8e4c54df103d285c152fafe380fbf0bb3e2111a99fcec410ba322d861bb31f59

General

Target

OPeN 65a.pdf
Size

390KB
MD5

d5bb4965f28c3547362c0efc99255343
SHA1

38be14091811c5fa84fe1cb977230e5982cc4937
SHA256

8e4c54df103d285c152fafe380fbf0bb3e2111a99fcec410ba322d861bb31f59
SHA512

aa1a86adc3d055f179a0a216cc8b399182eac31a1168519a97bfa446a037e619057ae475b76ee79b278db80375428577d2c2de84eb300683714e10fd5a47922e

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 3 IoCs

Processes:

setup.exemsedge.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220509154828.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Dictionaries\es-ES-3-0.bdic	msedge.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e148212c-3873-4f8a-95e1-128714435234.tmp	setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

msedge.exemsedge.exeAcroRd32.exeidentity_helper.exeAdobeARM.exemsedge.exe

pid	process
3284	msedge.exe
3284	msedge.exe
3316	msedge.exe
3316	msedge.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
5972	identity_helper.exe
5972	identity_helper.exe
1288	AdobeARM.exe
1288	AdobeARM.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
1288	AdobeARM.exe
1288	AdobeARM.exe
1288	AdobeARM.exe
1288	AdobeARM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

AcroRd32.exemsedge.exe

pid process

384 AcroRd32.exe
3316 msedge.exe
3316 msedge.exe
3316 msedge.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

384 AcroRd32.exe
384 AcroRd32.exe
384 AcroRd32.exe
384 AcroRd32.exe
384 AcroRd32.exe
384 AcroRd32.exe
1288 AdobeARM.exe
384 AcroRd32.exe

pid	process
384	AcroRd32.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

pid	process
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
1288	AdobeARM.exe
384	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 384 wrote to memory of 400	384	AcroRd32.exe	RdrCEF.exe
PID 384 wrote to memory of 400	384	AcroRd32.exe	RdrCEF.exe
PID 384 wrote to memory of 400	384	AcroRd32.exe	RdrCEF.exe
PID 384 wrote to memory of 1380	384	AcroRd32.exe	RdrCEF.exe
PID 384 wrote to memory of 1380	384	AcroRd32.exe	RdrCEF.exe
PID 384 wrote to memory of 1380	384	AcroRd32.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4244	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe
PID 1380 wrote to memory of 4444	1380	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OPeN 65a.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:384

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:400

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C80627AEBB05C090CAADB5D792935CDF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C80627AEBB05C090CAADB5D792935CDF --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4244

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4BE4C633DEC56F2D09733BE48323B08F --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4444

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D69003FC463649F378E2DBE617D16D77 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1288

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=36C2F0E75BBA442115B3AF2F19C74A2A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=36C2F0E75BBA442115B3AF2F19C74A2A --renderer-client-id=5 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1672

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF286E49AA7963AE3A017203034D447D --mojo-platform-channel-handle=2588 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1600

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=90F4B766D8F8704D9E8C93EE8D22E32E --mojo-platform-channel-handle=2024 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/drawings/d/1W6RerSPlQC12UNzTyNOn2RnBJGLt7nhMZy7rFFfv0BU/preview?1bEA1
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc60c346f8,0x7ffc60c34708,0x7ffc60c34718
3⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
3⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
3⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
3⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
3⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
3⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
3⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
3⤵
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5716 /prefetch:8
3⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=5924 /prefetch:8
3⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=6300 /prefetch:8
3⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
3⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:8
3⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff646ae5460,0x7ff646ae5470,0x7ff646ae5480
4⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
3⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
3⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
3⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
3⤵
PID:944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
3⤵
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=4132 /prefetch:8
3⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
3⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=6792 /prefetch:8
3⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=6900 /prefetch:8
3⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
3⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=4244 /prefetch:8
3⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=1304 /prefetch:8
3⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
3⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
3⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,9365339640073810894,11605213519551380866,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
3⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/drawings/d/1W6RerSPlQC12UNzTyNOn2RnBJGLt7nhMZy7rFFfv0BU/preview?1bEA1
2⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc60c346f8,0x7ffc60c34708,0x7ffc60c34718
3⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/drawings/d/1W6RerSPlQC12UNzTyNOn2RnBJGLt7nhMZy7rFFfv0BU/preview?1bEA1
2⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc60c346f8,0x7ffc60c34708,0x7ffc60c34718
3⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/drawings/d/1W6RerSPlQC12UNzTyNOn2RnBJGLt7nhMZy7rFFfv0BU/preview?1bEA1
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc60c346f8,0x7ffc60c34708,0x7ffc60c34718
3⤵
PID:2056

