Downloads\Baixaki_Adobe Acrobat Reader DC_1711732469.exe

—

chrome.exe

User:

admin

Company:

Wizard installer

Integrity Level:

MEDIUM

Description:

Internet Setup

Exit code:

Version:

3.3.4.3

Modules

Images
c:\users\admin\downloads\baixaki_adobe acrobat reader dc_1711732469.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3204

"C:\Users\admin\Downloads\Baixaki_Adobe Acrobat Reader DC_1711732469.exe" /RSF /ppn:YHhybg0dXAt1eGqREw /ads:1 /mnl

C:\Users\admin\Downloads\Baixaki_Adobe Acrobat Reader DC_1711732469.exe

Baixaki_Adobe Acrobat Reader DC_1711732469.exe

User:

admin

Company:

Wizard installer

Integrity Level:

HIGH

Description:

Internet Setup

Exit code:

Version:

3.3.4.3

Modules

Images
c:\users\admin\downloads\baixaki_adobe acrobat reader dc_1711732469.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Add for printing

Total events

6 297

Read events

2 739

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

179

Text files

246

Unknown types

Dropped files

PID	Process	Filename		Type
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\8ec9aaab-52ef-4d2f-add2-a8b96999ec61.tmp		—
		MD5:—	SHA256:—
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp		—
		MD5:—	SHA256:—
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old		text
		MD5:A519780ED0A2F4336DB4F5651D79C369	SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF39a8cd.TMP		text
		MD5:DC32343F45B01764B6267AD36548102A	SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old		text
		MD5:C4D6CBB269C626168A5D6D0D8CCE6C30	SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old		—
		MD5:—	SHA256:—
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF39a8cd.TMP		text
		MD5:213AE3DA120D7862D60B5763B6C9D466	SHA256:5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old		text
		MD5:0ACECCA4CF9ADE756DA7CC9DCDF02D50	SHA256:18F910775132B4FEE014EA0FAB836D857F367E76232FAB4AE6A86A92E4C3EBEE
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1		—
		MD5:—	SHA256:—
2128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\MANIFEST-000001		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

196

DNS requests

165

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2092	chrome.exe	GET	200	52.222.149.11:80	http://d338t84acdk7gn.cloudfront.net/0pzx7$mkrwz70/Baixaki_Adobe%20Acrobat%20Reader%20DC.exe	US	executable	1.62 Mb	whitelisted
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	POST	200	52.210.197.124:80	http://server.garefnetu.com/	IE	—	—	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	GET	200	199.201.110.78:80	http://remote.garefnetu.com/img/Tavasat/15Feb17/v2/EN.png	US	image	43.9 Kb	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	GET	200	199.201.110.78:80	http://remote.garefnetu.com/img/Sibarasawi/bg_comp.png	US	image	25.2 Kb	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	HEAD	200	185.59.222.148:80	http://dev.garefnetu.com/ofr/Solululadul/icut_v2_2	NL	—	—	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	HEAD	200	185.59.222.148:80	http://dev.garefnetu.com/ofr/Niniwic/YL/Niniwic_yl_10Apr16	NL	—	—	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	HEAD	200	199.201.110.78:80	http://remote.garefnetu.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16	US	image	43.9 Kb	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	GET	200	199.201.110.78:80	http://remote.garefnetu.com/img/Jimomoromoj/Jimomoromoj_logo.png	US	image	2.10 Kb	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	POST	200	52.210.197.124:80	http://server.garefnetu.com/	IE	—	—	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	GET	200	199.201.110.78:80	http://remote.garefnetu.com/img/Sibarasawi/logo_comp.png	US	image	12.4 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2092	chrome.exe	172.217.23.163:443	clientservices.googleapis.com	Google Inc.	US	whitelisted
2092	chrome.exe	172.217.22.45:443	accounts.google.com	Google Inc.	US	whitelisted
2092	chrome.exe	172.217.16.196:443	www.google.com	Google Inc.	US	whitelisted
2092	chrome.exe	52.222.149.11:80	d338t84acdk7gn.cloudfront.net	Amazon.com, Inc.	US	whitelisted
2092	chrome.exe	172.217.21.238:443	sb-ssl.google.com	Google Inc.	US	whitelisted
2092	chrome.exe	216.58.207.35:443	ssl.gstatic.com	Google Inc.	US	whitelisted
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	199.201.110.78:80	remote.garefnetu.com	Namecheap, Inc.	US	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	52.210.197.124:80	server.garefnetu.com	Amazon.com, Inc.	IE	malicious
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	151.80.204.60:443	img.ibxk.com.br	OVH SAS	FR	unknown
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	54.246.196.116:80	host.garefnetu.com	Amazon.com, Inc.	IE	malicious

DNS requests

Domain	IP	Reputation
d338t84acdk7gn.cloudfront.net	52.222.149.11 52.222.149.121 52.222.149.108 52.222.149.130	whitelisted
clientservices.googleapis.com	172.217.23.163	whitelisted
accounts.google.com	172.217.22.45	shared
sb-ssl.google.com	172.217.21.238	whitelisted
www.google.com	172.217.16.196	whitelisted
ssl.gstatic.com	216.58.207.35	whitelisted
server.garefnetu.com	52.210.197.124 52.51.217.55	malicious
host.garefnetu.com	54.246.196.116 52.19.168.111 52.16.29.135	malicious
ww1.garefnetu.com	52.51.129.59 52.50.98.206 52.212.215.62	malicious
img.ibxk.com.br	151.80.204.60	suspicious

Threats

PID	Process	Class	Message
2092	chrome.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2092	chrome.exe	Misc activity	ET INFO EXE - Served Attached HTTP
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	Misc activity	ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	Misc activity	ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	Misc activity	ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
3204	Baixaki_Adobe Acrobat Reader DC_1711732469.exe	Misc activity	ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3088	avastfreeantivirussetuponline.m.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

http://d338t84acdk7gn.cloudfront.net/0pzx7$mkrwz70/Baixaki_Adobe%20Acrobat%20Reader%20DC.exe

7920E23F0445EA2A3F95D3A58AE54563

23BED38216EEDFB361F65B7D3A8E988EFC5DB522

EA6E032CB4AEB645D9F114E6A460A87BE773E190789C6F7E403B93A5EE406C02

3:N1KaWWTdiGwyJ1+l/0k+MdEOM6kBKFFv1RyCEwBLN:CaRRqyfnWEOMPBKzyCEgJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Downloads executable files from the Internet

Connects to CnC server

INSTALLCORE was detected

Loads dropped or rewritten executable

Changes settings of System certificates

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Cleans NTFS data-stream (Zone Identifier)

Application launched itself

Reads the date of Windows installation

Reads Environment values

Reads internet explorer settings

Creates files in the user directory

Low-level read access rights to disk partition

Creates files in the Windows directory

Creates files in the program directory

Creates or modifies windows services

Removes files from Windows directory

Starts itself from another location

Adds / modifies Windows certificates

Starts Internet Explorer

INFO

Application launched itself

Reads the hosts file

Reads Internet Cache Settings

Reads settings of System Certificates

Reads internet explorer settings

Dropped object may contain Bitcoin addresses

Creates files in the user directory

Changes internet zones settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats