hxxps://kabukistrength[.]com/wp-content/uploads/formidable/29/addendum-to-residential-mortgage-loan-application[.]pdf

Resubmissions

24/05/2023, 17:23

230524-vyej5aeb31 1

24/05/2023, 17:20

230524-vwv44aeb3s 1

24/05/2023, 17:18

230524-vvarrsdf92 1

24/05/2023, 16:47

230524-vajtyaea3z 1

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kabukistrength.com/wp-content/uploads/formidable/29/addendum-to-residential-mortgage-loan-application.pdf

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034980"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b00000000020000000000106600000001000020000000b5d590087c84cc9fdd300d147de70d3f3a8654ea2650f1524c33281e8de6b149000000000e800000000200002000000069b2e2d5b5ca784ee29e2bd21b6bbc165a6976dff842e1b1c6f2acbd2e1311272000000026951d757cde4e569550af0bdfaf4396dfbfe99b4a8178c4b4fd846bf901b30e40000000c3745a3679502de7f597025804082b2747dfd4bf23f7a52e23f8b1a8af91d76a5e864b9ad485e16c7ca1c839184fceddeb470f2dd34bea95122e996754e443e8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7083049e648ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b000000000200000000001066000000010000200000005d6b490e91697699d63f78907219bce0956a231004c7460e75082f8e148e3237000000000e80000000020000200000003de58ed636afe5aff5586968aaa9786cde565d9b8939ebcdd795c9623c835975200000003a8b112578fbcc734df7585f88ecc520135b561f7f70ea9137de423c929e8b4140000000636dd201584de47dabd89917dd52b8ac7d4019337b8390ee9a0cf04869eb39f4ad339809dce8e57a34bb25135d80a8d81b8a9205e1d5d1fbab24a1b4e9bdf49d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b000000000200000000001066000000010000200000003d1b44354691804f4f6f71376f2a0a7e2c430251bac10512ca5206ad106070f7000000000e800000000200002000000082219e440830e124d01db2a1b19a2e71f6daedd9494634463dc4bc46ca3c9749b0020000eb6d687209d702759715500b74bd917799f0e9e01f9a7cdc8f0719b02760c2367f6026bd9de94c0aa83316ad52d8b54816a5c9452b692d4cfa38c87710d3781877c31e6e5d73b0f90e28652e19737f2795f80d72ca5759b949a15d22538eb858ca83af861eaa74f0c86bcaeda0faedc28700574ef0f3d08873dea513772e8963349f5e6bb64f19686aca5fc963e55e83c718dd9d3c5096e2193e35c664120259d6860dda22a40b5af42162a785fc0ca260d7566d6c535ae3befdba178957df5be29086b1b1ba2519496b98b9f56d4eb0ac47e11096fe2e8a7082047721ed0d330eec2c5d4cebebd4ece366b7cea7d0dc283f3fa06a2a683d5100128af70622c0c4aa9e2c44b0891ed6aa6f3ad42e9667e0b02cf8e90d47ffe03c404683d521d537aff3c2ad11bc6bea32ee23fb2f74639c44da30f63096a6c21db16c39dd6a0479af7303f41f74d272b470134c4e8cb7572f6b3b8e6cb41f39dd439d87638432c4bf19156e6fff54c368a4f6e62d4248147fa455c5f2d1b8b51685c4b7463e493562a787391e0f60baaa1043b51066c07bd2d5995ab44cbd3821f3fdb129c5aa9be8695b13d984509f7ced02d95323737c507b1bbf73c96385d5e0a6a75ced4fa355e5b311a8a0c98ef28e8c120814147bb86842d71c3ee1a47d6818b4ecfea7cdfa754dba5f969fd26753077631e941a51cfe63a97926fd1d2e74e57df7c1dab99cd9bb886c460fc964ee73951ae6d270b1ed6b9ffccf30044623478b1a7cf2dab651d590d76984e798b01fe0e6af7428fdb6b88a84ee0eaf60b2d3a373d04e8ffd1c94d3a31b4cdde198c46faae9f74b96388347b1f9eae717b4f1a4d06a823dd40f4323b37cb9759eb76a403ccb0a2d3d438ee1b362c17f666283e374125353c07d69e42ff14cbcd3f4bd1b705ef2677e16aa90658cbe9a88b7695c5bb3b35a83a8406defb2b2ec3c8b0ff827639840000000026402f0f3d33ed733607c53cede578d0396434b8e938a07ab0fd3033bb95731146b737e85e9c085ce7cec174e3876f80a84092c1ebee9190c080a1f4116a8e5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034980"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2400726183"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b00000000020000000000106600000001000020000000fbfe5d8c201db9fd44b6162d1ece14b68ae26a6fff22bb994237fe13535652ee000000000e80000000020000200000001861a931d245d9dfde6876dcdacb0955c4c0899f54cd2a9a4dc92bc025bff5572000000055c4180586d09039371bc782e0978bbc95484828798aa1b27e8473e4b269a1cf40000000bd39efbd0999cf7e4542c7f095ca028992577b51a25f449d4579900188daf92386ad5273ab13efd682e257703073b11ac90facaffd99f2ffd75730a63e88e7e4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034980"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b000000000200000000001066000000010000200000000b72847268374b98f87066684ddaec313f9c5969c284b241f92ba64a3a955ace000000000e80000000020000200000009d06e6bc54f12727392563ab2c35ff17db08d54c1e90ae7ca5bba4be3eb8ff95b0040000105bef92751f5a6c706a19a37b4632e4eb913fc801b7f0717c6eaf70c0be06e042acdb83affdb08e2e9e55d07650b2a01a494ce8a2a9fc6e10d000bffc19389e2f0abf8b00084fd1035dd96ff8d3f2d738330def8265995952c5508072e621e2c53ad9e1437fa5fe727713394febb05be9c60eaaeb6d03632403b42d199a9dec8cd07bdcee9d0f8fddf5ece8fe0160b1c16ed00787c97ffdb135e5f76eadb51fbe8e4a2c1bcb0d1cfc11e6c9372828a2438542eed1c4f0614223987f69020aa559f1372a65dcc285bc5be119fd430addd7788f25e81b9f4aafaea5122ff123241835062c8402f7e7d487f4405efb55fdf630d1820242d45ee453bae4db450be9e40337bda28424d5ccf83450806e4f64bccf0ddcd73d46537ede226caaf30d107410c16c2cecc5397cec11e8044bbf9b92415896fbc37a3b3ee3bf9e69cafc5dc10758671a95b89f94a51101dcd3a592e818151c5905f844feebf2810490c8dfc78dae5cc6e66dc99ab0eea637f71c6fe8402b0ec69d2b5d2f73e03ad27b5e98759c2f4bf7b9fe275e818fcf621ec4af16fefb64035c9e5280ac17776e874593982b7addc70ad94110d03c6f5a277289745234917fa16f70ee5b37d093f87c71494a30b587300e1b96cb59b8837d83fbe369a1e4c8495d3eaa8c1a6bad21c72b91a71ee07dee3976d6b2cba0b6dab3c121b752ce5fa8efaab8a788cd4aca38d4951001bcaa916a77371df94dc2bd6c1ec0db609abbe9970a91da50a96bf973259b596aa8f5bc65e8297cab19194e8e7dd8748cfa2c98b547856345ab610b79e04616437f837e7fe542694635d7ccdebdba2cf0821dc3518304ae25dc3e525113218bf163a7e5fb07b211e5d380feafbbbbac83c6b59b24d33cda5709fabffe8e1cd0003731289732b65fe53461abe0031ea58766a93267a4e5225a247f95711bbcef63bf9370a75270c20f51ea9ed17370fe87bc6271ce8f0c8769e689ccfe6abb9bb0371f6dace60f3589cf28393b6dbc188d192b0870647d2734e95b9d4d5244e80440cb77deb5c5b6458ee032865e30875cc0ae51410cd21bf1ef445cb7174603a13366ef99a485a3ca17d0adcb81f3d82dbd14bb6815eaf85509731b4dc3b9737547e9f9993bcf599643abd6699026e421cd83cc93707a447121e140a90e85505df2f2f6653318bd9bee538c7b6ca45bf0cef2df47cca0209df7a65047ca3b2516af1f0d61fb4ebedf97140755ce3aaea2fb22e196b6a72451caab6eec821445021d8bf5f972e694f3be18f7aa509ab190ef286d74cb33a263d5b34ebe13eea36ebe36c737d8458bb386b17db4e0f0101cebc447be2fa10f15e48653bfb9da8c5fadbcfdbc2f69ad49977d2b60401c06ffd544c366f79ba9a2fdabc00d214990d277bf310f5c90ee9e0cbb72c30a620dcf573790a21d61321eb360dc7cdfca18057b5517d39099c53b152e547b5a493b18102ada11e11a480c2b2298cc1cd407f2da2c883723817e7d745659c4e4d15d0f176e5d9fe86b5487789e333997e65ec1107ef1107bf848f6f4ffb59b1b206f7250bd45ec593b4ef54e4c44c52f3e06d4fa7e06e14a04903d9e14fb627e61750a58b301b9ce44cd9620d586fed417a318c64f19458b7d1b7d3997ba9d1d4da15a278bc16d3c0e3bbb37b05c5d5b15fc59e93dfa296c2731e8c34a2bee2340000000460fc2f3917cf1ed85d5972ada84d2296f9a0c7d15f5eaaf5fb5ec256736ed613e564920faf698fbfc2a54e36e50ccc7e2b37917299c20aa9a94654fa484b781	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07f8688648ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90855f8a648ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b000000000200000000001066000000010000200000007bebd24a05d61b1a4333a02d1d623a3f1384a2cbea76d3d5b5490296edfc0fab000000000e800000000200002000000031e89223593e7aed8e9e179094860549fde5d76d899483d812c1fb6833b2358a200000005bc6df509cb43721878f748a3ead018162eb879a418be02c713f3d05ec5834ca40000000a7a6a7ba4ed031de1347275ceae20cc14576b4cb5fc3e26717b47ee755c707e6f5d310b188d9b8bea27bcfca254c245f97930af04e1a66266a7cc29dfb5f99c5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B949BA18-FA57-11ED-8FFF-DE61172DF127} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b0000000002000000000010660000000100002000000058e873d31e3ca021e6c729b38bd79e8d7e956897f5e47a4d50138f0257cde2f7000000000e80000000020000200000002b0fdd58c42df7413b26d314e9cddb857058ea8d644d520f911cc92ab4cedc85200000003ae6e4f086ed08fb3add0a2d739573614570181779495ed4247a1969528b4004400000007d119af70de3166105c5432f5d3a02bc8b51355ea7a5a482356b79b53f0a4b929b52f0ae30b5b5207a0ec44fee97314bc693e18e0867d4badf38aba226cca30e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2384944874"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0cb0c9f648ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b00000000020000000000106600000001000020000000d6d0fa6f4d020462e63f231d536b6727af37ea93304b41c57f5ca3238274dd86000000000e800000000200002000000047db6e85d266022b4847fb366f50aa4b96a6ee2c6fa85e3b88c86b8625853550b002000078a52f9c15d5b80a39150e224e3decadde2ecf741a56b0cb3bcb8e971b75066aa4114b115bfbe8a02743e0b9f36dede7483163f726f018af0ec63dcf9ddeb50886dfde9b8bd26c98709eece1bed82c945c44c75283d8b09fd34fe8a747579405176b557fe8f059b3968479be9f75f57c2bdeccdf03e99b577f790d2e59dc5fd0a72f457b1bd823e359067507ca4f36267e4cdbc7d9d2501bb0b27b6f9c9b0a167ca6c14f1137d80dc4d0e5f16602a80b8520464377557ee4c90576e6c86c51a037d3548998c946c21686e760bdc96d2e96f9ea31f25c40a392cc3e87db6a9af575721c3af9f6e6f86455a4ea4ed2bc7ad2c71a5aab004a5db08cf9a13df2a9296f8835dc201baacb936efa2a8987f0b94892f60b133a79e0892b2aa8f004ab0e94627159944ffb541bdaa0354f12b21bf0065102c3d553c283820c48105fdfc607aaf71149cfbcdc45703c893206aa9d02ba8d7b11355840aaf680ab7a868b0a7f962955c2b880d4e6c408ed4dffc16559e52ff81a499c9e19dea92c04005ac54c39cf0625feba3841778a8644ae10f88cc7ccc1279a29002b2267d62b10fca5582cda53a1a64aa48258d6362ae404f60e120fd597c7e5cefba81a872aca45217a0792cffe15907f2493e94cd26b02817514935e04522fd4922c787ad10cfadcf3a75a962afdbe20fef3afcfa919c4d3a7416fa31289136c911e9fe252119874d46736285500e03d10cf7b1d32bfc24bbc414791cb4541f874daf8240b29e7631144eaa856baaed2d0664c39079c441ad3342e61532b84a08904f854acdf68fe612ccb36aba681b84ce0a1254bfb2b47410d0bdb50fd592f70a49c5d7e9dc7021cea6d655a70a86783d7ed34b41ded326b8c83518b01f4b83d8cd2bc4395f62f93e98428f34d166807561cf83df6e9ceb5f998161042c03c98175f2bd40ea897cf3370c907c8dc681409d5ebf395221340000000a4f1d49ec20e5051df7f5d731d48869404f4a496e4ddf532fe149daa3e3c669cca195849bbe7b392b1d0cfd6a97405e5eea8008578594bd7f8a92c9ae5f07ab4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2384944874"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391713995"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b019c9bc648ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad54f294c4fc0145a244c5228000574b000000000200000000001066000000010000200000000cc8dd715416e7aad88b36ca93dde2a23186864b35ba9b19d6c2af2b25a48758000000000e800000000200002000000096edc98021d9f376edeff6163941728f3d74156d48ffece29bc353eaa05622026006000075349624cbdfc14dfef72d2308566bdaf48738020a918323277ba62d23e3d83b7738b4fb8c76dc8f1719dcab0479859c71508f17811a6fa86841571ece6ab7c958e9cec5105c4800a9134a04c04cfbe665d221c42fbdcce4fe68f6b1ded67ba7035cd1bc6838f0a6fce5c929851190a891cd8b7e1c798fa9694433ba97b09972c28715cd95deef42545cb71f40fd457b8281bf957b804df46c4c2a03e3be641e4688c0aed277d08f795d42e2562b4f8bf35abbdf2428bee6ef5860e9fb77f5cbac499c20969c11ad2247b0edbfa191f418cdd26659fd588302ee7e92e994c0da97c33999ba3251ddcd571c9725835b3d1bbbac6b7bc9c126ab2df3d3020547bb07fe9e89de793114491410054d44b18005e403f8ec9adcba45204d261f4192293db0ed169b5410b76a7a5178d11af61bbf4b8152219e7b3aeed054a674fd8f55ae73d21e0d379ac3f6970698d0b54d2cd85151dba50311ded57572eb8f87bca721ebd99afee84418f21c5b0e2e7c00ef8d1c3cf76f5f1439267229fc9ad027dc5bdc637a30ce48a8201b230d5e5d197e49683d279860c006b8bb1b23ea9aacb6ca406e13929dbc3ab9dabf14ae28c237aee77cf569e888ca3cedd489a6587b2e0d436329d503d38d63417f12be841e4af42150de8c06e3a72d1950f6cf24263a7bfa81195c365602570c073753a4cb14fdd8ea6fe2c1d9d70bd243784b33f6ba78ca6161ac93bf319a0230cd091d9d85bf55868d2745c0bf1d1e3cd96c049271cc54526224ad95e580636721478c684015f247201df15b9a0536f05b8770bf25cdca4c8e1fa5e929cab89efdd6b02302152a430328ea7140c5277d49bd71fdd36daaa87e30d8d13e22c5b7c150dba577e47210179d5d2e21b61a3893b3c769fdfefad9c6bd97269cf5e47821b3f6af132883cbf8aef41223d91ae3fdad6fc375e2158afd1f9b527c607addd8c604c992f7fb209300b6ab68b8ed49a6da4d54cb4face3b8a329ed44b580d68cfb4d04e298b6bae4e5b2c46c888ebb5b8eed5fd6bf21f21aa51ee2ed69647db6a9c440d6d60dc01055c6ef952c326b321c5a829521e3d5c09301dea585999fbe21b324f3d51f65da64388d7bd75d8bf7cb5331a6f5e62b0a0acc31164fcf8448bbeb603b11ad8cf5f7102b134873b358d71150bc858970439749572085c066d7c44a38cfee9f102c43a4e0368062667995366725f8537c5388a0961c78131e07af4b9f7cc5608abed2993f8f7aee8b389f673e32835ab3979158fe1dd5d06f17f14d3c514a25c138e12e8814883c4e3d54bbff19eecaf171b8d64ceab7e68447ad4808072b0168439a486dd2e003880b281130b0f519370763631097f95b2e1d975b883be1caf73f7380d21d3ced6aee11416ad32692f1fb572669f1cd853e3d6fdb53f5fd6a184d78cf94f92ec1a421fe145e94388c281b9cd97184d89da3094c314741f0b23b7b3e4fa8af76e16dc3a244afe572eb04f1f3f3a0d2610381fc5a2520d6a85b82718f6fb7ab4054bf8f5575f93b6b3d07a99f60b48b045eccc5c6cbf2309b038950b55f23f063293e5fefbd8b99c8960cec0f31073c1132d30c995825ec6a9370a665b71cb3cafc9a47277f00ff634f7e813857be0226ab9c2d2a5575e6ee3100fc386527a103196eda0a1182d3cd2f33050199c8fc7ed9282c57d95044cac8c7cb4913bb39025aa1ac41892ec7cc24e935795b6e222d13508236a60c60d796f5a98132425777026165ef96a97a965ca545ffcec19e0251bd5612f95530a77505538173a4df91252311f0320d7d88fa78b303ad004fc8742b6ef37ecbe226dfb32a96c3bc1458a30f374be8310599a94613a93103ca4d7c87b60ac7bad14e9839b5b03ca34dbc20c949a2ab0ba2eaa0f608a192dc1114cf8556ed5462279923e0fcd41e5d5f0cf1648b85211f782e378a92883e5ecaa54f60c4e8a79a01b37ddbfed2ddb6f1714e3f4513da78dd7205160440c305861616aecd802fd12f267a2aa2c1a8edd79f13c08e1e582c04693ddd771bbf656773fcf3047b824f5f455bee27a47614eff8a3397ebe5cd0f512234f5d2a05cbdfbbd782a146f14188479abccd9ab4689c8767cb0e42814e540b4deac8b1a66cba139ddffbbed43de2062b7421a16ed1f75599243c3fbcc1bf40ec4fc677f473098d9452a3906426d5915e61ad2a4e07db02d0afc6bcadc9d48cba74ae30db6fd7c287e8b9f3b89055d4b64924c5402ddee60ed0c0125db90427040e73b9f58bffe0c2c7da435c3466fb21f57241931dc7a890ebe916e22dc840000000a72518fe4906f90fe397510782939ca129bd0dbc7e542f92d2de6b66cd109242293b8dd72fcec3e38eb195c5159943545f9ebc0abb459898752782a9a5881144	iexplore.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1120	IEXPLORE.EXE
2732	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2732	iexplore.exe
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2732	iexplore.exe
2732	iexplore.exe
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1120	2732	iexplore.exe	87
PID 2732 wrote to memory of 1120	2732	iexplore.exe	87
PID 2732 wrote to memory of 1120	2732	iexplore.exe	87
PID 1120 wrote to memory of 2756	1120	IEXPLORE.EXE	90
PID 1120 wrote to memory of 2756	1120	IEXPLORE.EXE	90
PID 1120 wrote to memory of 2756	1120	IEXPLORE.EXE	90
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 3996	2756	RdrCEF.exe	91
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92
PID 2756 wrote to memory of 2312	2756	RdrCEF.exe	92

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://kabukistrength.com/wp-content/uploads/formidable/29/addendum-to-residential-mortgage-loan-application.pdf
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:17410 /prefetch:2
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=57867D73A9F33130511A9F5161EF1E6E --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3996
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6C923804B3539B44F355465C2FF947AD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6C923804B3539B44F355465C2FF947AD --renderer-client-id=2 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2312
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F889DD3BF5DE3C31CDA8030BDB49CC0B --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1664
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E2C1C5D4500F76A63780B1D3D88B5C25 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E2C1C5D4500F76A63780B1D3D88B5C25 --renderer-client-id=5 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1672
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7217529C1D9AE72B218E2F1785B8A611 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2380
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=84BE864B7DA6680893E8E32036AEB2D7 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4652
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D2B2355CC396E1BBA4105B2A7A97E9B1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D2B2355CC396E1BBA4105B2A7A97E9B1 --renderer-client-id=2 --mojo-platform-channel-handle=1684 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2380
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=58225A36D5CD81E7C6FD8F45E9A91526 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1184
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=733A22F2723A9BCEC8E8368AF6B1E4DD --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4476
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8336FA79D5B2F3E7B7DC9AD1F37321BB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8336FA79D5B2F3E7B7DC9AD1F37321BB --renderer-client-id=5 --mojo-platform-channel-handle=2520 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2672

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" -Embedding
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" -Embedding
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
1f2491073b4b2787254fd958180a792a

SHA1
809a07d308e4955752d85c7c8150fd5695f495b1

SHA256
578bf01b45ac7104730b83a48fc2c4632801a325b41932fca99640cc0f36a413

SHA512
c4f2e9ad0340663611449e48b25edfcb4c5d887274dcced00186b507a657a9c3ba9db3550d744537280461e35c14c4e35395697e5d9d776a138a13671e40620c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Filesize
128KB

MD5
575c00abdd76284b6f40db67d60a1d9e

SHA1
c8191993d289713a1b2add954719ee9c85f4e36c

SHA256
17ad8d02b8e0045dc07f817716ca112542f82d29c68eba15d037ccba7753e70e

SHA512
0db07793e8acfc3975d689b7014e1807ba0faeddede2b9bc55ad4b6bab1784479f2898b0a4a7c910bd49a41444589e25866a21e964d9681c29abca5d75289ef9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3fbb8ee33354096d9f116c557a402d14

SHA1
f75756c42d45d1047eb04fa54bd7702f5560df4b

SHA256
13e2696561dd0955e1d61f7e18166c8bd7a02faf1dbfe04e738b5d68cc2ca57e

SHA512
cc21e56f9278282b3c15964b5618d42bdfda83b245d7bf01d12550aabd69a9747d1deaa5a9a9830e6d6a47465f580e21e0a7621cf992b56244ad4bee8779c338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4214f7002e2c00a4d60d395fd2d5b79b

SHA1
b9072e750dacb9cb0527c143633fedb5c3bf942c

SHA256
4408f953a74c0bf459e6a6138917c74f4e62f5ce659446eaf2d112e4bac829ba

SHA512
52ae45126bb972f9381771cbfb32fcbdd94aa03c5349c2a11f3f4820a9aa63d47a31a216b746059b82a1cdb73efcc8a0e9dbe1692cefb27c45a17f2be2353e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\montserrat-bold[1].eot

Filesize
29KB

MD5
65e03151914e450958061cbb762eebe1

SHA1
39e54ebf3eba09b2c95200138d63e4f9db3aa9ab

SHA256
64c4febd551454ba2b82e10dac1e18e5d5253f9c4d152f6c7e56186a5c823e4a

SHA512
9be544d089f53cce7792c0eb9e525192c7539e5c9dd5bf63b4c86cae691b53ac12049b1a181ebf52628c3e502a98699fd827d13dfc053676ecac43aa9306dc54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\montserrat-regular[1].eot

