Behavioral Report

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10-en-20211104
submitted
12-11-2021 12:00

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

1618b9276bdb64---confirm.pdf
Size

19KB
MD5

52e11fe870ff8acb8abc5c304b5d0222
SHA1

d1edf63fa3bacbd12423634509902ac82b8cd31f
SHA256

71bf6701266abf388ede6281d4b7fdfb9cd8141da8f2e844ebb13d93a7e685c1
SHA512

c19be9f5f937e534131c4a03b0f391cccd1ab7f44dac914d7ebd1c7a87d8abb6236339e9c675d020901cc850e2094ec691e7e6a1c5f8e5f2614d6b62aa8d72b9

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

TTPs:

Modify Registry

Processes:

AcroRd32.exeMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\members.tonightshookup.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\fckme8.com\Total = "42"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "qeihknr"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "342496514"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a0e186c33ed4d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\tonightshookup.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\tonightshookup.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000085b0f93335e1abc83fcb90f14e99df02dd8a2a2839a213751a98aabe7602dfdc6cdf85ad7ef4342541b1ec7e95be003a729a1403304e52caf08e	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "118"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\fckme8.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = d0c3e58225f5d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\tonightshookup.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\fckme8.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AcroRd32.exe

pid	process
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

860 MicrosoftEdgeCP.exe
860 MicrosoftEdgeCP.exe
860 MicrosoftEdgeCP.exe
860 MicrosoftEdgeCP.exe
860 MicrosoftEdgeCP.exe
860 MicrosoftEdgeCP.exe

pid	process
860	MicrosoftEdgeCP.exe
860	MicrosoftEdgeCP.exe
860	MicrosoftEdgeCP.exe
860	MicrosoftEdgeCP.exe
860	MicrosoftEdgeCP.exe
860	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	592	MicrosoftEdge.exe
Token: SeDebugPrivilege	592	MicrosoftEdge.exe
Token: SeDebugPrivilege	592	MicrosoftEdge.exe
Token: SeDebugPrivilege	592	MicrosoftEdge.exe
Token: SeDebugPrivilege	664	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	664	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	664	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	664	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1884	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1884	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4296	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	4296	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4296	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	4296	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4296	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	4296	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4296	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	4296	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4296	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	4296	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4296	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	4296	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4296	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	4296	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4296	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	4296	MicrosoftEdgeCP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2824 AcroRd32.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

AcroRd32.exe

pid process

2824 AcroRd32.exe
2824 AcroRd32.exe
2824 AcroRd32.exe
2824 AcroRd32.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe
592	MicrosoftEdge.exe
860	MicrosoftEdgeCP.exe
860	MicrosoftEdgeCP.exe
2824	AcroRd32.exe
592	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2824 wrote to memory of 3668	2824	AcroRd32.exe	RdrCEF.exe
PID 2824 wrote to memory of 3668	2824	AcroRd32.exe	RdrCEF.exe
PID 2824 wrote to memory of 3668	2824	AcroRd32.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 1336	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe
PID 3668 wrote to memory of 2688	3668	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1618b9276bdb64---confirm.pdf"

Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

Suspicious use of WriteProcessMemory

PID:3668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4CD0EE742E94ECB4617DE304606BD9EE --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

PID:1336

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F4B7413370949BFD0464FCF730FDD5B5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F4B7413370949BFD0464FCF730FDD5B5 --renderer-client-id=2 --mojo-platform-channel-handle=1648 --allow-no-sandbox-job /prefetch:1

PID:2688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B4FA409640C5EA06308A58BA32D6BDF6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B4FA409640C5EA06308A58BA32D6BDF6 --renderer-client-id=4 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job /prefetch:1

PID:800

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D04BABF8ACA1E545D69054B1C04384BA --mojo-platform-channel-handle=2468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

PID:1072

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8BDA9CA8E74DA2B346ADCB2EE6DE55AA --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

PID:3116

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6A4305075C81D826D56E36EAA25D895E --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

PID:1140

C:\Windows\SysWOW64\LaunchWinApp.exe

"C:\Windows\system32\LaunchWinApp.exe" "https://findhotlocal.life/?u=2vtpd0d&o=ywuguu9&m=1"

PID:1796

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

Drops file in Windows directory
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:592

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

Modifies Internet Explorer settings

PID:1924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx

PID:860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Drops file in Windows directory
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken

PID:664

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Modifies registry class
Suspicious use of AdjustPrivilegeToken

PID:1884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Drops file in Windows directory
Modifies registry class
Suspicious use of AdjustPrivilegeToken

PID:4296

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Modifies registry class

PID:4648

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\H3SGC0RL\1Ptxg8zYS_SKggPN4iEgvnHyvveLxVs9pbCIPrE[1].woff2
MD5
01a273e07cf0950b760ee6cd9540a72f

SHA1
270bb462018cc354ee6ff44d8e1b8b8fcb0e8641

SHA256
0d3b3a3f34ffd3526eea2f77aebe34caa8e86c59002dfd89aa834b0986feeaa2

SHA512
e29af272aaa2f98c651070b6063cdb6aeda0ecb1f3c2c6572f9d263bbbf6bb91314251db13e391d4f1fdb5a2b1c5f2cf93bc73b7c4033eb85a003e2d8b2b3230

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\H3SGC0RL\1Ptxg8zYS_SKggPN4iEgvnHyvveLxVvaorCIPrE[1].woff2
MD5
131f660715196288a68bd84296ada895

SHA1
b7509bd4352f0b015c8b7d7f27157ffbab0cc3a1

SHA256
1d94fd1a3793df0abe10fb36e59825864e1ec9623496e1e04c9cca624be01394

SHA512
9405f4d259d5b17a66e397ff4acfab137e5287ecf49c22880fb9c12d71b40994aa14fe971723b3894ff9704a219a61a8bbec86c1ab65bb1da70fe630e678634d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\H3SGC0RL\css[1].css
MD5
566208afdecfb10aa0a8b9acfd9206ab

SHA1
f00de31078cfa09ec40a2df27145ccd5f601e3f3

SHA256
e6ba4e538d502d82a710715e7738963843a38f471dc1baa1103e039063d0b84c

SHA512
65e824e9565dc91831b09d87a15273f7dae1b26ce5a94a916fc377c7a8f8a31a050d59e232a2060a6b9b9fcfb532ffcb9c5ca2b3e3e39abca51cffb27bbc4c3b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z7NBA433\KFOlCnqEu92Fr1MmSU5fBBc4[1].woff2
MD5
80fe119e5efa3911b9d61b265f723b3d

SHA1
34f751a1b1a0c1c0b5264b99f490e689db939657

SHA256
33530b007071281a97e79baab13ddf7cc4b9de942ebd3e212224857335f7cb97

SHA512
110d6709958ad101466ad1e2516c91767a6f35cc947445c879b7f659f3fce62db8e3f07ebf04b7d095b076ca568b4270a069ea0afb408c6e301f7f4dba636334

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z7NBA433\KFOlCnqEu92Fr1MmWUlfBBc4[1].woff2
MD5
bf28241e67511184c14dbd0ef7d39f91

SHA1
c706e0a4122ab727645b744c21667390e8898a4d

SHA256
0eaeadb58e6995ba85eccb6198aaef77eeb1d4b66699e4e1f3fc10eb6adfcdb9

SHA512
087a4904dc848706084f212eca1d5f6653e6fe0a7682da9c808cab8c8c45634033aabc9b5a3ba19ec4bbdf6c2f728ddc059ca93a7442b7e1e84ca48c22f41814

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\0E8F14674E5E8EE73630421B6647F71A
MD5
49e7492aac7ab0e9f81a1ae2bfec3eb3

SHA1
958846521c92f169bc4f8f7f8f8841ba4764c08d

SHA256
2cbcf2df554737de66428da5068ad33a2ee8018e2145f2988e503d605ba700da

SHA512
22aa44822ff294db89d03a4c14a15f3959e770396711c3e15006bfa79c2a82b6bdf5bf84f7066ba7102644d3e06c2d70a6de8ab3c3a6d6fd03c8366a45ede123

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
cefef58a437c01b6704a227107c7bbe8

SHA1
35f4c980e5b688b44fd359acecc8616791c2e47e

SHA256
08e0b3e398e35b284e3661ae485a863ca0339767a2e7b84517b4800eb966fac3

SHA512
a540108749e115f4d6c9b432da3e8e10c696db2a5c477a9d0b49cd7739732d9fd39c57b75d6bf7898ad8873103a0c76d49aea046ccce22064ba9a8b2a35ab8d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_4643E2F01AB2AF262C11881642F53436
MD5
2d86c5bb686f2b785062ba1a8659b55b

SHA1
1f7b8cdb061bdc448b75887ac3cb9766511955a7

SHA256
353b68706f285f213d9a4323649c16365771fac4a841e1dcd89763173c154340

SHA512
16a6949693a4221ed33a233b6b4b06b630ebd959a72264970854e0694ab89affe3e6ac09a9d6011ec30f7c2101cd47a21b7e7cb47875d66eea6cccbb090b9674

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
64e9b8bb98e2303717538ce259bec57d

SHA1
2b07bf8e0d831da42760c54feff484635009c172

SHA256
76bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331

SHA512
8980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F77EF3C2B32BF1AA808568B05E417354
MD5
0e21e3bb5d646e0b39858f7bf81318af

SHA1
33e500bdbfe2e45c8e2075a4be548535fd96992e

SHA256
3a1abd55a1349775d61b629bde7be3eb676245b31d16c3a5461fe46877903ff4

SHA512
03f0cc92b8e3e24dabc0391b5fe9fad2e759a0afd2b2695d12747cad531e847d65481cf945f047395e8e145bb0d27b11d24d24a3e95d49dbcffa047bfff53fe9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\0E8F14674E5E8EE73630421B6647F71A
MD5
6fd1a5800f641c7d4f317723ea0a6ad3

SHA1
34fd16797d5849e96346c0e19c9ea99f4fd467fc

SHA256
2608d1e0dbc631379e4895052705387805a2aa5d4a3ba8fac5b02ce91f134c6f

SHA512
76aa5f01c08901a2432ccb9b44f780b1d464fe5451a6ae7af86e5d48c8e465179362e2ab67cb084c249bdb527d93e00d3390fea28c86f0d4decbde6be27876c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
56e6fdd3d4a6e899fb141a1ed0bca31d

SHA1
95849ed1995eee13a8eab740d07609327967d624

SHA256
e44c8cc5d33993eebd6a052b4ceb63bbab7677157b16e7ddee2d97d2b8ea4e3d

SHA512
35e9af14353d0e196824a5aa255ca50a6363c2ef6205e853b090551117042aa60508a56aa4b1f22a9c63dafe6c33be22eacefc63e143ddea0c450f2e5de866f2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
28077722668e75da4445701c87cca6ed

SHA1
df12848b6fbec29294a36c36f05ea8a2d945b4ae

SHA256
d5722aebfa77657216e67cdde4e227af5246d917b701592048d69d23ef5156a9

SHA512
da2bd379f628f8c151599cfd04b84b092ddfb232706a42711371f68ae8efc49ec5b8ff05e02981cc9eb84b07e18bc90dea9d0424ec494213be6c8bc7f779015a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_4643E2F01AB2AF262C11881642F53436
MD5
ffce18534fd64975de697facbe2b48c2

SHA1
ba9ba82214228182105c4fd95949c5e9de89baa3

SHA256
12336f46658a0d61e4a742c01c2f5c86ec84cbe5b48e478be07b7b69fc379db2

SHA512
bd24669006b02cbf982e2257114df4c06c7696fabb18399e8334bfc3f5f238c6ec23f7994cb5ed3ccaef4b5f8099098886f2eb3fd266a419ee1b50725f618893

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
380b5f097b01444d7dbfd6637375346a

SHA1
669f90c1db201978050b73bcd74ad6f282f3dc7c

SHA256
f322016d451cf709cfa463391eacfc54d85838e8c9e8f92bfc69412ca16e52f9

SHA512
04faf0349e62d00f8cc96c037a3d0ca7617f75cf0e606f876e489d6d3019e361c5e82641b5142763ff947841a76da091f43d7c6c1a7bbff6cdff329730ffc7e0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F77EF3C2B32BF1AA808568B05E417354
MD5
c4ff4b205043b23db6cce91116b412e6

SHA1
185da0f5a969854d41eadbeb80e16b70addabb0f

SHA256
83558b8ec24450115d4bc9aaa72a7d6f14837b90611bd3e3ac999e0a511a06e1

SHA512
bf5f12ece87e59ae4d949a60f5d031b1aba759dbe59a675016f42af159563ad1b3ee2c25bf3957ae91137d7a3e3bb3abed8c6b9d9a66bb15e28d567c7e13d8b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
memory/800-129-0x00000000772C2000-0x00000000772C3000-memory.dmp

Filesize
4KB

Download
memory/800-131-0x0000000000000000-mapping.dmp

Download
memory/800-130-0x0000000000DC3000-0x0000000000DC4000-memory.dmp

Filesize
4KB

Download
memory/1072-136-0x0000000001052000-0x0000000001053000-memory.dmp

Filesize
4KB

Download
memory/1072-135-0x00000000772C2000-0x00000000772C3000-memory.dmp

Filesize
4KB

Download
memory/1072-137-0x0000000000000000-mapping.dmp

Download
memory/1140-144-0x0000000000DCD000-0x0000000000DCE000-memory.dmp

Filesize
4KB

Download
memory/1140-145-0x0000000000000000-mapping.dmp

Download
memory/1140-143-0x00000000772C2000-0x00000000772C3000-memory.dmp

Filesize
4KB

Download
memory/1336-119-0x00000000772C2000-0x00000000772C3000-memory.dmp

Filesize
4KB

Download
memory/1336-124-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1336-121-0x0000000000000000-mapping.dmp

Download
memory/1336-120-0x000000000100F000-0x0000000001010000-memory.dmp

Filesize
4KB

Download
memory/1796-147-0x0000000000000000-mapping.dmp

Download
memory/2688-125-0x0000000000000000-mapping.dmp

Download
memory/2688-127-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2688-128-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/2688-123-0x0000000000FFC000-0x0000000000FFD000-memory.dmp

Filesize
4KB

Download
memory/2688-122-0x00000000772C2000-0x00000000772C3000-memory.dmp

Filesize
4KB

Download
memory/3116-141-0x0000000000000000-mapping.dmp

Download
memory/3116-139-0x00000000772C2000-0x00000000772C3000-memory.dmp

Filesize
4KB

Download
memory/3116-140-0x0000000000DCB000-0x0000000000DCC000-memory.dmp

Filesize
4KB

Download
memory/3668-118-0x0000000000000000-mapping.dmp

Download