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:5400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
471B

MD5
440eb3ee2a72891d4a6f095b1ea259d5

SHA1
b1234ddb19e3175479bd65c06fd3fc7dda4844ea

SHA256
dd51d916edb47b5cc652d75f5623c9f258a97a15f6be3583b3f9289e3d8a0c11

SHA512
8637290e5f3397232f7c7b7b1ec88a5266a513fc1778e78d7e7ae562ff069f307537eaccd215e1d5f5bbd3c7ba192b8c1dcd257fc85b0dca48714c9df0798ff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
434B

MD5
184a5cfeede2e2cd0f3db19c3bc7e6dd

SHA1
33c39985e8ab83ae349660f88aa2f22c60e8e8a9

SHA256
8cbfc040042bf48254cc0720c365240d96841a7ff98c2e7be6ff12370874c506

SHA512
7cfeee4535ec0a15f47101b53e4262c08aa200ee66f028b24c14825c50352ee2fa6825314678ff6e2932d4705c92bec73671c361f0d7e34f3f6bba3cfb522c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
\??\pipe\LOCAL\crashpad_3316_RMRUUSKSOXNIIEOG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-218-0x0000000000000000-mapping.dmp

Download
memory/400-130-0x0000000000000000-mapping.dmp

Download
memory/532-154-0x0000000000000000-mapping.dmp

Download
memory/944-205-0x0000000000000000-mapping.dmp

Download
memory/1288-200-0x0000000000000000-mapping.dmp

Download
memory/1288-141-0x0000000000000000-mapping.dmp

Download
memory/1308-184-0x0000000000000000-mapping.dmp

Download
memory/1308-166-0x0000000000000000-mapping.dmp

Download
memory/1380-131-0x0000000000000000-mapping.dmp

Download
memory/1484-224-0x0000000000000000-mapping.dmp

Download
memory/1600-149-0x0000000000000000-mapping.dmp

Download
memory/1672-144-0x0000000000000000-mapping.dmp

Download
memory/1888-216-0x0000000000000000-mapping.dmp

Download
memory/1900-226-0x0000000000000000-mapping.dmp

Download
memory/2056-170-0x0000000000000000-mapping.dmp

Download
memory/2228-181-0x0000000000000000-mapping.dmp

Download
memory/2372-213-0x0000000000000000-mapping.dmp

Download
memory/2488-177-0x0000000000000000-mapping.dmp

Download
memory/2936-175-0x0000000000000000-mapping.dmp

Download
memory/3116-179-0x0000000000000000-mapping.dmp

Download
memory/3284-160-0x0000000000000000-mapping.dmp

Download
memory/3316-151-0x0000000000000000-mapping.dmp

Download
memory/3584-165-0x0000000000000000-mapping.dmp

Download
memory/4128-169-0x0000000000000000-mapping.dmp

Download
memory/4168-203-0x0000000000000000-mapping.dmp

Download
memory/4216-163-0x0000000000000000-mapping.dmp

Download
memory/4244-133-0x0000000000000000-mapping.dmp

Download
memory/4272-159-0x0000000000000000-mapping.dmp

Download
memory/4332-152-0x0000000000000000-mapping.dmp

Download
memory/4444-136-0x0000000000000000-mapping.dmp

Download
memory/4552-156-0x0000000000000000-mapping.dmp

Download
memory/4720-211-0x0000000000000000-mapping.dmp

Download
memory/4752-173-0x0000000000000000-mapping.dmp

Download
memory/4804-158-0x0000000000000000-mapping.dmp

Download
memory/5224-186-0x0000000000000000-mapping.dmp

Download
memory/5360-228-0x0000000000000000-mapping.dmp

Download
memory/5372-188-0x0000000000000000-mapping.dmp

Download
memory/5400-214-0x0000000000000000-mapping.dmp

Download
memory/5400-201-0x0000000000000000-mapping.dmp

Download
memory/5544-190-0x0000000000000000-mapping.dmp

Download
memory/5560-222-0x0000000000000000-mapping.dmp

Download
memory/5596-207-0x0000000000000000-mapping.dmp

Download
memory/5624-191-0x0000000000000000-mapping.dmp

Download
memory/5684-192-0x0000000000000000-mapping.dmp

Download
memory/5972-193-0x0000000000000000-mapping.dmp

Download
memory/5988-195-0x0000000000000000-mapping.dmp

Download
memory/6012-197-0x0000000000000000-mapping.dmp

Download
memory/6040-209-0x0000000000000000-mapping.dmp

Download
memory/6040-220-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads