hxxps://r20[.]rs6[.]net/tn[.]jsp?f=001Bl-ksCtcgjAs3-tEShFQa-aNijyE38YwDUaGTBkDg_PPkpLMJbfZazq1rbEbRswyN-u488Ye2TwHBW5SS_jEX3y9qvNkVLHeAbZrdcq-SixaoSYNPNKfIKbgVnYRtPaClUtcbpsSJBmYHnZ9y2Eu6sX_pdheOVqZ&c=BOf4efjZZw9a_mnRGVgKspoxUP4CIQIrhDQ1ogB3xQSrdZ789BQSJg==&ch=steoQuIx8MlPhyBJwT82w96HIIV_P9wis2MBuKMBrMKXVvWeh7oNlQ==

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://r20.rs6.net/tn.jsp?f=001Bl-ksCtcgjAs3-tEShFQa-aNijyE38YwDUaGTBkDg_PPkpLMJbfZazq1rbEbRswyN-u488Ye2TwHBW5SS_jEX3y9qvNkVLHeAbZrdcq-SixaoSYNPNKfIKbgVnYRtPaClUtcbpsSJBmYHnZ9y2Eu6sX_pdheOVqZ&c=BOf4efjZZw9a_mnRGVgKspoxUP4CIQIrhDQ1ogB3xQSrdZ789BQSJg==&ch=steoQuIx8MlPhyBJwT82w96HIIV_P9wis2MBuKMBrMKXVvWeh7oNlQ==

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2616	msedge.exe
2616	msedge.exe
1284	msedge.exe
1284	msedge.exe
2288	identity_helper.exe
2288	identity_helper.exe
3132	msedge.exe
3132	msedge.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
2036	msedge.exe
2036	msedge.exe
2036	msedge.exe
2036	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2128	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
1688	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
2128	OpenWith.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe
1868	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2376	1284	msedge.exe	84
PID 1284 wrote to memory of 2376	1284	msedge.exe	84
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 4456	1284	msedge.exe	86
PID 1284 wrote to memory of 2616	1284	msedge.exe	85
PID 1284 wrote to memory of 2616	1284	msedge.exe	85
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87
PID 1284 wrote to memory of 1612	1284	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://r20.rs6.net/tn.jsp?f=001Bl-ksCtcgjAs3-tEShFQa-aNijyE38YwDUaGTBkDg_PPkpLMJbfZazq1rbEbRswyN-u488Ye2TwHBW5SS_jEX3y9qvNkVLHeAbZrdcq-SixaoSYNPNKfIKbgVnYRtPaClUtcbpsSJBmYHnZ9y2Eu6sX_pdheOVqZ&c=BOf4efjZZw9a_mnRGVgKspoxUP4CIQIrhDQ1ogB3xQSrdZ789BQSJg==&ch=steoQuIx8MlPhyBJwT82w96HIIV_P9wis2MBuKMBrMKXVvWeh7oNlQ==
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe353e46f8,0x7ffe353e4708,0x7ffe353e4718
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12001608642280236444,586277156301104402,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2128
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\event.ics"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1868
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:1648
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=82EAC22BD81E2AEF7F7C560452C28304 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:264
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A1B5CC2D60855F00C32AEBC6C4D52B96 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A1B5CC2D60855F00C32AEBC6C4D52B96 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:5008
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D515A9A8F676BEA7F882D4A31DEF7918 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1404
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=939400F6365CA0CC4BB6EE59E39282BE --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1640
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C7523538FBC25B49D5C4599A8F11342 --mojo-platform-channel-handle=2476 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1b7cf4c964fdb7587d998b857e859e6a

SHA1
3e1849cec36ccf33f6e99c650c29f056a15ddb27

SHA256
d2cfaabee28ff3ca41f57ea5931af080288bc5862f56fa4f4e010f9a856b527a

SHA512
c446b9afd939b44fcea42b3bd18562b00a6f2392152621a4a2826bd7a0d04c6fc2cd86b79c1064b12667362d5923c95c8afea390002391aac9fbf17bbc65d57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
7ae7304eaf9c70b346453c42f8df9f12

SHA1
bf05eac2e3d0b9c66acfe5c2fb92f823c538330b

SHA256
453ad144d34ca5c37cb659f70d20870915b27c4f06e206a524765ff815f90822

SHA512
06eda9082f21fc145a7ac8c9ebc525805163a8fbc415152ddf69468666d940889b29b8eebcfb17d057db6e14dee8f6dfb9ab89b9842de9b00963ea8e9c82c7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
ed09cb09f0644c62af81a304bf259e88

SHA1
e61d167de7039663dcd0039bf64fe25af329fec2

SHA256
c99c83e70b269e73f39d8720e4a5bd7550a8973b8459bf42e5499e98ade63391

SHA512
49785bfa5155264058a00c84293f7ae7b7e95e3cff7a6b95ecea29a7277e5491da998302f727c633e51b8e069120c0aee6ab0de94deb2b3dcab396fbeb138149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5f9ffcd73b4d95e1c8595a93226bef77

SHA1
3729fc9c23f1fce9d5fa79f0a936a6e6af06f689

SHA256
f873e99c119cd61044de9632a936d5f69074b7660db0941e739eebfe86e2690e

SHA512
234453eb69e942d367711ee439f334f230f3113754b937dddafb00fdc718682b7398741e39f51e305250fe06264b4d2df0c2f7189b459926bdcedac007b5ccdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
826bb957b6d9e3281337be982276ef11

SHA1
38d2d8b37a9125db24664f17d1bd4717bed7c01c

SHA256
69d8a4a76441ecac8b87124f11e083b380071c11f2e48b7fe300610ba0ac4937

SHA512
5417faa51b8dd3c74d8ee5679b331add9f0f7f3d77d2158fca869c25a0963922e9585064e6d1b1658a188a58df331ece6a9ef6e8655d19ec69ac1a19d055c5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38a09030334edae7123ee62e30ce18fb

SHA1
6ead309be77d70b8fe7d841297abb23dfd1c31f8

SHA256
2940e5fa2c5056cf7b93bcee92b6da286496211ced2424034984807629192029

SHA512
e41c7812d6cedb0026ed3d9352ba37fbbe16ccf1d2d40398abca5fc3224195e78f719b4494b4006fdebd0e1a950c87bd6ee914b28cbcb365a6e19c11391214e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
129e6ab406a7e92f00c192a47ce9d4a0

SHA1
e3cd260edfc50ab306f5403025104ee4391fe721

SHA256
8f48b297e17f57258a1d278bae42101a7aebcc687dac6c69736cd764270e12b5

SHA512
296c1ce37bb865bd6b1da7b94c13f05e53fc92164db48c93a674c003be90aa711541154b4c66d5c9af940f9ec9bb4b0e8cf64d4183b3deac5046780568ea4998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
30688fdbf791d6ec85175687ea4dcd61

SHA1
fe48cb9fceacb6763cf8bf46d22a98bd03867460

SHA256
465c66b4ac0e7e35af89e78a22a9e54ae70e47e6153076441e205a3a7f632cb7

SHA512
a4b7e385c0b2467e8bf43a29c0f8f781e1fbec6134bcc5943d85e3576afba79732ef8dd9197cad395ac1559fd3f76622a0e6e4abceecb8a30dfadd265dab0122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
58393799a1f50cb7473a3da6fb8a8ed6

SHA1
affc6299f3dc6ab77cdf22793b59021d53ccabe5

SHA256
f273e429aa754323bd40491f864649a840cde57be19f9563fe50dcb08ea87a06

SHA512
d4bab2a660ef8eccbab9d1e09a36194df571cb2f0d3fb59a167cf04eb4d67026c9df8dec608d508d52226baa376ec5af20dc7175608f8c0499982bf8df3f8359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b4c9e6b7e3e4f2d86aa2570b69ecb1d6

SHA1
c50938ef32d0a58bdb5e61a73a34897329f8f618

SHA256
7c817fcdd7e6785ebd24a61a7b0205b4c4e50423640dece6afce24315468610c

SHA512
1f1c331048cc93b7474852122e7c705def8247141fe9b7dbc601d608e98598d91da50d674f8b4582bc8f2eadb85a63a77c85463e6251f63781dfe6a9e44b6cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a26e957afd519a57d9e1638f940d4e97

SHA1
6397c762d1d95b376a339ec9a88a8a146a620e7e

SHA256
2270b7601ba3023380a2ae60610be8acf79e6f4b90076c5ad9c5256a1899f6af

SHA512
b4cbef77cec5434a75c3699e156e31137451c49cace51a1ec39becee34948ee5cd6a2d5d8aa43d05ff9419d11fcb6c585695c477256daac0c287c1189a2a2849

Download Submit
C:\Users\Admin\Downloads\event.ics

Filesize
798B

MD5
2b5c6540521bbc4d34adf00a5bca1b06

SHA1
0a367d483a03ecff2fbbd8ff23b7ed73e6c17540

SHA256
3b168db3d0c128cc26047e729bbd6c994fdee68c7704eb8e434430b5d7c44f9e

SHA512
4ca234d6292d7c5eaec0b371bbcd7cba35a581f49c3af930ab68321e7ead2206d930bd3264eff6a7797f5f75ff4c195f0e5da82a5b854cd273ca0ebaf48e0137

Download Submit