6747896b68dfc7d88e687c14969df38294f141e91dd21254dbe0669c256ebd97

Resubmissions

21-05-2024 15:07

240521-shbgesaa8w 6

21-05-2024 15:04

240521-sfj1sahh48 6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

# personal loan.pdf
Size

83KB
MD5

dccac01ec23f57cedd298e586bea8082
SHA1

13382aba7f9fbc2ae5f80d7e02ffa954af003c83
SHA256

6747896b68dfc7d88e687c14969df38294f141e91dd21254dbe0669c256ebd97
SHA512

e9300ae85014fb0643d78b31a6dfcbc72e8354216a6413881cf2e983b129632a1cacdba26bb26c7dfdbd1613c8d08c0abf765395ff64a04857d6710c25a9ba52
SSDEEP

1536:0tb5whuIEgOZoJrwUactLlzthM4YuZmONmflpNDGx6R7azTzsqPKelBLDx7RyaEo:0tb5+4gMoJrwcJndYuofl760R7/qPJTt

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

AcroRd32.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
3184	msedge.exe
3184	msedge.exe
5416	msedge.exe
5416	msedge.exe
2044	identity_helper.exe
2044	identity_helper.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

5416 msedge.exe
5416 msedge.exe
5416 msedge.exe
5416 msedge.exe
5416 msedge.exe
5416 msedge.exe
5416 msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

AcroRd32.exemsedge.exe

pid	process
2736	AcroRd32.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

2736 AcroRd32.exe
2736 AcroRd32.exe
2736 AcroRd32.exe
2736 AcroRd32.exe
2736 AcroRd32.exe
2736 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2736 wrote to memory of 3456	2736	AcroRd32.exe	RdrCEF.exe
PID 2736 wrote to memory of 3456	2736	AcroRd32.exe	RdrCEF.exe
PID 2736 wrote to memory of 3456	2736	AcroRd32.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 4772	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe
PID 3456 wrote to memory of 5824	3456	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\# personal loan.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3456

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D6CADB11F7B65FBE535836DC4FAA2AD7 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4772

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FA5645FF933826F7BD26F9D93E7097AE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FA5645FF933826F7BD26F9D93E7097AE --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:5824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F0EC68D21DDE218CFAB9FD0A9C32400 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BCE90EE31969F6626637D6BBB69EA845 --mojo-platform-channel-handle=1928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4932

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E14903623A591F919FB5202E3E14C764 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E14903623A591F919FB5202E3E14C764 --renderer-client-id=6 --mojo-platform-channel-handle=2108 --allow-no-sandbox-job /prefetch:1
3⤵
PID:632

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2E8704168BBCE5020278BAD78D80BDC7 --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://supraoracle.top/97044613/69700485/
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa594046f8,0x7ffa59404708,0x7ffa59404718
3⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
3⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
3⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
3⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
3⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
3⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
3⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
3⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
3⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
3⤵
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
3⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12597376004076996885,8934963515540945525,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5596 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
68d572db8bd2e75155a321f380875a28

SHA1
861b8ec3c4e787297da6bc3ca5ae45c50bf0025b

SHA256
b69d16fed0a1e362ba9dcaea08f6eb83c4edca760b2e30d25d019de0fe00fec2

SHA512
8498c59d1e355d1ffc51b632972b7523495aed3761cd622f1f268459df768b3b7f0eb21d0ab9cd2bbabe9efa249b83c81ac26550b1554937bb1f7f1f3cb3f792

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
262KB

MD5
40e11acc99c1b33d7503eb2787124afa

SHA1
f9107e52a5860c70c7da6bc749bdfd5472bbd015

SHA256
71dd24e19543efa354c9c5a457d954c77737f382eee80c8c36cd5137afbe7034

SHA512
161d675ad0b2c8c2a6d7787ee1e160329731d62e2a7df6e2027e7251ddffae52d965725b085f199932ab257af1fa2b56ebb5199c5c8ffe281d8af8917c0161f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
552B

