Analysis
-
max time kernel
316s -
max time network
352s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
08-05-2022 16:54
Behavioral task
behavioral1
Sample
OTKPblTb 3512 - 341053.pdf
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
OTKPblTb 3512 - 341053.pdf
Resource
win10-20220414-en
General
-
Target
OTKPblTb 3512 - 341053.pdf
-
Size
325KB
-
MD5
4fc2ac9dd403c8ed1f1830020ed24bc5
-
SHA1
f194b156b3705492f35cab495c2f6126d5b693db
-
SHA256
8cd69137791ee2158c0431e02114f850cb63ddfbd8f0c8301ab10750238d36c3
-
SHA512
8026275eaf0f1dba3204a273074aadf9cab6b8b16e5ba46c3f9718111d118ff9c307c58510df0def0de9b4c782db53dc1a148adac343fa16f3904e6e24588063
Malware Config
Signatures
-
Drops file in Windows directory 4 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Processes:
MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exeAcroRd32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c27123be0d63d801 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 20d9d4635774d801 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f59edbc00d63d801 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{16BC3655-0D78-4944-9CE2-D90C2796A6E1} = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 62be1bb20d63d801 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 09a2cebd0d63d801 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 8f5aac2d5250d801 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "358817915" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" MicrosoftEdge.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
AcroRd32.exepid process 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
MicrosoftEdgeCP.exepid process 4352 MicrosoftEdgeCP.exe 4352 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription pid process Token: SeDebugPrivilege 3456 MicrosoftEdge.exe Token: SeDebugPrivilege 3456 MicrosoftEdge.exe Token: SeDebugPrivilege 3456 MicrosoftEdge.exe Token: SeDebugPrivilege 3456 MicrosoftEdge.exe Token: SeDebugPrivilege 2788 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2788 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4088 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4088 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4088 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4148 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4148 MicrosoftEdgeCP.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
AcroRd32.exepid process 4588 AcroRd32.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
AcroRd32.exepid process 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
AcroRd32.exeMicrosoftEdge.exeMicrosoftEdgeCP.exepid process 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 4588 AcroRd32.exe 3456 MicrosoftEdge.exe 4352 MicrosoftEdgeCP.exe 4352 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
AcroRd32.exeRdrCEF.exedescription pid process target process PID 4588 wrote to memory of 4260 4588 AcroRd32.exe RdrCEF.exe PID 4588 wrote to memory of 4260 4588 AcroRd32.exe RdrCEF.exe PID 4588 wrote to memory of 4260 4588 AcroRd32.exe RdrCEF.exe PID 4588 wrote to memory of 4680 4588 AcroRd32.exe RdrCEF.exe PID 4588 wrote to memory of 4680 4588 AcroRd32.exe RdrCEF.exe PID 4588 wrote to memory of 4680 4588 AcroRd32.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 64 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe PID 4260 wrote to memory of 1292 4260 RdrCEF.exe RdrCEF.exe
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OTKPblTb 3512 - 341053.pdf"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=129639BC57A89E0471E4B54A0CED6EC8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=129639BC57A89E0471E4B54A0CED6EC8 --renderer-client-id=2 --mojo-platform-channel-handle=1648 --allow-no-sandbox-job /prefetch:13⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FB4A58BFC466FD96D357595D7A324D1B --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D8C8920691628E03F065E2527E551206 --mojo-platform-channel-handle=2232 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3288A797EAEE894C0A7B0247425DA21E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3288A797EAEE894C0A7B0247425DA21E --renderer-client-id=5 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job /prefetch:13⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=26E0A35192FCD5501D8DD77FF2A8704D --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FB97E2941CBBAF2DA15F5AC1855312B9 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
-
C:\Windows\SysWOW64\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://docs.google.com/drawings/d/1vOI1VgX8BxJIwDZbwXUJy4fAt2x8AHMl3fVj3B2kxhQ/preview?IOHPOKOBDPC"2⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=12CCF1FB6A503CEA068E0E2562241CD9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=12CCF1FB6A503CEA068E0E2562241CD9 --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:11⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9CBF8CDD0252B7C97B6C7B90ECCE9B2F --mojo-platform-channel-handle=1644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:21⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86CFilesize
631B
MD5aff8be3d9a9e573fca3e21fd98f0c42c
SHA11e35d69743ae61c13f984c82c300e29c0e9169eb
SHA256d20a7c97c5b348fb70b0d62a3a8400ed55b605be4da54a8826122fdc3012ab36
SHA512d72281a0a58431a9b03e6ef7abcc83c7bfe95a4ca31ab6289314d57534ba02e824a66cd78b7da484efa5249004e51f0f9178d9146b52a811847a5f31b7187af4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86CFilesize
242B
MD59ecee789a46037ce462df75f07ca1e02
SHA1b86b051127497fab6a4f94248ff264a49173785a
SHA25644af824cd87ee515af5cf2684976f72d157b100f5a69b19ce47630408828aa6d
SHA5120245260ca276feba95554f482646f46168334ca911992102bbed69b4d4a9c72f7dc67ad43af26ea14d96f41e402e01a18f591a0009d6b879cdcd1bf17c7562e2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
memory/64-121-0x0000000000000000-mapping.dmp
-
memory/64-119-0x0000000077592000-0x0000000077593000-memory.dmpFilesize
4KB
-
memory/984-130-0x0000000077592000-0x0000000077593000-memory.dmpFilesize
4KB
-
memory/984-132-0x0000000000000000-mapping.dmp
-
memory/1188-159-0x0000000000000000-mapping.dmp
-
memory/1292-125-0x0000000000000000-mapping.dmp
-
memory/1292-122-0x0000000077592000-0x0000000077593000-memory.dmpFilesize
4KB
-
memory/3456-161-0x0000021F81C00000-0x0000021F81C10000-memory.dmpFilesize
64KB
-
memory/3456-160-0x0000021FFFE20000-0x0000021FFFE30000-memory.dmpFilesize
64KB
-
memory/3520-140-0x0000000000000000-mapping.dmp
-
memory/3828-152-0x0000000000000000-mapping.dmp
-
memory/3828-149-0x0000000077592000-0x0000000077593000-memory.dmpFilesize
4KB
-
memory/4260-117-0x0000000000000000-mapping.dmp
-
memory/4404-147-0x0000000000000000-mapping.dmp
-
memory/4404-145-0x0000000077592000-0x0000000077593000-memory.dmpFilesize
4KB
-
memory/4556-157-0x0000000000000000-mapping.dmp
-
memory/4556-155-0x0000000077592000-0x0000000077593000-memory.dmpFilesize
4KB
-
memory/4680-118-0x0000000000000000-mapping.dmp
-
memory/4840-129-0x0000000000000000-mapping.dmp
-
memory/4900-133-0x0000000077592000-0x0000000077593000-memory.dmpFilesize
4KB
-
memory/4900-136-0x0000000000000000-mapping.dmp
-
memory/4944-141-0x0000000077592000-0x0000000077593000-memory.dmpFilesize
4KB
-
memory/4944-143-0x0000000000000000-mapping.dmp