mttaggart / wtfbins

WTF are these binaries doing?! A list of benign applications that mimic malicious behavior.
MIT License

[New WTFBin]: "reader_sl.exe" launches "I run" for no damn reason #7

59e5aaf4 closed 2 years ago

59e5aaf4 commented 2 years ago

Adobe Reader (in this example, reader_sl.exe from Adobe Reader 11, events are from 2020, maybe this stopped now)

Adobe Reader for no reason starts a subprocess using the command line "I run".

{
    "eventType": "start",
    "processPath": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\reader_sl.exe",
    "process": "reader_sl.exe",
    "parentProcessPath": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\reader_sl.exe",
    "parentProcess": "reader_sl.exe",
    "md5": "58b8702c20de211d1fcb248d2fdd71d1",
    "processCmdLine": "I run",
    "audit": "stateagentinspector",
    "type": "processEvent"
}

Haha there's none :')

It's really wtf.

HuskyHacks commented 2 years ago

KEKW. this is what WTFbins was made for

mttaggart commented 2 years ago

What da

Yeah this is perfect. Approved and will be added shortly!

mttaggart commented 2 years ago

Added in 23ad1ccefa88aed43346e098aa8e1ecc961e987b
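For detection tuning, an added example (not part of the original thread or the wtfbins project) of suppressing only the exact self-spawn reported above, so that a same-named binary elsewhere, a different build, or a different command line still reaches an analyst. It assumes events arrive as dicts with the field names shown in the report; the function names, the choice to pin the suppression to the reported MD5, and the sample variations are assumptions made for illustration.

```python
import ntpath

# Values copied from the event in the report.
REPORTED_PATH = r"C:\Program Files (x86)\Adobe\Reader 11.0\Reader\reader_sl.exe"
REPORTED_MD5 = "58b8702c20de211d1fcb248d2fdd71d1"
REPORTED_CMDLINE = "I run"


def is_reported_wtfbin(event):
    """True only for the reported pattern: reader_sl.exe at the reported path,
    started by that same image, with the reported MD5 and command line."""
    if event.get("type") != "processEvent" or event.get("eventType") != "start":
        return False
    expected = ntpath.normcase(REPORTED_PATH)  # Windows paths are case-insensitive
    child = ntpath.normcase(event.get("processPath", ""))
    parent = ntpath.normcase(event.get("parentProcessPath", ""))
    return (
        child == expected
        and parent == expected
        and event.get("md5", "").lower() == REPORTED_MD5
        and event.get("processCmdLine") == REPORTED_CMDLINE
    )


def triage(events):
    """Return one verdict per event; anything that is not an exact match stays in review."""
    return ["suppress" if is_reported_wtfbin(e) else "review" for e in events]


# Constructed sample events: the first mirrors the report, the rest vary one field each.
BASE = {
    "eventType": "start",
    "type": "processEvent",
    "processPath": REPORTED_PATH,
    "parentProcessPath": REPORTED_PATH,
    "md5": REPORTED_MD5,
    "processCmdLine": REPORTED_CMDLINE,
}
SAMPLES = [
    BASE,
    {**BASE, "processPath": r"C:\Temp\reader_sl.exe"},  # same name, other path
    {**BASE, "md5": "0" * 32},                          # other build (constructed hash)
    {**BASE, "processCmdLine": "I run now"},            # other command line
    {**BASE, "processPath": REPORTED_PATH.upper(), "parentProcessPath": REPORTED_PATH.lower()},
]

if __name__ == "__main__":
    for verdict, event in zip(triage(SAMPLES), SAMPLES):
        print(verdict, event["processPath"], repr(event["processCmdLine"]))
```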