MD5
6b6323c2de0732f3cbd58b6d3e36a71e

SHA1
ad927045c46cf40b69b3a75a83fe333ef8d848ee

SHA256
6a714519a6cd4be6c7a69cd35185c394f7d46d88d4eabffc1e1282ef45b928cc

SHA512
b0f04e5d2c6e75622eb067810a6f5fb59d2fd7628425bf18517258f0baf2587642186d50339dc51460ef28fa02b61226909702f5a01cbe203f975a9e02f70ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
552B

MD5
471ec6d8cae02c626d8b211e25485b78

SHA1
8d33dffc5c8097a6efa7698d3e63d74897c2fd56

SHA256
ed3098dda5dee59f4fdc8ce898f4a0906d9fbd5622010cb0afc5c65e28fec034

SHA512
b4a11c22f2a80d44d7424976555702fec1ac4165313fcfed836bbe54009d8337240496866520197a34fd8d2d78d660b6f982dedae80008633bff1f4e845a62a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
c4950f6102b7f61fbad95752c8bed3a3

SHA1
7d25c061efd44049c5a7e4d1b84b843002c3af7d

SHA256
5da5408969c8333a118879b3b912ffdfa8af92a608378ff3fd34ce8f7130dd47

SHA512
f19214139d47bf6d2d7e29b3d79a30b9faf41515fa3bbe1010c039a36593d649f203ce67a7da95dd74aafe34ce905fbc90cc2e8cbea73f7b187a04e71edc45c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
21886d69e9d72909f412173efe027517

SHA1
467e2708eebf7eb7862a29f188b89fb9d7b03ce0

SHA256
85a7623b39e62eda3ff1997e97aca582cfe911fd40b86c902ad6e315acae2b99

SHA512
533344e23998e50370bacabb1e9afca4a058de84386dc856a145dc908694bfa659b31ac5857b06ed39b04ad6c8c9f5809530c4423ab4e3131dcec8d1d8133e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b825230a15808deefef532597ae64b49

SHA1
e1941c9ce97269b127fd63391e0d350f4c1f5feb

SHA256
df5d7a744c72c3e9b658a7f482391589739e1a51d63da7efc6896226130e34ee

SHA512
b76e61425adbf95f94bc50a670c6cf01fe66dad74141a9035b023a13a710a721a3c5a6fc94179908a52c9336c24677c81d0ee9b6eeabcebd72ea05b6a8d9fce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
edd89a0c4b74472d17535697f653d532

SHA1
9801b2c7c2bf1e1c082bbe9604f000cac2c6c0b0

SHA256
d8f48f773bd2b8f90b65c7a60fca5e5d5bf95e384622d179e2a14b92f242ad3b

SHA512
f26fd86672bb3aa824efe3875434745b7ecc60f6a99f181306010f2953c01dbd8d419c49b35321f315555f9fe47929c6aff9a714a72d6ffa5b22797ec77bbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
046de50c03e3a5c42b0c87219fe2fd7e

SHA1
ac503adf55ba8f8ae95193d5e34266990f15f62e

SHA256
f6ab4987c6cb8ca227fcce383808c2520a0fde787adfe0636a1685691980b0e2

SHA512
2fbd8179c8f17eee8469692e02e31f81782ea13a61886e4d6e6848e5e62127907d26be203d7ab00203cd8d0e05241f8ca26eb5318e6c58c16ed4ca0b20fea99a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
78dc311c8b0453d3bff213ea9e0d375d

SHA1
7f1d961276aea132fdf59b4a3685ed5922238664

SHA256
d6ce963e7949bdfbd187f89d51bc85332f7113b729f36c1686a761a4ca63ce3b

SHA512
08a787b0e33dd37fa962490314ced94195992d7c3d2b220252f25d336b64dd30760cd9b1e2bec7b0d67bb101930bdd166bd178c83f9c1c45443ac315702c0d51

Download Submit
\??\pipe\LOCAL\crashpad_5416_WQEICTVCZAMJJBJF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit