2060fb6fe904c2ae29874dbbbd031db657678f10b735778e882bb44a85411368

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2023 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lnvoice_1882936796.pdf
Size

64KB
MD5

db87674a18fe8a0aa88e56da7d7d5a1f
SHA1

904c025ea018c5b98cb96a374cca7354b834e1be
SHA256

2060fb6fe904c2ae29874dbbbd031db657678f10b735778e882bb44a85411368
SHA512

d272af7d298a39333a5d528ddb8ea4988116bf955f83bbbb133da516da61bc0776af04d6635c4755ed4f4870a0f92023e3dba486587a95f6c0bd58246fbe3873
SSDEEP

768:EmPJfVsEuFTvFxctbf1ppppppppppppppppob+bB44O:tdsTFTsF9pppppppppppppppg

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A01321D9-F870-45BD-B570-A5E82DA8A11D}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 767048.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2572	msedge.exe
2572	msedge.exe
1660	msedge.exe
1660	msedge.exe
1656	identity_helper.exe
1656	identity_helper.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1448	AcroRd32.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe
1448	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1660	1448	AcroRd32.exe	88
PID 1448 wrote to memory of 1660	1448	AcroRd32.exe	88
PID 1660 wrote to memory of 2780	1660	msedge.exe	89
PID 1660 wrote to memory of 2780	1660	msedge.exe	89
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 1120	1660	msedge.exe	91
PID 1660 wrote to memory of 2572	1660	msedge.exe	90
PID 1660 wrote to memory of 2572	1660	msedge.exe	90
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92
PID 1660 wrote to memory of 4972	1660	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\lnvoice_1882936796.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://booking-com-details.blogspot.com/
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a4746f8,0x7ff95a474708,0x7ff95a474718
    3⤵
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    3⤵
    PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:2320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:1416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
    3⤵
    PID:4800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3632 /prefetch:8
    3⤵
    PID:3800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
    3⤵
    PID:5092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
    3⤵
    PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
    3⤵
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:2156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
    3⤵
    PID:2680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
    3⤵
    PID:5484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
    3⤵
    PID:5496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
    3⤵
    PID:5580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,16388779993674236293,5912280447005289982,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5472 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5028
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:3588
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FE7B985CD9444820D8C0257417F12A6B --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4568
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=64261E3A72AA3C34B353DBCBBB086E57 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=64261E3A72AA3C34B353DBCBBB086E57 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3576
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C6DD9937F23EE5BD60D0CC1EE487AE4B --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1980
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E38F4AED571B07DE19EBE3F216A7198B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E38F4AED571B07DE19EBE3F216A7198B --renderer-client-id=5 --mojo-platform-channel-handle=2212 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3592
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FAF16001A51EC9BFC35989AF945022F3 --mojo-platform-channel-handle=2744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3776
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=93B589E1C6B6B40A3C25FC693663C7D0 --mojo-platform-channel-handle=2824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6a4eed7c1fefb72c8ee7294d9123fec4

SHA1
c9e2ea2994430b48d4902df4810e1811aca30ec6

SHA256
ab9ed28af003d5d9c2dd42d190e90a0b6bca0532c4eb61a74ee9c553a90adaa9

SHA512
506d482f4aed421b68f48db432ec2b9ffb61bd66eae88aa9550ecef1afdf7328910f6628531aeb90da90367037b31f34843b8d66addaba4d68d8f396689a7142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f7e75a88fe92d5147528c475c6908243

SHA1
7831682352cfdb17da7174cea8674e61e6fe7ff6

SHA256
4faebaa12ccf24466cb17632b61174043ca23e183a44b29e9e3f6cfc2ce3192d

SHA512
f210c56502e232b9e9b47c13eeb941a2ae7ee5b7b27742902172935e8986b23292151f21dd2d930d384b4dc74af032297b36947d1f8251ce5208cbdf93a56ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
180KB

MD5
497835d373e12af4cd257487dd5d3612

SHA1
425950e9427926ac0aa7940c4a18a44ab59df47a

SHA256
e11ff08dff0a884b311133e2469146b2a54319cf60094511e098df0c3677c4e0

SHA512
aa05611f56185e02289345f9c286ca98f96d5e1d24c8d152605e866e60013dc2945fc60f826e81459003ca9c2b7d439c0f6fdd173cbee57cd751ee51b18d2bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
317c6410fb3acc773223fa759fef804f

SHA1
c950c81a075dd87df9dc00fa2b13ded47e59363a

SHA256
a4f0239f097f5001dfe87b78eeda3ae6e800756a89f82de95db8af0357ee52d2

SHA512
828db7986d6cdb24ba1197455f6648cd69f246fc136a41747d57928825b5a507ba6a1e9b2cb638eb082987c95eacd169ef9bba6e3b0bb193c97886b0d103ac5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
acf8ecb9c2500b32087a66c73b543157

SHA1
8e0cfa3fd03e3edca6f546c24f38eb733b67a573

SHA256
7439081a4acd42ba58c8e5788814cff2992ff357f133cf68670c5b4eea634b60

SHA512
ae5fb8e3488a35b38e1fc75376d97b8c6d34b188b179f4ef42e466c60cdfe9b04823a1fea60d8ba398a07ab95e9633af006b496eb6c1646d15ef1bb7a97ed94a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e6215a110534adc927e9166a4976f550

SHA1
cf62ffed11acb4d81cc2eeccf43fbfdd0ffbba92

SHA256
71cbe6a7fc0d1cb327bc4e70097eb755bb2d22353a717f01c1066f271b92ac86

SHA512
67f8190bf3a2d573dd8fb87226c9df112ee8b8981277cc62bd0869e31b62d07b0a9713b1205799bd6bd2247467e6ea78ac49a6e594b493638d907c56ddf54b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a2eaec0e62b75020f897d3f8c8c6228c

SHA1
c713f4d793754d560d2a2c9b5df2058068afcd49

SHA256
3b2766b7ee46c74cf11b21d95f9faa70853a4fd6eb86167e5d52a7ffcda296d9

SHA512
b0384a940b6db2186623a0d31750b35fab5dc918fdea4a277ec8f4fbb3f3b5571915371231c0e99563a8f5a1f1663b000ed5e877dcae7dd0db9124b265217db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
51bdf2ada900644dcff04108c5a57ba1

SHA1
728a4112c8123f271e00e454562261c517eb70d7

SHA256
afe4f5c0cd91479140309d68c3e43f29bcd2fb5bc72cb897dcfe7223c3047c43

SHA512
3d1929d04db077ea27606589f3d0ab6846437aeaea579a543422a93e788bcfea8783732f7e80af36f00dac8d770327ec9e6389707dd8872745ea1906faea6608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
88d76733cde18621ed7567c0cfda2ab7

SHA1
41859bb156cfd94dbd7bd185567df2a9a5479998

SHA256
17a4767dee231bad758aa0b51bd7b7d8e6201c936e5b58aa76bbe5275c0c89cb

SHA512
e6555a48831412daf4af0a0039b47611428984d22ab0f851c62e68dfc9f91546542d0d68c759a988cc997b0fb1998e7aec10fa918869ed15742bfc4899f72f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
062b2aca2fd85b0f30a98f27cd08fdb5

SHA1
5a446097572904f456bdec041d9e3c1c66d360f6

SHA256
3d484c913ab70a701bde79a39b6dd6fd61266645ed56f3afadae5523a6a4f1b9

SHA512
2d5a7deb02692195fd17abb755cdc612739498c814a6cf789c7f760856ec6c28057dff1f1d84ed289fc3d3a7090806a8de4b6236cae1be78362057fc1cc19482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57df44.TMP

Filesize
1KB

MD5
11694847c0942200295834b1ee214c0b

SHA1
39bbd390b1b58eca0f6cc32fc24bf15c6f71cbb8

SHA256
571fbd469e6e10fb6f92618d73f8b31d8c8cd32700284ab9571beeae740c83fc

SHA512
627a9338a40ee3092cfbfa3ce8b58d5f01f82696f43f861e93b494ceba30494ad65fd080bbf707f33ca2d41b6a492597e80f1714a4cbeb1e243c3c073451c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b5f96f084bc34d91a9c90b099f45b8c

SHA1
bf04a6099938553ca4163cb7277eea1151e11990

SHA256
b2ac7e5299ea87cbd888425eaf1ab00aadf9968af35b799a77d4dd268130eb5b

SHA512
aa1d93b725a81b1a4ed4ddebc5a977c50a00da9bf3c6bb65fe7e8d73bec7bf67f7b49f7f856803523fe7e05a5137ec5b3acb129b5a92751c5420e40688fad9f9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 767048.crdownload

Filesize
490KB

MD5
311659f38280eeeee131b4a2381cfa91

SHA1
79311b6d0e8b8e508033939ffbcf882601616386

SHA256
cd4010442c335b79b12db17c9f41bc5c7f78bba720ae3a804bf5e9f638abaa95

SHA512
21d397e2a5c16ebd9eb5efe379bd342fc16658c297f0bba895ac0f2068555b6530c1fe768904bee79f9a7f9a25f8b3d04a0fa3272fed460971ec932e04584ccd

Download Submit
memory/1448-383-0x000000000C5A0000-0x000000000C6ED000-memory.dmp

Filesize
1.3MB

Download