Filesize
28KB

MD5
f6215401e6aae823823c97578c0e132e

SHA1
9b49f51a4ea4d19f3a651a44abe2b709fcfa7c34

SHA256
0b32375761df803fd122de37b123251bb4997f14ef68e9e520289fc49b41fb00

SHA512
39600d6e91447560247baf4761c77409ada6ffbbb96abccbe1272d759502f6604a16d61e6a2ae28358ef3c03a660f1d20ebf070206492d4e2ebc1888af4ce78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\caf[1].js

Filesize
144KB

MD5
9e64f721108995bd5a37fa80ff58f5fc

SHA1
7ce05cff5b866b0551487a2e62fd8d1f4ddbf5a2

SHA256
ed3f9710cac3f1e6cc3ff6fa64f8e210c5a14f33c384d678c11d627054a2eb64

SHA512
2fddfb38f7b57e2f236ceccf4e25bd7ffcacc286f99149f54e2eea76d827cd03a7ce42ed8ea58f7ed89709c32134a330bcbed41cb9ec459b21843414422fab1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\px[1].js

Filesize
346B

MD5
f84f931c0dd37448e03f0dabf4e4ca9f

SHA1
9c2c50edcf576453ccc07bf65668bd23c76e8663

SHA256
5c1d5fd46a88611c31ecbb8ffc1142a7e74ec7fb7d72bd3891131c880ef3f584

SHA512
afc3089d932fb030e932bf6414ac05681771051dd51d164f09635ca09cbd8525a52879524b6aa24e972e7766ddf529484cc1ec416de8b61255435a89ba781f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\addendum-to-residential-mortgage-loan-application[1].pdf

Filesize
120KB

MD5
066afa71e9ae5fb5b2428da899192e6a

SHA1
d337f1856d79910e27d632912cde4cf4c0a27bf5

SHA256
f7a6db46ac821a0e9d92ae0d254bfa4fe52951475fc98022eacedd9895631900

SHA512
8844bcdcc78bb54d9f77fdf49f737b81673afc0a983009a19926a32c285493ef4b4eb087c4184fef40c13e968c0e4e9c33381738213453c9044b69d862ff65ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\min[1].js

Filesize
8KB

MD5
c16c3a4c0fad29106f34d00e89f6886e

SHA1
6e11811ab8a98bb295b0916cdee68b302c33403d

SHA256
097786d677a859b7bc87e285377b083b76d66a2fc2832a16bcd50b0e99df77ff

SHA512
154baf532dbedba258b2ac12aa16463a66098b9f149dece93ab337072976eb2ccceaedfbfaace25606ccdb48f795803fce1bfe5eca197325743e8dd7c849f6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Filesize
10KB

MD5
a46502281e4e072540f601729158073f

SHA1
8c242ee00ebf9a0c6bbe280219be3a1d675b476c

SHA256
ec4eb52788f8861884d58bf808cc3513f29a3a2b4b11e897fc5ae33be01e9627

SHA512
5f27e7d73f213e704a4ca6135f5f61d667ac0958383ba632054f93b91639c83c1f419c092efe48d281276d80b594375f0ecaa437d844abebe927ddb8aeccfa06

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\TMDocs.sav

Filesize
36B

MD5
5c6b932a79952b4b27833691305e61db

SHA1
09804db0986a989c2c49cdcea563567fb4c7b1a0

SHA256
dee5a5925227b125f4ac6d9b70a277e6ec8494ffc73d1cce9e08cc7a78d6208a

SHA512
4faa9585bb10156d5dea3b62d3a3a1bfa92430ba6e1e3381fc4c76c3071c85e53d5cbce0016dba1d1f9ea1b7af37b4a4efbaf4f3106b7d958b6e2e90aa0df059

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\TMGrpPrm.sav

Filesize
54B

MD5
6a614a7743b0c781aaeca60448e861d6

SHA1
67b7df5ebeb4527e4c31f3f9b7e52a0581dc4b6d

SHA256
9703120dc62c2c3f843bad5b1e77594682ca7820f0345ae0bbd73021c1427146

SHA512
3a45b27ed6f3aaa8c2113fbb21637675cc91d1239754447a7032d1a86cb1e7381575b28f992e5ffc9986354c2b9c173c614f1f703ca4c2bee63ab3bc6ed909a6

Download Submit